Not true at all. It makes it more difficult and time-consuming, and will protect you from people trying to guess the password who connect to your router, manually brute forcing....
But it's easy to capture the EAPOL packets using tools such as aircrack-ng suite. At that point you just run aircrack-ng against that capture file with a wordlist. You don't even have to be near the router once the handshake is captured while it is cracking as it's all done at this point without having to attempt to authenticate with the router.
It's time consuming, and resource consuming, but is not out of the realm of possibility. If your password is n characters long, and the person has a wordlist of all combinations of characters up to your password length or greater, it can be cracked. It may take months or years, depending on the machine(s) used to crack it, but it still is possible. If you have access to a botnet and can distribute the work it makes it faster, as well as using GPUs.
So in conjunction with a complex WiFi password, changing it regularly also improves security. Changing your passwords regularly is just security basics 101.
A password in line with the recommendations in the Wireless Overview wiki would be impossible to crack in a human lifetime:
Since I'm not sure on the exact number of symbols that can be utilized, let's use 18. With case sensitive, alphanumeric, this would equate to 80 possible characters that can be utilized.
(17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 = x
17*10^-6 = 0.0017ms
Approximately how long it takes an 8C 2.8GHz CPU to process SHA512 hashes
I don't believe wifi passwords use SHA512 for hashing, but I do believe they use SHA256
80^16 = 2.81474976710656e+30
80: amount of alphanumeric characters
26 lowercase
26 uppercase
10 numbers
18 symbols
16: Amount of characters in the password
(17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 = 758,668,601,611,040,100 yrs per PC
This assumes password will be cracked when half of the possible passwords are checked, hence division of two
Even with SHA256 hashing, it would still be fundamentally, literally, impossible to brute force a password in line with the recommendations, hence why I added the recommendations.
It would take a botnet comprised of 12M supercomputers utilizing GPUs for calculation 4,214 YEARS to crack SHA512.
I don't have the time at the moment to calculate SHA256 hashing times, but we'll provide an improbable speed up of 75%, of which it would still take 1,053 YEARS.
In cryptography it's always accepted that brute force is an option theoretically, therefore Literally ALL of security is built on making brute force take impossibly long; that's the modern definition of security. So if the largest conceivable botnet would take 1000 years to crack a device with a 10 year lifetime, it's by the modern definition secure.
I'm not going to take the time to read every post, so some of this has probably already been covered.
The 'Bad guys' that know what they are doing are probably not going to 'brute force' a wifi account, and what I mean by brute force is password guessing. Unless they know the user uses weak passwords they won't waste time. Wifi's weakness is in the key and hash exchange during authentication. If the 'bad guy' can force a re-authentication of clients and steal the hash, then they will begin using rainbow tables to match 2 hashes. << Much faster than password guessing.
CCMP-AES Encryption < No publicly known weakness. Recommended.
WPA2 < There are weaknesses here and are commonly attacked. Recommended over WPA or earlier.
PSK < recommended password length is equal to or greater than 20. Recommended against APTs!
MAC Filtering < Recommended. Always take a layered approach to security. Though this hurdle can be passed, it does add difficulty. Recommended
About password length.. People have rainbow tables Terabytes in size of pre-computed password hashes of all possible combinations but limited length. Though shorter passwords are probably going to be safe, it isn't likely going to stop an APT. As state sponsored hacking continues to grow, many of these APT techniques are filtered down over time. I recommend staying ahead of the curve and just making it 20 characters or more. Make your password an "out of the blue" phrase you can remember, and then sprinkle in an Upper Case or special Character.
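Added example, not part of any post in this thread: under IEEE 802.11i, WPA2-Personal derives its 256-bit key from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), so a precomputed table is only valid for one SSID and every guess costs thousands of hash operations. The sketch below derives the key, shows the SSID dependence, and redoes the keyspace estimate from the thread; the function names, SSIDs and sample passphrase are constructed for illustration.

```python
import hashlib
import time

SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal pairwise master key (PMK)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def measure_seconds_per_guess(samples: int = 20) -> float:
    """Time one PMK derivation on this machine (single CPU core)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"constructed-sample-{i:04d}", "ExampleSSID")
    return (time.perf_counter() - start) / samples


def average_years_to_exhaust(alphabet: int, length: int,
                             seconds_per_guess: float) -> float:
    """Expected time to search half of alphabet**length candidates."""
    return alphabet ** length / 2 * seconds_per_guess / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Same passphrase, two constructed SSIDs: the derived keys differ,
    # so a table precomputed for one network name is useless for another.
    a = wpa2_pmk("correct horse battery", "HomeNet-A")
    b = wpa2_pmk("correct horse battery", "HomeNet-B")
    print("PMK differs per SSID:", a != b)

    # The thread's figures: 80 symbols, 16 characters, 17 microseconds/guess.
    print(f"thread estimate: {average_years_to_exhaust(80, 16, 17e-6):.3e} years")

    # The same keyspace at this machine's measured PBKDF2 cost, and a
    # short lowercase-only passphrase for contrast.
    cost = measure_seconds_per_guess()
    print(f"measured cost per guess: {cost * 1e3:.2f} ms")
    print(f"16 chars / 80 symbols: {average_years_to_exhaust(80, 16, cost):.3e} years")
    print(f" 8 chars / 26 symbols: {average_years_to_exhaust(26, 8, cost):.3e} years")
```

The measured figure is for one CPU core; GPU rigs run many derivations in parallel, which is why the length and alphabet of the passphrase dominate the result rather than the per-guess cost.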
I'd still consider all 802.11 wireless as insecure. That doesn't mean to ignore security, on the contrary, do all that you reasonably can to improve it by good choices and practices. It not only means that you may have someone on your wireless network that is "unexpected" and potentially hostile, but also that you should not trust 802.11 encryption for anything of value.
While CCMP / AES "forced" encryption is the recommended choice for most security-aware home use, it might be better to state
(Strike-out mine)
There are plenty of vulnerabilities and weaknesses that have been known for years or decades. Some have been patched, some not. Of some patched, who knows on a specific device, client or AP.
That way we aren't potentially suggesting to someone that wireless is "secure", or even as secure as PCI-compliance requires, or TLS with forward-secrecy.
I've got a similar issue but it seems that this is because of my WiFi configuration. Both my 802.11 AC and N wifi networks have a similar name, and MAC address filter is enabled for both networks, so AC clients can connect only to the AC wifi network and the same for the N clients. Though strangely I have had this configuration for years but never seen these messages before. I can see my clients trying to connect to the opposite network and also I can see a lot of unknown MAC addresses trying to connect to my networks.
Hi. Sorry for bringing up an old topic, but has anyone found a solution to the log over-spamming problem? I get these annoying messages even at log level 2. The log looks ugly and big. I'd like to stop receiving only those particular "daemon.notice hostapd: Station xx:xx:xx:xx:xx:xx not allowed to authenticate" messages.