Correct, the password cracker does not get a hint of partial matches.
In the case you site though the first one might crack first because the tables are machine generated and BananaBanana comes first alphabetically.

PS. Don't use AfganistanBananaStand

So "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" should be pretty OK but "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" somewhat better?

prevents changing settings by an intruder over the wireless connection, good

someone who's going to brute-force your WPA2 password likely also will be able to find the MAC addresses in use by your wireless devices, and copy one. Having to manually add MACs is quite an additional hassle for each new component.

DON'T! This adds exactly 0 extra security

+ use a very long pass-phrase or preferably (if your devices support it) use a PKI for access (e.g. EAP-TLS).

If you can't secure the wireless connection, agreed.

As long as the modem admin interface isn't exposed to the WAN, you can set a very good wireless pass-phrase and prevent physical access (reset modem to defaults and/or plug in a cable into the modem), then it's not very important (imo).

oooooooooooooooooooooooiiiiiiiiiiiiiiiiiiiiiiiiiii cccccccccccccccccc

Lol. Define "somewhat"

Aren't there programs to steal the pass phrase if they can catch you while you are connecting your own device to the router?

PS Ours is four words: the names of two past pets and two words in Chinese pinyin. Has been for years.

@Tony that's your idea of easy to remember?
How about "+6ugg3r@ff!"

yes

When I did my Wifi security course at for work, they mentioned that overly offensive names for Access Points can lead to a challenge from a hacker.
Even if you don't have your access point visible, when your Laptop etc tries to connect, it 'announces' the AP name over the air. At this point, a 'handshake' occurs, that can be intercepted and decoded, even with WPA etc (Just longer to crack).
When connected, all is fine.

Which is why I use wired connection wherever possible.
You could also get a good Wireless router, that allows you to vary the strength of your signal, so that it doesn't reach outside your house/garden.
If you live in an apartment, you're buggered, get it wired.

The Linksys WRT54GL is a pretty good (linux) router, especially since it can be modded extensively with a reflash of the firmware.

In some places that could get you a visit from the Secret Police.

There are a few ways to make a password secure. If you don't have to enter a password over and over again, like a WPA2 shared key, you can just go wild with it. Create a 32 character jumble of absolute randomness using upper/lower characters, numbers, punctuation and special characters. Just store it securely somewhere for when it's needed.

As for password storage, I prefer to use a tool called KeePass (http://keepass.info/). KeePass uses a heavily encrypted database to store passwords. To get access you need a very strong password and a key file (optional). It's small and can be portable so you can run it off a thumb drive. If you're paranoid about having it on a thumb drive then use BitlockerToGo (Win7) or TrueCrypt to encrypt the flash drive itself.

As mentioned earlier, using punctuation and special characters makes a password harder to crack. Using a larger character set increases the complexity of the password exponentially.



And lastly, from the comic, using a long passphrase with random words in it increases the password strength.

Something to remember about brute forcing a password: the times you see quoted are estimates. The actual time can be significantly less or more, depending on how many guesses per second the hack can perform and random statistical luck (where your password shows up in their password database or password generator). With GPU acceleration common these days password cracking can take a matter of minutes to cover every permutation of a password 6 characters or less.

For the record, I've seen rainbow tables in the tens of GB's. Tables that large, with GPGPU acceleration, can crack passwords like you wouldn't believe.

I would have thought cracking with rainbow tables would be i/o bound.
And no computer shop should be without ophcrack.

You'd be amazed what sort of IO you can get these days.



On a more realistic scale:



Think about this. An enterprise SAN, like the Dell EQ PS6010XV, that runs $68k only gets 26000 IOPS. An OCZ RevoDrive X3 R2 can push 200,000 IOPS for $720 and 230,000 IOPS for $1700. While that's pricey it's doable on any sort of decent income.

Put a couple of those in a RAID 0, load up a nice rainbow table with a GPGPU accelerated password cracker and off you go. Chances are you'll be processor limited more than anything.

Although I understand this, the hacker won;t actually know whether I use all characters or not, would he? So my take is that as long as your security allows for a large characterset AND it is credible that most users use weird characters, then the hacker would have to go for that and lenght of the PW would be the real determinant of how long it would take. No?

Also, there is no reason to expire or change passwords because if they are cracked they are used right away.

Both points possibly have some truth to them, but not a "best practice".

I started leaving router passwords default and enabling admin by LAN only. Anyone who can physically access LAN/router is either trusted or if he has broken in, he can probably do more damage than reconfigure router.

Could someone crack your wifi password and take over your router and enter your LAN?
In other words, are wifi connections part of the local LAN after they are established?

On my Sitecom WL router (pw = Harry!Baals?Mike¥Hunt), once your in through Wifi you can do anything.