Forum Archive Home -> Computer -> Is WPA encryption really better than WEP?
Is WPA encryption really better than WEP? | ||||
| yoda313 posted 2009 Oct 17 16:57 | ||||
| I finally took the time to switch my wifi router to WPA encryption. I was using WEP before. I decided since my other devices supported WPA I might as well do it.
Now that I have done it I wonder - is WPA really better than WEP? Was I more vulnerable to attack under WEP than WPA? I had checked and my Nintendo WII supported WPA and my older wifi card on my XP desktop supports WPA so I decided to switch. My xbox 360 and ps3 are hardwired to my router so those weren't affected. eDIT - Out of curiosity my zune 30gb model with the latest zune update does support wpa. It was previously set up to do wireless (synch with pc and limited marketplace functionality - not the full internet like the new zune hd does however). I was able to turn on the wireless broadcast on the zune and then it found my network and I plugged in my password and I was good to go. | ||||
| rumplestiltskin posted 2009 Oct 17 17:28 | ||||
| There are freely downloadable apps for both OSX and Windows that utilize the wireless connections in your notebook to detect WEP-encrypted WiFi networks and then crack them in about 3 minutes.
So, yes, WPA is much more secure; and, yes, you were quite vulnerable using WEP. HOWEVER, be sure you use a long password (23 characters should be sufficient). Read this: http://news.cnet.com/8301-13554_3-9822842-33.html | ||||
| redwudz posted 2009 Oct 17 18:57 | ||||
| The level of security you need really depends on where you are located. Routers only transmit a short distance, usually less than a 1/4 mile. Or more commonly, even less, depending on the antenna configuration, location, the output power, and sometimes depending on the receiving antenna. I've played with a parabolic dish and was able to double my WiFi reception range.
Check the wireless signals around you and see what's out there at your location. If you only see a few, lower security threat. I've used WirelessMon to check out the signals in my neighborhood. It has a 30 day trial. http://www.passmark.com/products/wirelessmonitor.htm If you're next to a urban internet café with lots of web savvy teenagers, the more protection, the better. :lol: If you're in the 'burbs', protection still needed, but you aren't as likely to be attacked. But I agree, WPA is much better than WEP. I use WPA2-PSK [AES] for my laptop. If you want a bit more security, disable your SSID Broadcast and you're likely not to be found at all. And use a higher level password for your encryption PW and also use a better PW for your router. It's funny how many routers don't use any encryption and if they do, the password to access the router is 'password'. :) If you are worried about financial transactions being compromised over a wireless connection, they almost always use https, which already has a strong layer of security. | ||||
| jagabo posted 2009 Oct 17 20:13 | ||||
| Be sure to use WPA2:
http://www.electronista.com/articles/09/08/27/wpa.1.minute.hack/
| ||||
| yoda313 posted 2009 Oct 18 08:34 | ||||
| Thanks for the info.
Fyi I apparently can't use wpa2 on my wifi card on my desktop. It's an older netgear G wifi card and does support wpa but not wpa2 by the looks of it. Also its weird I had trouble logging on this morning. It was fighting between windows control of the adapter and the netgear configuration utility. It took awhile but I got back on. | ||||
| AlanHK posted 2009 Oct 18 09:25 | ||||
Commonly believed, but bad idea.
| ||||
| AlanHK posted 2009 Oct 18 09:32 | ||||
You either use "Windows Zero Configuration" or a third-party app (usually bundled with the hardware). If the latter, you need to deactivate WZC, they both can't work simultaneously. Usually this is done by the new app, but maybe you reactivated WZC by mistake. See http://www.ezlan.net/wzc.html | ||||
| rumplestiltskin posted 2009 Oct 18 10:34 | ||||
| There are also some instances where WPA2 on Snow Leopard isn't reliable periodically dropping the connection. I can confirm this. I switched the router to WPA only (from WPA/WPA2) and this resolved the issue 100%. I suspect it may not apply to all wireless access points but mine are the 2Wire AT&T DSL gateway and a Netgear MIMO WPN824; Apple's AirPort Extreme has also been reported as having this problem (but I don't own this one so I can't confirm). | ||||
| redwudz posted 2009 Oct 18 13:06 | ||||
| I had a lot of problems recently with my Netgear router dropping the signal to my laptop. The router wouldn't show at all on the laptop. My netbook also had problems with WPA2 and losing the signal. A router update seemed to have fixed both problems.
