Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Security IT

WPA-PSK Cracking As a Service 175

An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"
This discussion has been archived. No new comments can be posted.

WPA-PSK Cracking As a Service

Comments Filter:
  • by Anonymous Coward on Monday December 07, 2009 @08:36PM (#30360384)

    So for $34 you can make sure your password is part of their dictionary?

    • Re: (Score:2, Funny)

      by Sir_Lewk ( 967686 )

      Because this is news for nerds, stuff that matters.

      Dumbass.

      • And this matters because..

        • Re: (Score:3, Insightful)

          by geekmux ( 1040042 )

          And this matters because..

          #1: It's IT-related

          #2: It's Security IT-related

          #3: Within IT, it has to do with one of the most prevalent technologies in use today.

          #4: And finally, it's here, because it sure as hell ain't gonna show up on CNN or the nightly news "tech" corner. Well, at least not for another 6 months or so, when it's "breaking news" to them.

        • Ok, I originally assumed you were purposely being obtuse so my answer was short, and apparently comical to someone... I'll try to explain this clearly and concisely, so that it might sink into that brain of yours:

          And this matters because..

          Because any self respecting nerd who isn't busy getting their panties all twisted over "OMG HAXX0RZ" could reasonably be expected to find this interesting.

          Moxie Marlinspike is a rather high profile computer security researcher who has been featured on slashdot at least on

    • Because Moxie Marlinspike is the coolest name ever, with the possible exception of Neal Anderthal.
    • Because information wants to be free, dude!

  • by SuperBanana ( 662181 ) on Monday December 07, 2009 @08:45PM (#30360448)

    While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes

    Anyone interested in testing their own key would not care about it taking 5 days. During a weekday, you're not around most of the time anyway. I doubt anyone cares enough to spend $40 for something that can be done for free.

    • by Dan541 ( 1032000 )

      Suppose your in the middle of a download and suddenly you ISP capps you. For $34 and 20minutes later you could be back online at full speed.

  • by al0ha ( 1262684 ) on Monday December 07, 2009 @08:46PM (#30360460) Journal
    $34 to see if your password can survive a dictionary attack? Hell pay me $20 and I'll gladly save you some money and provide you with a password guaranteed to be unbreakable by brute force. I'll even sign an NDA to ensure I don't disclose it to anyone but rest assured even I won't be able to remember it!
    • by chill ( 34294 ) on Monday December 07, 2009 @09:06PM (#30360632) Journal

      I'll save 'em the full $34.

      Go here: https://www.grc.com/passwords.htm [grc.com]

      • by Urd.Yggdrasil ( 1127899 ) on Monday December 07, 2009 @09:21PM (#30360768)
        Pfft, that's only pseudo random data, why settle when you can get true random data.

        https://www.fourmilab.ch/hotbits/secure_generate.html [fourmilab.ch]
        https://www.random.org/passwords/ [random.org]
        • Great if you want a secure password. But the parent has provided a link specifically for Wifi passwords. Long, random and valid for WPA and WPA2. Personally I'd reckon that they'd be pretty hard to crack!
        • by mlts ( 1038732 ) *

          Even better, use a utility that gets random data without going through the Internet. Here, I use KeePass, tell it to make a 63 character random string, wiggle the mouse and type in some keys.

          Then I paste the string into my router, put a copy of the string on a file in a TC protected container. That I copy to a USB flash drive and manually copy and paste that into the rest of my boxes' WPA2 config.

          If I forget the WPA2 password, who cares. I log on the router via a hardwired connection, repeat the above pr

        • by Power_Pentode ( 1123285 ) on Tuesday December 08, 2009 @02:24AM (#30362590)

          Pfft, that's only pseudo random data, why settle when you can get true random data

          No "random" data that you get from the net should be trusted. I throw old 16-sided gaming dice to generate a transparent X-Y grid, which is then set over the top of my cat's litter box. The positions of the cat turds are normalized against a reference litter box and fed into a fancy matrix algorithm, the output of which is SHA4 hashed and truncated to make the WPA2 key.

          • Re: (Score:3, Insightful)

            by VoidCrow ( 836595 )

            But that's vulnerable to a statistical analysis of the preferred distribution of cat turds. Maybe you should randomise it by giving them catnip every time they take a dump?

            • by cenc ( 1310167 )

              Randomize the cat.

              Or you could go even one more step and kill the cat after it takes a dump.

