Coding Horror: Open Wireless and the Illusion of SecurityThe implication is that other versions of WPA (WPA-2?) are less vulnerable. In practice, as Schneier would probably say, it comes down to the value of what you’re trying to protect vs. the cost of the attack. Security is not a binary thing, it’s a spectrum. Relative, not absolute.
… here are a few guidelines.
In the end, perhaps wireless security is more of a deterrent than anything else, another element of defense in depth. It's important to consider the underlying message Bruce was sending: if you've enabled WEP, or WPA with anything less than a truly random passphrase of 33 characters, you don't have security.
- WEP = Worthless Encryption Protocol
WEP, the original encryption protocol for wireless networks, is so fundamentally flawed and so deeply compromised it should arguably be removed from the firmware of every wireless router in the world. It's possible to crack WEP in under a minute on any vaguely modern laptop. If you choose WEP, you have effectively chosen to run an open wireless network. There's no difference.
- WPA requires a very strong password
The common "personal" (PSK) variant of WPA is quite vulnerable to brute force dictionary attacks. It only takes a trivial amount of wireless sniffing to obtain enough data to attack your WPA password offline -- which means an unlimited amount of computing power could potentially be marshaled against your password. While brute force attacks are still for dummies, most people are, statistically speaking, dummies. They rarely pick good passwords. If ever there was a time to take my advice on using long passphrases, this is it. Experts recommend you shoot for a 33 character passphrase.
You have the illusion of security.
I suspect a good 20 character random password would suffice for most of us.
Update: A comment includes a nice link to a web site that helps create memorable passphrases.