WPA and WPA2 are still safe, experts call BS on NVIDIA cracking

by Steve Ragan - Oct 14 2008, 11:09

When The Tech Herald posted a quick article about ElcomSoft's Distributed Password Recovery tool, lots of other places reported the news as well. However, with that milestone of distributed power coming from GPUs, came FUD and claims that WPA and WPA2 keys are obsolete.

Several security experts jumped on the FUD, quickly quelling the news that came from a posting on Slashdot. The Slashdot story linked to an article where a security company called GSS warned that, "This breakthrough in brute force decryption of Wi-Fi signals by ElcomSoft confirms our observations that firms can no longer rely on standards-based security to protect their data." GSS goes on to say that, "As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well."

That quote sparked some mainstream media coverage, including an article from SC Magazine. Once the quote gained fame in the security blog scene, various experts weighed in on the subject.

"These guys are forgetting two things- first; this method doesn't work AT ALL against an enterprise installation (RADIUS) of WPA," wrote Rich Mogul, discussing the comments made by GSS.

"Second, as the original article added as an update, this attack only speeds up brute forcing. Use a long, strong passphrase for your WPA key and you're fine," Mogul added.

Robert Graham of Errata explains this in more depth. "At worst, all this really means is that you have to add one extra character to your WPA password to achieve the same level of security. Password cracking is exponential. Each additional character in a password makes it 100 times more difficult to crack (assuming you use upper and lower case, numbers, and symbols)."

"You can only crack WPA passwords when everyone on the same network uses the same password (using "pre-shared keys" or PSK). Companies that give out different passwords to different people (using a RADIUS server and EAP) are not vulnerable to this sort of cracking."

As mentioned, the original story added an update to this effect. What the ElcomSoft technology proves is that by harnessing the power of several computers at once, an entire network of them to be exact, you can brute force passwords faster. This is accomplished by using their technology in conjunction NVIDIA GPUs.

The lesson to learn from all this FUD is there is no technological advance that will replace good planning. WPA and WPA keys are safe, but they are just as vulnerable as any password if they are too small or easy to guess.

Around the Web