I also have my router set up for fixed addresses. I find that much more reliable than DHCP. (Dynamic Host Configuration Protocol) I don't normally turn off SSID, but it does keep the router from showing up on other's computers. Unless you have sophisticated hackers around, it's not likely they will try to break into your system if they don't see it listed on their machines. But I agree turning off SSID will give you occasional problems as the computers may not always find the router quickly. I live in the suburbs and there isn't anyone nearby with enough computer experience to be much of a threat for a attack. And I do use firewalls that keep out most intrusions if they were to get into the router. Checking your router logs on occasion may alert you to something odd going on. You can also set up your router to just recognize your computers and to ignore all others easily by using MAC address filtering. If you host guests occasional on your system, then that may be a problem. If you don't have WPA2, at least use a strong password and a decent firewall. :) And change the name of your router. When it IDs as a Linksys or a D-link, not hard to guess what the address range is. And if it uses 'admin' as the login, you just need to guess the password. | ||||
| MOVIEGEEK posted 2009 Oct 18 13:42 | ||||
Yeah turning it off causes problems with my Linksys router but on my old D-Link it wouldn't cause problems. Having at least 13 characters for a network key is a good idea and changing it every few months is also. Also make sure you enable stealth mode on your firewall, Linksys calls it "Block Anonymous Internet Requests". Vista and 7 are more secure than XP when using a unsecured network(internet cafe) but here's a few tips for you XP users: 1.Make sure you have SP3! 2.Turn off Remote Assistant. 3.Turn off file and printer sharing. 4.Use a better firewall. | ||||
| yoda313 posted 2009 Oct 23 16:05 | ||||
Hey there, Well I got around it. I deleted the netgear connection utility from the startup menu so now Windows does the connection. It connected automatically on its own without any hassle. Thanks for the info though. | ||||
| edDV posted 2009 Oct 23 16:12 | ||||
| The worst place to run wireless routers for security would be a dense apartment complex in Silicon Valley. First, they all know how to hack to your hard drives, second the only way to find an open WiFi channel is to hack somebody else.
All this would also apply to high tech customer hotels anywhere in the world. | ||||
| Video Head posted 2009 Oct 23 22:13 | ||||
Yes, but in that case you would expect everyone to be at the same level of play. It should not be pro vs high school. The defense would not only be ready for the play but also trying to stuff the offense in the backfield...or in tech terms: running a honeypot to turn the hunter into the hunted...but no one would ever do that 8) | ||||
| edDV posted 2009 Oct 23 23:00 | ||||
| In the burbs, you need to worry about the teens close by.
Actually within a mile or so if they use a yagi. In the hills it could be a couple dozen miles.  | ||||
| Video Head posted 2009 Oct 24 01:30 | ||||
Most of what anyone can do, if they do manage to connect to your router, is gain access to your internet connection and use your bandwidth. If they where to start downloading large files they could kill your monthly cap or use it for illegal activities and make it look like it came from your connection. Access to other connected computers would depend upon firewall and file sharing permissions. I might have missed it, but the one thing I have not seen mentioned here is ensuring that remote management of the router is disabled. It always amazes me as to how many people do not enable any security at all. Possibly because they just do not have the knowledge of what can happen if they don't or else their internet connection does not work if they enable it, so they disable it...when I check available networks in my area there are about 50. Most are WAP 1/2, a few WEP and 4 or 5 are no security with default router names. Who would start hacking the WAPs or the WEPs when there are some wide open? Scary...and probably the same in just about every high density metropolitan residential area. | ||||
| edDV posted 2009 Oct 24 01:47 | ||||
| Yes, around my area there are several wide open. I figure WPA2-PSK makes you less a target. I also shield the wireless router from the down hill side and turn down signal strength. The opposing ridge has no cable or DSL service. I figure some are DX'ing for a wireless connect. | ||||
| yoda313 posted 2009 Oct 24 06:23 | ||||
