Wi-Fi technology (IEEE 802.11) was introduced in 1997. With the increasing use and deployment of such networks, their security has also attracted considerable attention. Current Wi-Fi networks use WPA2 (Wi-Fi Protected Access 2) for security (authentication and encryption) between access points and clients. According to the IEEE 802.11i-2004 standard, wireless networks secured with WPA2-PSK (Pre-Shared Key) are required to be protected with a passphrase of 8 to 63 ASCII characters. However, a poorly chosen passphrase significantly reduces the effectiveness of both WPA2 and WPA3-Personal Transition Mode. The objective of this paper is to empirically evaluate password choices in the wild and to assess weaknesses in current common practices. We collected a total of 3,352 password hashes from Wi-Fi access points and determined the passphrases that were protecting them. We then analyzed these passwords to investigate the impact of users' behavior and preference for convenience on passphrase strength in secured private Wi-Fi networks in Singapore. We characterized the predictability of passphrases that use the minimum required length of 8 numeric or alphanumeric characters, and/or symbols stipulated in wireless security standards, and the usage of default passwords, and found that 16 percent of the passwords show such behavior. Our results also indicate the prevalence of the use of default passwords by hardware manufacturers. We correlate our results with our findings and recommend methods that will improve the overall security and future of our Wi-Fi networks.
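The following audit sketch is an added example, not code from the paper: it checks a candidate passphrase against the 8 to 63 ASCII character requirement and flags the minimum-length, digits-only and alphanumeric-only patterns the abstract describes. The function names and sample passphrases are constructed, "ASCII" is assumed to mean printable codes 32 to 126, and the bit estimate is an upper bound that holds only for uniformly random characters.

```python
import math
import string

MIN_LEN, MAX_LEN = 8, 63  # passphrase length bounds stated in the abstract


def audit_passphrase(pw):
    """Classify one WPA2-PSK passphrase for a defensive configuration audit."""
    # Assumption: "ASCII characters" means printable ASCII, codes 32..126.
    printable = all(32 <= ord(c) <= 126 for c in pw)
    if not (MIN_LEN <= len(pw) <= MAX_LEN and printable):
        return {"valid": False, "charset": 0, "bits": 0.0, "flags": ["invalid"]}

    # Smallest alphabet that covers every character actually used.
    charset = 0
    if any(c in string.digits for c in pw):
        charset += 10
    if any(c in string.ascii_lowercase for c in pw):
        charset += 26
    if any(c in string.ascii_uppercase for c in pw):
        charset += 26
    if any(not c.isalnum() for c in pw):
        charset += 33  # space plus the 32 printable punctuation characters

    flags = []
    if len(pw) == MIN_LEN:
        flags.append("minimum-length")
    if pw.isdigit():
        flags.append("digits-only")
    elif pw.isalnum():
        flags.append("alphanumeric-only")

    # Upper bound: human-chosen passphrases are far more predictable.
    bits = len(pw) * math.log2(charset)
    return {"valid": True, "charset": charset, "bits": bits, "flags": flags}


def minimum_length_share(passphrases):
    """Fraction of audited passphrases that sit exactly at the 8-character floor."""
    hits = sum("minimum-length" in audit_passphrase(p)["flags"] for p in passphrases)
    return hits / len(passphrases)


# Constructed sample passphrases for illustration, not data from the study.
SAMPLES = ["12345678", "home2024wifi", "abcd1234", "correct horse battery staple!"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, audit_passphrase(p))
    print("minimum-length share:", minimum_length_share(SAMPLES))
```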