How Secure is YOUR WiFi Network?

  • Added 5 June 2024
  • Despite all of the failings and security issues with WPA2, the most common weakness in your wireless security is probably passwords. Come along as I explore the different types of WiFi security, how you can generate secure passwords for your network, and the alternatives you might want to consider for the ultimate in WiFi security for your homelab!
    Support me on Ko-Fi if you enjoy my content and find it useful:
    ko-fi.com/apalrd
    Feel free to chat about my upcoming projects on Discord!
    Chapters:
    00:00 - Introduction
    00:57 - Open Networks
    01:55 - Enhanced Open (WPA3-OWE)
    02:48 - All About Passwords!
    04:45 - Old Faithful (WPA2-PSK)
    05:30 - Private Pre-Shared Keys
    07:25 - WPA2 Problems
    09:23 - No Forward Secrecy
    11:37 - Offline Key Decryption
    20:25 - Good Passwords
    23:23 - Diffie-Hellman To The Rescue (WPA3-SAE)
    26:00 - But Device Support!
    26:53 - Finally Better Security (WPA-Enterprise)
    29:41 - The Ultimate Champion (EAP-TLS)
    30:25 - Hiding your SSID?
    34:39 - Conclusion
  • Science & Technology

Comments • 95

  • @kylereed3577 4 months ago +23

    Thanks! You continually inform an old guy who thought he knew everything. This is going to help with an upcoming project and my home network.

  • @lis6502 4 months ago +20

    oh one more thing, thanks for making "OG YouTube content" in 2024, full of passion and actual content over intros, background music, sketchy VPNs and PCBWay segways all over the place. I was considering RADIUS for some time, now I know that this is the way to go and thanks to your other videos I have a good base on implementation.
    Not to mention that after the Milk-V video I've ordered 10 pieces with IOB boards just to tinker and totally loved the open CPU concept!

    • @apalrdsadventures 4 months ago +4

      Glad you like it! VPNs have definitely taken over meaningful discussion on security.

  • @robertopontone 4 months ago +19

    Your knowledge on details is impressive 😮 and you always manage to pick interesting topics which I cannot find on other channels. Thanks 👍

  • @neilfairbairn3775 1 month ago +1

    As well as a strong password, I use MAC Address Filtering, reserving each of my internal IP addresses to a device's MAC Address, and limit the number of IP Addresses to the number of devices I own. I do have a guest network running for friends and other family members that are not in my household. There are also several firewalls to segregate my network into gaming, entertainment and work.

  • @supremebeme 4 months ago +9

    man this content is absolute gold. ty sir

    • @apalrdsadventures 4 months ago +1

      no prob thanks

    • @valentinzeller8439 18 days ago

      @apalrdsadventures I wanted to state something along the lines of the original commenter. But I see it's taken care of already. Keep at it ;-)

  • @curtispavlovec 17 days ago

    Excellent synopsis. WPA3/SAE is the only way to go today for the home user. Unfortunately too many devices still in 2024 do not support it. So we are forced to put printers and IoT devices, for example, on a separate WPA2 network.

  • @nhofonef 4 months ago +12

    I got EAP-TLS running with freeRADIUS a while back. Works great for computers, not so great for IoT and embedded devices unfortunately, so I still need to keep a PSK network around for them.
    Hard agree on disabling legacy Wi-Fi modes as well. I keep 802.11n as a minimum (and it's 15 years old already).

    • @apalrdsadventures 4 months ago +5

      By legacy I meant 802.11b/g, not n. Especially on 2.4 GHz.

    • @nhofonef 4 months ago +3

      Yep I think we're on the same page :)

  • @eschofield1 4 months ago +3

    Could you do a setup video on WPA Enterprise TLS? Would be interesting to see your take on how it would be configured.

  • @HarrySManback 4 months ago

    Dude, you're killing it. Much respect.

  • @user-dz9yl7hi8j 4 months ago

    Love this video and as always thanks for the great content!!😊😊

  • @TheMonemone2 4 months ago +1

    thanks for the vid. I've learnt a lot!

  • @codydietrich4246 2 months ago +1

    Thanks for taking the time to explain it in detail!

  • @nicolaslavinicki4029 4 months ago +2

    You are the Best, man! You are really making a difference in the world! I wish you much success!

  • @jvannoyx4 4 months ago +1

    @apalrdsadventures thank you for the great content. Always enjoy seeing your videos in my feed. I would like your insight on a Network Access Control (NAC) such as Packetfence NAC and how that can be used to secure a larger wifi environment. Thanks again.

  • @BertPdeboy 4 months ago

    Really good work balancing the amount and depth of information! As a generalist I learned some new things.
    Your demonstration of hashcat is so clear that people of every skill level could follow it; it's required-learning-material level 👍

  • @stelas9307 2 months ago

    Wow! Amazing info for free!!! Thank you!!!

  • @ronm6585 4 months ago +1

    Great info, thank you. 👍🏻

  • @ttoni-youtube 4 months ago +1

    Thanks for the great information you presented! I never knew passwords are so easy to brute force, even combined ones! It opened my eyes, I will definitely change to WPA3 and put stronger passwords on my WiFi networks.

    • @apalrdsadventures 4 months ago +1

      Glad it helped! It's only really possible to brute force when you can extract the hash and do it offline, which isn't possible in all protocols.

  • @Akadjjoel 4 months ago +1

    Excellent video

  • @fedemtz6 4 months ago +1

    When I visited Spain last summer, I found that most places (and the actual routers) shared the WiFi password with a QR code, and when I looked at the actual password, they were about 20 random numbers and letters long. That is not bad as long as it is not some ID or serial number, as I noticed with another ISP's old CPEs in Mexico. The ideal thing to make it easier for those of us wanting to connect to the WiFi on our laptops is the XKCD type of word passwords, maybe just camelCase it and add some basic symbols or numbers.
    btw, the Mexican ISP used some serial number that was printed on the side of the CPE as the password and the last 4 digits were part of the SSID as -. That ISP was bought by another one and those CPEs have been mostly taken out of service.

  • @VizionHUN 1 month ago

    OMG, very informative video again. If a very good encryption method was available since the '70s, why did ppl develop something not-so-secure? Thx for the great content!

    • @apalrdsadventures 1 month ago

      When WiFi was drafted in 1997 (and WEP was part of the original spec), the US still considered any encryption over 40 bits to be an export-controlled munition, so a lot of encryption in the 90s was known to be weak even when it was designed. This is why the original SSL usually used 512-bit RSA and 40-bit RC4, despite the protocol supporting 1024-bit RSA and 128-bit 3DES or RC4 for companies who could jump through the hoops to only distribute their software to US citizens. Eventually the EFF would challenge this by publishing the source code to cryptographic algorithms in a book.
      There's also the concern that the authentication ciphers in WiFi are virtually always implemented in software (while the stream ciphers are in hardware), so doing ECDH for each auth can be a lot of work for the AP. Modern WPA3 has to consider that the increased crypto work to authenticate new clients can potentially cause a DoS for the AP, so APs implement rate limiting on how fast they will process new clients. A few decades ago this would have been too much for the CPU in the AP.

  • @fedemtz6 4 months ago +4

    I have a WPA2/WPA3-Personal network. How does having mixed WPA2 and WPA3 work? Is there any benefit to having WPA3 if there are still some WPA2-only clients?

    • @apalrdsadventures 4 months ago +3

      WPA3 clients will use SAE (with forward secrecy / inability to decrypt even if you know the password).

  • @mtnsolutions 4 months ago

    Just set up WPA3-Enterprise with my UniFi U6 Pro and a self-hosted controller/third-party gateway. I do hide the SSID for my IoT stuff because they're not mobile. Very cool talk. I would love to see a demo of standing up a high-availability RADIUS server with the TLS certificate you mentioned. Keep up the great work. Oh, btw, I also wish UniFi would dedicate a bit more of their talent to supporting IPv6.

  • @alexaka1 4 months ago +2

    I gotta go and rotate some passwords is the new I gotta go return some videotapes.

  • @l0gic23 4 months ago

    Great vid

  • @TheOisannNetwork 4 months ago +1

    Thanks!

  • @break1146 4 months ago +3

    This prompted me to change all the devices I manage to WPA3 (well I did a few, it's evening I'll continue tomorrow lmao), with transition mode enabled unfortunately because I also don't fancy breaking shit out on sea and there is a decent possibility there are still some legacy but mission critical devices out there. However, with this I don't think the fallout will be too high and we'll deal with it if it comes :).
    There are also a lot of shitty passwords still out there, some from me and most of the worst ones not from me. Sadly changing passwords from under people's noses isn't much appreciated.
    This was a great video just giving an overview about it. Quite needed for me as well. Thanks!

    • @apalrdsadventures 4 months ago +3

      Glad it's working well for you on WPA3! A really good WPA2 password can be as secure as WPA3 passwords, but it's a lot easier for it to not be very good. WPA3 is still vulnerable to password sharing by humans of course.

    • @break1146 4 months ago +1

      @apalrdsadventures The forward security thing is nice though. These vessels go everywhere so it's more of a just in case. The password sharing aspect isn't going away anytime soon for me. Many passwords are literally the SSID, with some capital letters, etc. It's going on my list of things to make a case about. I'm basically doing most of the IT alone for hundreds of vessels and they're all different owners/management and a whole backlog of setups that desperately need an overhaul, and geostationary VSAT connections are making this a funny business. If the weather is particularly bad it can take half an hour (of trying) to change a single setting on a GUI, and when the device only has a GUI...
      I've basically been on a hardening and encryption rampage ever since I started working here and gained some footage. (also to the annoyance of some people but I'll fight them lol)
      Your videos are very useful also for the plans I have for my home lab, I'm collecting hardware here and there for either free or a good price. Thanks!

  • @d3wy 4 months ago

    Wonderful video, I also love them googly eyes. I want a dream router just to do that now!

  • @UnderEu 4 months ago +2

    Tip for a secure password: Put someone you don’t like that much to close up vim 🙃

  • @gunnargu 4 months ago +4

    My question: WHY is it so hard to set up a RADIUS server? All I want is a USER FRIENDLY RADIUS server that can do all the WiFi auth modes. Just part of routers or as a VM appliance!

    • @apalrdsadventures 4 months ago +6

      RADIUS is a very troublesome protocol for everyone involved

    • @curtispavlovec 18 days ago +1

      Ubiquiti has a built-in RADIUS server iirc

  • @neilquinn 4 months ago +1

    How risky is using an ancient Actiontec MI424WR just as a router? (I have a more modern AP attached and the radio disabled on the Actiontec.)

  • @tomkelley4119 21 days ago

    With your password generator, I capitalize the first letter of words, and I add punctuation to make things more obvious on what the phrase means to me.

  • @subrezon 4 months ago +2

    I used to have an xkcd-like password, except that I combined 4 words from 4 different languages. If whoever is cracking my password has a wordlist with Russian transliterations and a rule that correctly leetifies Russian - honestly, they deserve the W.
    (not my password strategy anymore)

  • @lumisonic48-io5xw 4 months ago

    Excellent video, can't wait for the follow-up. Will you talk about cert-based RADIUS? I have a few PCs with corporate-issued certificates for corporate WiFi; my dream is to one day have my own WiFi with FreeRADIUS to accept these certificates.

    • @apalrdsadventures 4 months ago

      Yup, it's cert-based RADIUS. Although most of the video covers the CA / issuing certs bits and not much on FreeRADIUS.

    • @lumisonic48-io5xw 4 months ago

      @apalrdsadventures so, that will be an adventure for me to figure out :)

  • @InShadowsLinger 4 months ago

    Almost didn't watch, thinking "what new could I possibly learn?" Boy, was I wrong. I am still kind of stuck in the early 2010s.

  • @MrSephkeene 4 months ago +1

    Great video as always. Is there an updated Discord link?

    • @apalrdsadventures 4 months ago

      It should be correct?

    • @MrSephkeene 4 months ago

      I get invalid or expired.

    • @skyleite 4 months ago

      Works for me. You've probably been banned.

    • @apalrdsadventures 4 months ago

      It's not a ban from my side. But here's another 7-day link to try: discord.gg/E2EbWdtx

    • @MrSephkeene 4 months ago

      On Android, both links fail; on desktop, works a charm. Thanks again! @apalrdsadventures

  • @GameDesignerJDG 4 months ago +2

    21:59 I love to be pedantic about entirely useless trivia, but there are 365.2425 days in a year. You're welcome.

    Long explanation: 365 days + 1/4 (+1 leap day every 4 years) - 1/100 (-1 leap day every 100 years) + 1/400 (+1 leap day every 400 years). This random pointless fact brought to you mostly just as a joke, completely not as a criticism. 365.25 is a perfectly usable shorthand (only off by 3/400ths of a day per year) and this only matters after a lot of years.

  • @WndSks 4 months ago

    Before OWE the advice used to be that WPA-PSK with the password on the store wall/window was better than Open. I never looked into it but I suppose it helps if each client gets their own session key.

    • @apalrdsadventures 4 months ago

      Posting the password on the wall in theory makes sure someone walking by doesn't use your network, but realistically everyone in the area will know your password and that's not really useful security.

    • @WndSks 4 months ago

      @apalrdsadventures Everyone is supposed to know the password; the point is to provide slightly better security than a plain open AP. WPA-PSK will handshake each client and give them their own temporary key that is used to encrypt the traffic between the client and AP. (That was the theory 10 years ago anyway.)

    • @apalrdsadventures 4 months ago +2

      Yeah, that's like the perfect use case for OWE. If everyone knows the password, it's trivial to decrypt all of the WPA2-PSK traffic anyway; SAE doesn't have this problem (and SAE is used for both OWE and WPA3 password-based).

  • @astacc 1 month ago

    26:30 A lot of IoT devices barely support Wi-Fi 4. I have them in a separate IoT network without internet or access to other VLANs. Locking all the questionable devices in their own corner is better than having them in the main network, but still not great.

  • @AlyssaNguyen 4 months ago

    I once had a (temporary!) connection I called "Spaceball One" and set the password as "onetwothreefourfive" 😂

  • @JonathanSwiftUK 4 months ago +1

    You didn't mention MAC filtering / restrictions, and whether they have any merit.

    • @apalrdsadventures 4 months ago +1

      In general, MAC filtering causes headaches in the enrollment phase (you often need to connect a device to a network to capture the MAC, then move it over to a secure network). It's also trivial to spoof a MAC on the air, so it provides little security by itself, but it can be extremely useful for higher level segmentation (assigning VLANs / PPSKs by MAC using RADIUS).

  • @SamuelSkottenborg 4 months ago +1

    Is that an ASRock X300 on your desk?

  • @gorgonbert 4 months ago +1

    Have a WiFi network with whatever the best encryption is you can manage, but that network can only access the router. Run a VPN on the router (WireGuard, OpenVPN, whatever) to access the rest of the network 👍

    • @apalrdsadventures 4 months ago

      Do you mean VPN from the client to the router (over WiFi)? That's not going to provide any advantages over WPA-Enterprise.

    • @gorgonbert 4 months ago

      @apalrdsadventures just another layer of protection… you can hack that WiFi password all you want… I don't care… 👍
      I like your point about multiple SSIDs too… using VPN as an added layer of protection, that one single WiFi could even have internet access for all I care and the password can be shared with friends and family… no guest SSID needed… also if you happen to have some IoT crap, those can talk to their clouds… I wouldn't let devices like that on my network, but if you have to, at least they can't get to the precious stuff…

    • @apalrdsadventures 4 months ago +3

      WPA3-Enterprise (and WPA2 with PMF + cert checking) is essentially the same process and level of encryption used in IPsec + IKE with per-client keys and cert-based authentication. So if you are using WPA-Enterprise there's no reason to layer anything else on top, and WPA-Enterprise support is a lot easier to deal with on clients than IPsec, and there's nothing to install like WireGuard.

  • @ws_stelzi79 4 months ago +2

    I guess the Chinese were searching for good WiFi signal a couple of thousand years before considering Confucius already wrote about security! 😉😏🤯

    • @apalrdsadventures 4 months ago +4

      In ancient Lu, Confucius, intrigued by tales of the mystical "Wifi-zen," embarked on a quest to find the best signal. Armed with teachings from wise elders, he journeyed through crowded markets, serene gardens, and sacred temples, raising his smartphone to the heavens at each location.
      Encountering interference in markets, weakened signals in gardens, and elusive connections in temples, Confucius persisted, adjusting settings and offering sage advice. It became clear that, like the pursuit of virtue, finding the best Wifi-zen signal required balance and patience.
      After days of exploration, Confucius stood atop a hill, where the Wifi-zen signal surged with strength. Reflecting on his journey, he shared wisdom: "Navigate interference, seek balance, and embrace patience for the highest connection."
      The people of Lu marveled at the sage who not only imparted virtue but also triumphed in the quest for the best Wifi-zen signal. Content with his discovery, Confucius continued his journey, leaving behind a city united by ancient wisdom and the invisible threads of the digital realm.

  • @kwinzman 4 months ago

    I hate to use the YouTube comment system because it seems to delete or shadowban half of what I write, but I have to give you some feedback.
    You said: if your device hasn't had a firmware update in the last 5 years to add WPA3 support, do you really want to use it?
    After I watched your comment I got motivated, and set my AP to WPA3 only.
    It turns out there are a lot of good devices that regularly get security updates which don't support WPA3: Intel laptops with the Wireless-AC 7265 have no WPA3-capable driver for Windows, the iPhone 6S still gets security updates but doesn't support WPA3, my soundbar gets regular updates but doesn't support WPA3, my Raspberry Pi 4 gets regular security updates but only supports WPA3 with great trouble (I believe since THIS week there is finally a solution if you completely swap the firmware and the wpa_supplicant that comes with the Raspberry), and two label printers that I have that still get roughly 1 security update per year won't support WPA3. So, no, that part of the video is just misleading, to be frank.
    I hope this feedback helps. And doesn't get deleted by YouTube.

  • @subari5875 4 months ago

    Damn, I always assumed that WPA2 without a password still used an encryption key, just without authentication. Who the hell thought that it was a good idea to communicate without encryption, especially over the air? WPA2-PSK too; it boggles my mind how this level of poor encryption could even be an IEEE standard.

    • @apalrdsadventures 4 months ago

      'Without encryption' is how WiFi was originally designed; back in the 90s it was an expensive and niche system.

  • @yuraetoh 2 months ago

    So in other words Ethernet is the best type of WiFi

  • @BenState 3 days ago

    sub from me for this great content

  • @GR3YS0RG4N1CS 2 months ago

    Downvoted for the sinophobia.

  • @AdrianuX1985 4 months ago +1

    On my old AP with OpenWrt, I added this to cron:
    1 0 * * * uci set wireless.default_radio0.key=$(head /dev/urandom | tr -dc '0-9a-zA-Z' | cut -b1-56); uci commit wireless; wifi;
    In your opinion, how long would it take for the GeForce RTX 4090 to crack the above alphanumeric password of 56 characters?

    • @apalrdsadventures 4 months ago

      If I know it uses those characters only (no symbols), that's 62 possibilities per symbol. I also know it's 56 symbols (hypothetically), so I don't have to try all the shorter permutations first.
      So the total number of guesses is 62^56 = 2.36e100. An RTX 4090 can optimistically do 1.5 MH/s (I have no benchmarks, but the 3090 can do 1.15 MH/s), so roughly 5e86 years on a single card.
      However, I could instead brute-force the PSK. PSK = SHA1 hash of SSID + passphrase, roughly, and is 256 bits long. That's 1.15e77 possibilities, and since there are fewer steps in the computation of each guess it can also be done faster. But we're still at some wildly high computation times, on the order of 1e50 years.
      Realistically, by chaining in SHA1 attacks you might be able to get it down to ~100 GPU-years. I haven't seen any research on that applied to WPA2.
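
      The arithmetic in this reply, and the xkcd-style word-passphrase discussion in earlier comments, as an added example (not code from the commenter, from apalrd, or from the video): it derives the WPA2 PSK the way 802.11i specifies it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit output), which is the public function an attacker runs offline once a handshake is captured, and it turns a keyspace size plus an assumed guess rate into years-to-exhaust for the cases discussed. The 1.5 MH/s rate is the optimistic single-4090 figure from the reply, not a measurement; the 7776-word list size is the classic Diceware size and is an assumption; the `strength_report` and `random_alnum_passphrase` names are mine.

```python
"""Added example: WPA2 PSK derivation and brute-force time estimates.
Not code from the commenter, apalrd, or the video; assumptions are marked."""
import hashlib
import math
import secrets
import string

SECONDS_PER_YEAR = 365.2425 * 24 * 3600   # Gregorian mean year

# Assumed attacker throughput for WPA2 (PBKDF2) guessing: the optimistic
# single-RTX-4090 figure quoted in the thread, not a benchmark of our own.
ASSUMED_RATE_PER_SECOND = 1.5e6

ALNUM = string.ascii_letters + string.digits   # 62 symbols, same alphabet as the cron one-liner
DICEWARE_WORDS = 7776                          # 6^5, classic Diceware list size (assumption)


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """WPA2 Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    This function is public and unkeyed, so once a 4-way handshake is captured the
    passphrase alone has to carry the entropy; the SSID only prevents one precomputed
    table from serving every network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate_per_second: float = ASSUMED_RATE_PER_SECOND) -> float:
    """Years needed to try every key of a `bits`-bit keyspace at `rate_per_second` guesses."""
    return 2.0 ** bits / rate_per_second / SECONDS_PER_YEAR


def random_alnum_passphrase(length: int = 56) -> str:
    """Equivalent of the cron one-liner's generator, using the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def strength_report(rate_per_second: float = ASSUMED_RATE_PER_SECOND) -> dict:
    """Compare the passphrase styles discussed in the thread at one guess rate.
    Returns {case: (bits, years)}. The PSK itself is only 256 bits, so a passphrase
    longer than that is capped: guessing the PSK directly beats guessing the phrase."""
    cases = {
        "4 diceware words": keyspace_bits(DICEWARE_WORDS, 4),
        "20 random alphanumerics": keyspace_bits(len(ALNUM), 20),
        "56 random alphanumerics": keyspace_bits(len(ALNUM), 56),
        "256-bit PSK directly": 256.0,
    }
    return {name: (bits, years_to_exhaust(min(bits, 256.0), rate_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    # Known-answer vector published with IEEE 802.11i: SSID "IEEE", passphrase "password"
    print("PSK:", wpa2_psk("IEEE", "password").hex())
    for name, (bits, years) in strength_report().items():
        print(f"{name:26s} {bits:7.1f} bits  ~{years:.2e} years to exhaust")
    print("fresh passphrase:", random_alnum_passphrase())
```

      The report makes the reply's two points visible side by side: 56 random alphanumerics are worth about 333 bits, but the derived PSK is only 256 bits, so the effective cap is 256; and a four-word Diceware phrase is roughly 52 bits, which at the quoted rate is on the order of decades for a single card, not eons, which is why the words need to come from a large list and be chosen uniformly.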

    • @flintthuang 4 months ago +1

      How does the UE know the password after cron is executed?