The Wi-Fi Alliance’s research confirms a lot about wireless user behaviour that security experts have known about for some time. But the fact that wireless access point users are getting sloppy with their password length – eight characters is clearly no longer sufficient – makes a clear case for easy-to-use authentication.
Responding to research claiming to show that, whilst wireless users are now more aware of the need for security, many wireless networks are still insecure, SecurEnvoy says that easy-to-use authentication may be a low-cost solution the problem.
According to Steve Watts, co-founder of the tokenless two-factor authentication specialist, what is interesting about the research from the Wi-Fi Alliance is that 97 per cent of respondents believed that their data on wireless devices and networks is safe and secure.
“In fact, as recent developments in the field of password recovery software from the likes of Elcomsoft has shown, even a WPA2 password is crackable. Using the professional version of Elcomsoft’s Wireless Security Auditor software, for example, allows `password recovery’ to take place on a computer with up to 32 CPUs and 8 GPUs to crack WiFi encryption using a brute force attack,” he said.
“Review tests of Elcomsoft’s WSA software have shown the application can brute force crack as many as 103,000 WPA2 passwords per second – that’s more than six million passwords a minute – on an HD5390 graphics card-equipped PC. You don’t need to be a maths genius to work out the repercussions for a supposedly strong eight-character WPA2 wireless passphrase here,” he added.
Watts went on to say using longer WPA2 password on WiFi networks is now an absolute must for any company that takes its network security seriously. Other options – including two-factor authentication – should also be moved from the nice-to-have into the must-have security category, he noted.
The irony of the fact that many wireless users will be using a smartphone to access the Internet and/or company resources across a WiFi connection is also something that should not go unnoticed, he says, as users can also use their smartphone as an authentication device for the same session.
This, he explained, avoids the need to carry easily-mislaid hardware authentication devices around, whilst at the same time giving users a far higher degree of security than is available using wireless passwords and user IDs/passwords on their own.
In fact, says the SecurEnvoy co-founder, if the underlying wireless network can be compromised by hackers, then the user ID and password can be eavesdropped, along with entire communications sessions, regardless of whether it is email, general Internet surfing or corporate system plus folder interactions.
“The Wi-Fi Alliance’s research confirms a lot about wireless user behaviour that security experts have known about for some time. But the fact that wireless access point users are getting sloppy with their password length – eight characters is clearly no longer sufficient – makes a clear case for easy-to-use authentication,” he said.
“And if that authentication is tokenless, that makes the logon process a lot easier for the user, meaning that even if the underlying wireless connection is not entirely secure, the use of authentication and encrypted VPN technology can make the actual data transmissions far more secure. And that’s a must-have in today’s company information-rich environment,” he added.