[Tfug] Why would *anyone* leave a door open?

Bexley Hall bexley401 at yahoo.com
Fri Aug 28 11:34:11 MST 2009


> > WPA2 Pre-shared key can be anywhere from 8 - 63 characters long.
> > If it's a simple word in lower case and you are able to capture
> > the four way handshake then sure it can be cracked but anything
> > halfway complex over the 8 character limit is going to be close to
> > impossible.  Dictionary attack is required.

Current *published* techniques might assume that.  But, often,
cryptosystems fail when someone discovers a way to exploit
faults in the technology, its application, *implementation*, etc.

I'd be willing to bet the gu'mmit can see damn near anything
they *chose* to see!  :-(

> > http://lastbit.com/pswcalc.asp
> 
> Actually no.... A WPA2 pre-shared key is 256 bits, 64 hexadecimal characters.
> Most manufacturers allow you to enter an 8+ character passphrase, which is
> then hashed using a common function into a 64 hex character shared key....

So, you start with a ~8 character passphrase... chances are,
for most folks, those are eight *6* bit (or fewer) characters
(upper and/or lower case + digits).  So, ~50 bits of information
mapped to 256 by a (predictable) hash.  I.e., it is effectively
a 50 bit (or fewer) strong key.  (OK, perhaps the hash is salted
with something truly random?)

> Most in the general population can not accurately copy a 20 digit license key
> for their software, let alone 64 digits for the WPA into 2 or more devices.

Exactly.  Theoretical issues bear no resemblance to *practical*
issues.  I can put Medeco locks on the doors to my house but
if I leave the key under the mat, what good are those locks?
(or, if I leave the windows open, etc.)

This is the fallacy I see with most key/password/pin systems
in use today.  How many folks guarantee that no two passwords
(passphrases, PINs, etc.) are the same?  And that they are
changed *regularly*?  And that someone close to you can't
*guess* your "secret"?  And that you haven't written those
passwords down someplace??

I have probably a dozen machines that I use on a regular basis.
That doesn't count other online accounts, etc.  (note that I
have *no* online banking, credit card, utility, etc. accounts
which would only add to the number of "secrets")  I don't have
duplicate passwords.  All of them contain nonalphanumeric
characters, etc.  And none are "written down".  Great!  *But*,
relying on brute force memory means I simply can't afford to
change them often!  So, regardless of how many of the "right"
things I do, I can't do *all* of them (without resorting to
pen and paper, etc.)

I am convinced that the only realistic *good* way of
protecting things (you know, *trivial* things like YOUR
IDENTITY!  :-/ ) is with a physical secret and/or something
biometric that truly *can't* be counterfeited (unfortunately,
I don't think the biometric stuff is that safe either).

> It is the 8-12 character passphrases which can be easily
> dictionary matched... not the 64 character key.

One win is to make the key wider (most folks seem to choose 
6 - 8 characters for passwords).  E.g., I used a tool to
crack an XP password in a bit under a minute (using the
machine that I was trying to break into!).  Had the owner
been a bit smarter and used a wider password, my job would
have been much harder.
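
The passphrase-to-key mapping discussed in this message, as an added example that is not part of the original post: WPA2-Personal derives the 256-bit PSK with PBKDF2-HMAC-SHA1 (4096 iterations), salted with the network's SSID rather than a random value, so the key carries no more entropy than the passphrase. The function names are illustrative, and the passphrase/SSID pair is the published IEEE 802.11i test vector, not a real network.

```python
import hashlib
import math

PSK_BITS = 256          # size of the derived pre-shared key
PRINTABLE_ASCII = 95    # characters allowed in a WPA2 passphrase (0x20-0x7e)


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, PSK_BITS // 8
    )


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def effective_key_bits(length: int, alphabet_size: int) -> float:
    """The derivation is deterministic, so the PSK is no stronger than its input."""
    return min(float(PSK_BITS), passphrase_bits(length, alphabet_size))


def min_length_for_bits(target_bits: int, alphabet_size: int) -> int:
    """Shortest random passphrase that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # Published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").
    print("PSK:", wpa2_psk("password", "IEEE").hex())
    # 8 characters from upper + lower + digits (62 symbols): the "~50 bit" case.
    print("8 chars, 62 symbols: %.1f bits" % effective_key_bits(8, 62))
    # A full-length random printable passphrase saturates the 256-bit key.
    print("63 chars, 95 symbols: %.1f bits" % effective_key_bits(63, PRINTABLE_ASCII))
    print("random printable chars needed for 256 bits:",
          min_length_for_bits(PSK_BITS, PRINTABLE_ASCII))
```

These figures assume uniformly random characters; a dictionary word or a reused password carries far less entropy than its length suggests.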


      