          • by selven ( 1556643 )

            That's interesting. I feed the gaming dice to my cat, then feed it ipecac and let the cat throw the dice!

        • Eh, it's all been predetermined from the beginning of time anyway.

      • Comment removed based on user account deletion
      • Re: (Score:3, Informative)

        by wagnerrp ( 1305589 )
        That's great if you have a compliant device. I spent two hours trying to figure out why my mom's Nokia wasn't working with such a passphrase. I finally got tired of typing in such a long phrase and truncated it to 15 or so characters only to find it instantly working. Turns out while it lets you type in long phrases, it will silently fail to use them in a completely undocumented deficiency.
        • Nokia aren't the only phones with crap wpa implementation. My LG Renoir allows you to type in a 63 digit wpa key with only moderate difficulty, but if you actually try to connect to the wifi network the phone reboots. How i laughed.

    • $20?? Pad me $10 offer a tool that generates an unlimited number of military-grade security passwords that even a young child can remember forever, and optionally also generates public/private keys to use in-between.

      <fearmongering>Plus a guide on proper usage and a link list if you’re interested in learning more about how to prevent your young daughter being online-raped, your partner being raped in the ass in prison because of someone framing her, and you getting caught by Chinese/Russian/Ameri

  • ... you dont use d!ct!0n@ryw0rd50r@tl3@st make them hard to be brute forced.

    I cant really see how this is service is legal but I am willing to be educated how it could be.

    • Why should it be any more illegal than tools like aircrack-ng, nmap, or for that matter, telnet? Just because something can be used by hackers doesn't mean it's illegal*.

      *Unless you live in Germany. "Hacker tools" are illegal there iirc.

      Also, l33t-speaking dictionary words is generally considered a pretty poor way to create passwords.

    • That password would be vulnerable to a standard dictionary attack which included l33t v@r1a7i0nZ.

      Interleaving words makes it mmuocrhe htaord bfrourtcee.

      (much more hard to brute force)
      • Apologies for replying to myself, but I realise that you concatenated several words. That's great if you want a 20+ character password, but which user wants that? First name + year of birth: 1R9o8b3. EAsy to remember, shocking to crack.
        • by karnal ( 22275 )

          by L4t3r4lu5 --> Apologies for replying to myself, but I realise that you concatenated several words. That's great if you want a 20+ character password, but which user wants that? First name + year of birth: 1R9o8b3. EAsy to remember, shocking to crack.

          You were born in the year 4345??? And your real name is Ltrlu?

  • From the Article... (Score:3, Interesting)

    by BulletMagnet ( 600525 ) on Monday December 07, 2009 @08:48PM (#30360476)

    "Marlinspike declined to say who operates his compute cluster"

    I guess he can't come out and say he's using botted boxes, right?

    • Or perhaps MM simply doesn't want to get the plug pulled by a conventional cloud compute provider, due to the questionable PR (and possibly other attention) that this service may

      One could view this as an alternative to the old "publish the exploit as a goad to the provider" tactic. Previously, some cryptographic weaknesses required someone to have the resources to obtain a compute cluster large enough to deal with some specific cracking problem. With this approach, it isn't even necessary to be able to se

  • by Anonymous Coward

    ...$34 is the super-fast price.

  • Who uses WPA or WEP anyways? Either you leech your neighbor's unprotected WiFi, you live far enough away from other homes so that your signal doesn't leave your property, or you maintain a separate DMZ of wireless IPs that can't get into the good stuff, but can access the Internet.

    Next people will say that MAC address security is actually meaningful.

    • by rikkards ( 98006 )

      Or, you run wired.
      One of the first projects I did when I moved into our new house was run ethernet to all rooms

    • by mlts ( 1038732 ) * on Monday December 07, 2009 @10:41PM (#30361330)

      Believe it or not, there are some embedded devices which don't have the CPU juice for WPA2, so they were given a BIOS update so they can run something better than WEP as some form of security. WPA has its issues, but it sure beats WEP.

      The best wireless setup is to have two wireless SSIDs. Your internal one that runs off of WPA2-Enterprise, RADIUS server, and smart cards. Then an external one that has a stern packet filter and throttling mechanism. This way, people can log on your open wireless to check E-mail, but Limewire and other P2P apps will be stopped. Of course, someone can jump that, but if they do that, its not your problem anymore.

      I do see one use for MAC address security, and its more of a legal thing than computer protection. If a security breach criminal case winds up in court, and you can prove a potential intruder was bypassing your MAC security, it might land a conviction. Otherwise, someone can make up a story of you allowing people to have your WPA2 passwords, etc.