Do you know what netgear calls their version of that so I can disable mine? Also where would you change your network name on the router? Should it be something inconspicuous or can any name do as long as its not the default? Obviously I wouldn't be stupid enough to use my real name or anything - even though our neighbors obviously know us but its the potential "prowlers" I'd be thinking of. Thanks for all the advice and suggestions. I'm glad now I did switch to wpa. Edit - oh also would that prevent me from making changes on my own router from my other computer wirelessly? Would I only be able to access the router with the computer that is hardwired to it? | ||||
| MOVIEGEEK posted 2009 Oct 24 10:45 | ||||
| Remote management is usually in admin and is disabled by default, it allows you to access the settings on a specified port. The network name is usually in wireless security and it's the name being broadcasted, use your initials or an alias such as YODA. I can't believe some of my neighbors use their full names. | ||||
| minidv2dvd posted 2009 Oct 24 11:56 | ||||
| an extra layer of protection i use is to turn off broadcasting. no one can find the wireless connection at all without knowing the workgroup name. | ||||
| redwudz posted 2009 Oct 24 12:32 | ||||
Nope. It's just the SSID name that's being broadcast. When you change it, it should show up as the new name on all your PCs. And I would be careful making changes on your router over a wireless connection. You could drop the signal and corrupt something in the router, though that's unlikely. Definitely don't update your router's firmware over a wireless connection. :( If you use a decent level of encryption with your router, a secure password, add MAC filtering, and use fixed addresses for your computers, you would be fairly safe just about anywhere. As mentioned, someone piggybacking through your router to your ISP is probably the most common danger, not them hacking into your PCs. Here's what my local area looks like at present. The Meridian names are the ISP's WiFi transceivers:  | ||||
| Video Head posted 2009 Oct 24 13:41 | ||||
It should just be called remote management. I have never seen a manufacturer use a pet name for it. The network name (or router name) is in the management settings on the administration page. It is usually a web page at the routers IP address. You then log in with user name and password. You can use any network name you wish. In my area they are people's names, business names, plugs for sport teams (seems to be a war going on there) and one is even called "Macs Rule". On that point, I disagree with a name that draws attention to yourself. The quiet mouse gets the cheese, the loud mouse gets eaten by the cat. Using a name like "My Unhackable Network" would just draw every script kiddie and true hacker to try harder than casual. You will get "drive by" attempts. They are usually just looking for easy prey. Using good security practices will usually make them move on to an easier target. Any computer connected to the router can access the administration page. Just browse to the router's IP address, enter the username and password and you have full access to the management settings - see why it is so important to change the default? To be connected to the router though the device needs the network key. This should never be a problem because your network key is long and strong, right? Another little security trick I like to use is changing the router's default IP address. Change the last number to something other than the default between 0 and 255. Just remember what you changed it to, because you have to hard reset the router to get back the defaults. Anyone trying to hack your router would probably get frustrated when they can not find the administration page and just move on. Remote management allows access to the administration page from the WAN side so it is important that this be dissabled unless you specifically need it. Good router security practices: - Change the administration login name and password. - Use the strongest security scheme that your connected devices support: WPA2, WPA, WEP. - Use a long and strong key: at least 25 characters with upper and lower case letters and numbers. Do not use words found in the dictionary. - Physically ensure that remote management is dissabled - do not trust that it was dissabled at the factory. - Change the default IP address of the router. - Set the maximum number of DHCP assignable addresses to the maximum number of devices you will connect or use fixed IP numbers or only allow assigned MAC addresses to connect if possible (MAC addresses can be spoofed so it is still not fool proof). - Enable connection logs. - Audit your security occassionally: check who is connected to your network, check that remote management has not been enabled, check logs, check that your security scheme has not been changed. Do this frequently after making changes, if no problems you can lower the vigilance. I hope this helps. | ||||
| AlanHK posted 2009 Oct 24 23:22 | ||||
Wrong.
