Hello Celejar,

>> WPA2's (that's your conventional WiFi standard) secure configuration 
>> is fiendishly difficult.
> I take your point, but "fiendishly difficult"? I think you're exaggerating.

I think so too; WPA2 has been around for a rather long time and all software 
knows about it.

>> You have beacon frames that are broadcasted without any encryption.
> True, but is there any evidence that this constitutes a security risk?

Yes:
https://www.bleepingcomputer.com/news/security/new-method-simplifies-cracking-wpa-wpa2-passwords-on-80211-networks/
This article describes that method and mainly talks about how it is now a lot 
easier to get a password hash for the PSK in WPA2.

>> You have authentication frames that can be intercepted (so WPA passphrase 
>> can be bruteforced).
> Lots of things (such as TLS, ssh) can theoretically be brute forced - the 
> question is whether such brute forcing is sufficiently practical to be a 
> threat. I have seen nothing to indicate that properly configured WPA2 can be 
> realistically brute forced.

Reco talks about WPA and you and I talk about WPA2; maybe that is the 
difference, although at the top Reco also mentions WPA2.

>> You have several encryption algorithms, but:
>> a) They are not equally good.
> Of course not - they never are ;) The trick is to pick a good one, and for 
> wifi, that's WPA2 using AES.

Indeed, if one uses AES instead of PSK then it gets a lot safer, but now we ARE 
getting into a harder-to-use protocol. Not all WiFi hardware knows how to use 
WPA2 AES encryption.

>> b) You may have hardware that lacks support for the good ones.
> I suppose, but my impression is that most hardware from the last few years is 
> fine.

All devices should know WPA2 and PSK, maybe not AES.
But what the hashcat method does is simply get the PSK password hash quicker 
than any other method before; after that it is still a brute-force job to get 
the password. The article I referenced talks about THAT sometimes being easier 
because most people use the default password of the WiFi router, and some of 
those passwords are predictable.
If one sets a new and long PSK key, then cracking it is a lot harder. After that 
it is just a matter of making sure all your devices can handle the password 
length you have chosen.

Celejar
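As an added illustration of what the "PSK password hash" discussed above actually is (example code added here, not part of the thread): WPA2-Personal derives the 256-bit PSK from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, so the per-guess cost is fixed by the standard and the passphrase's length and alphabet are the only lever a network owner has. The guess rate used for the time estimate is an assumed figure, not a measurement.

```python
import hashlib
import math

# Known-answer vector from IEEE 802.11i Annex H (passphrase, SSID, expected PSK hex).
KNOWN_VECTOR = (
    "password",
    "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)

# Assumed per-guess rate for the estimate below; not a measured number.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a random passphrase of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to try every passphrase of this shape at the given (assumed) guess rate."""
    guesses = 2 ** search_space_bits(length, alphabet_size)
    return guesses / guesses_per_second / (365 * 24 * 3600)


def self_check() -> bool:
    """Confirm the derivation against the published test vector."""
    passphrase, ssid, expected = KNOWN_VECTOR
    return wpa2_psk(passphrase, ssid).hex() == expected


if __name__ == "__main__":
    print("vector ok:", self_check())
    # A short router-default style passphrase versus a long random one.
    print("8 lowercase letters: %.1f bits, %.2g years" % (search_space_bits(8, 26), years_to_exhaust(8, 26)))
    print("20 printable chars:  %.1f bits, %.2g years" % (search_space_bits(20, 94), years_to_exhaust(20, 94)))
```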