    • All forms of security are flawed, if that's what you're getting at. The goal is not to make it impossible to break into your space (be it computer network, home, whatever), but to make it difficult enough that it's not worth the attacker's trouble. I fail to see why you're bashing things like wireless encryption or MAC filtering for not being perfect, when you ought to realize this simple truth.

      I mean, let's look at your example of "your signal doesn't leave your property". If your attacker cares enough to

    • by cenc ( 1310167 )

      I live in a country where most of the major ISP's provide DSL and cable modems (I would say around 40% of the country has one these) boxes with wireless and only WEP encryption ( they claim much of the country still only uses WEP when asked ). They do not provide most of the time a way to modify this, and most users would not know how anyway.

      Even worse, most use a predictable well known formula for generating the password, that is based on publicly available information. Essentially you need to know two pie

  • Nobody is going to brute force my randomly generated 63 character alphanumeric key. Not before a vulnerability in the encryption appears or the hardware gets replaced with a new standard

    • Re: (Score:3, Funny)

      by Fnord666 ( 889225 )

      Nobody is going to brute force my randomly generated 63 character alphanumeric key. Not before a vulnerability in the encryption appears or the hardware gets replaced with a new standard

      I thought this [xkcd.com] was how you brute forced a password in less than 30 minutes.

  • by smchris ( 464899 ) on Monday December 07, 2009 @09:27PM (#30360816)

    For $30 I'll run the command-line random number generator I found on the web and send you a 60 digit number.

    If you act today, that's only 50 cents a number!

  • I’m sorry, but if your password is found in a dictionary, you fail, and deserve to be cracked. I don’t care if you’re 50 year old steel worker with no higher education. You are still a human. The most intelligent being on the planet! Behave like one, would ya?

    Protip: Adding just ONE special character to your password is going to wreck even faster brute force attacks. Let alone dictionary ones.
    If you want your password being “penis”, and it complains that it’s too short, n

    • by wisty ( 1335733 )

      It's a horrible myth that L337SP33K is very secure. Special characters just aren't that great.

      Try something like "the quick brown fox shat all over the lazy dog".

      Or "twinkle twinkle like a rolling stone".

      Or any other phrase that makes sense to your twisted and uniquely messed-up gray matter.

      Plaintext is easier for a human to remember than quasi-random characters, and it will be just as secure.

    • by qmaqdk ( 522323 )

      3. If you can, use public key authentication. Let’s see them brute-force a 2048 bit key!

      Remember that you can't compare symmetric and asymmetric schemes like that. Usually, in symmetric schemes the bits refer to the length of the password, where in asymmetric schemes it refers to the size of the prime numbers involved. For instance it took a good amount of time to break 64-bit DES at distributed.net, but a 663 bit prime number has been factorized using a general purpose algorithm (http://en.wikipedia.org/wiki/RSA#Integer_factorization_and_RSA_problem).

      • by qmaqdk ( 522323 )

        Remember that you can't compare symmetric and asymmetric schemes like that. Usually, in symmetric schemes the bits refer to the length of the password, where in asymmetric schemes it refers to the size of the prime numbers involved. For instance it took a good amount of time to break 64-bit DES at distributed.net, but a 663 bit prime number has been factorized using a general purpose algorithm (http://en.wikipedia.org/wiki/RSA#Integer_factorization_and_RSA_problem).

        That would be a 663 bit NUMBER. Even I can factorize prime numbers :P

  • e.g. a sentence. With capitalization and punctuation. You won't really have to worry about dictionary attacks that way.

  • Moxie Marlinspike. That's a Gnome name if ever I heard one.

  • In Italy, where I live, it is illegal to set up an unprotected wifi point, but since the vast majority of ADSL modem/routers are sold to homes or small businesses, I see a lot of unprotected access points, with names like "D-link "; I doubt that getting people to use robust passwords would work as well as having them use ANY password.
  • Assuming 5 days for a dual core, and thus 2.5-3 days for a quad core, that's not really a huge amount of time on a machine that's easily available. I certainly wouldn't want to spend $34 when i can just leave a spare quad core box running this in the background for a few days.

  • Capitalism-wise, it's genius. Nearly as smart as prostitution.

    "Let me perform a service, charging you by the hour, but the longer I go the happier you are."

"How to make a million dollars: First, get a million dollars." -- Steve Martin

Working...