A tool like Kismet can listen to the network traffic and when something connects to your "hidden" AP, it grabs the details. | ||||
| AlanHK posted 2009 Oct 24 23:45 | ||||
Eg, this freeware: "Advanced IP Scanner". Useful when I bought an old router with no documentation and had find its admin page, and other network devices. | ||||
| minidv2dvd posted 2009 Oct 24 23:56 | ||||
| hehe - don't know what you're using but nothing has found my wifi ssid with broadcast disabled. it shows up on no wireless device brought here. | ||||
| AlanHK posted 2009 Oct 25 00:04 | ||||
Try Kismet
Don't you think that if making your network "unhackable" was so simple, that everyone would do it? That it would be the default? Why bother with encryption if you can just "turn off the beacon and be invisible"? It's just a way of making your network break standards, so devices looking for well-behaved networks will indeed not connect. But hacking tools are not so naive. | ||||
| minidv2dvd posted 2009 Oct 25 00:20 | ||||
| you don't seem to understand. since it's not a named network, it isn't findable using normal methods. it would take a determined hacker hours to find it. my son's college computer science major buddies can't log on half the time even if i give them the ssid. i don't care if it's non-standard, it works for me and all my wifi equipment. that's the point. | ||||
| AlanHK posted 2009 Oct 25 01:18 | ||||
You didn't try Kismet, did you? Here's a tutorial to get you started: http://www.wi-fiplanet.com/tutorials/article.php/3595531 It would take a "determined hacker" two minutes. You gain nothing over simply using a strong WPA password. You can hide from people who aren't a threat anyway -- as you say, all you've done is make it hard for legitimate users to log on. | ||||
| Video Head posted 2009 Oct 25 02:22 | ||||
I agree. It is nothing but another deterent. Living in Hong Kong you must understand the security issues with automobiles. Every time you park your car in Hong Kong you must worry if it will be safe...how do you protect your automobile in Hong Kong? Is locking your doors enough? Do you have passive ignition security? Do you use a steering wheel lock? Do you have an alarm? Do you park it on the street or do you have a secure spot? If you have a secure spot, are there security guards? Do they have dogs? Do they have guns? Are they willing to shoot someone dead to protect your automobile? Security is nothing...if someone is motivated enough to get it, they will... | ||||
| AlanHK posted 2009 Oct 25 11:54 | ||||
If you knew anything about Hong Kong, you'd know that very few people have cars. A bit like Manhattan in that respect. I don't know anyone who does, personally. And security guards here (except in banks) do not have guns. Very few criminals do either, despite what you see in HK movies. But that's another, off-topic, story. Sorry to spoil your analogy -- the good old Slashdot-style car analogy for every occasion. | ||||
| Video Head posted 2009 Oct 25 19:31 | ||||
I know that very few people in Hong Kong have cars...that is why I used the analogy :P One of my friends there works with a woman who "drives to work". The distance she walks between the parking lots is greater than the distance between her closet size apartment and her office. But she drives to work and, as I understand it, is of great status importance. You seemed to completely miss the point... | ||||
| AlanHK posted 2009 Oct 25 21:23 | ||||
Unless it was "Security is nothing...if someone is motivated enough to get it, they will..." which was clear enough. The rest of the story didn't make much sense to me though, which is what I commented on. | ||||
| minidv2dvd posted 2009 Oct 25 21:55 | ||||
there are no legitimate users unless i allow them and the ones who can't figure it out by themselves i can hook up. most of the time no one is logged on the wifi. with no one on, it doesn't transmit anything, all it does is listen. i admit if there were traffic, it may not take long to find it. but, then they'd have to get through the other protections. my logs don't show any users i didn't allow. | ||||
| Video Head posted 2009 Oct 25 22:25 | ||||
Exactly. It was not meant to make sense to you. You live in Hong Kong. You do not have a vehicle. The analogy was intended to be foreign. As is setting-up the security on a residential wireless router to the OP. We were mearly providing the OP with the knowledge necessary to configure a reasonable level of security. You brought forth no solutions, just cynical criticism. Good day. | ||||
| AlanHK posted 2009 Oct 25 23:03 | ||||
Still not getting your point: "It was meant to be foreign"? And while not at having a car here, the concept is not "foreign" to me. Just your story had no basis in reality. I suggest just saying what you mean rather than giving extended fables. And as for the pompous "We were mearly providing the OP with the knowledge.... You brought forth no solutions, just cynical criticism", well, not true and offensive. I said that a good WPA password was a more than reasonable level of security, while pointing out that messing around with the SSID is just a waste of time, causing hassles to normal software, while not impeding hackers. Sorry if hearing that damages anyone's self esteem. Actually, in security matters, you really should cultivate a cynical and critical frame of mind. | ||||
| AlanHK posted 2009 Oct 25 23:14 | ||||
Well, the security on my home setup is actually crappy, a very old 802.11b access point that only has WEP. But it's semi-rural, I only have two or three neighbours in range and know them personally. I just turn off the access point except when I'm running a laptop. Though I'm pretty sure that a hacker couldn't get into my router via wifi. I would upgrade and harden this if I was, say on a main street or a campus. I know the risks I'm running, I just wanted to be sure you did. |
Login/Register to our forum to be able to post here.