A Tale of Two Passwords

By Joseph Moran

March 05, 2008

Learn the secrets to savvy password creation.

There's no two ways about it—passwords can be a pain in the...well, you know. Most people would avoid dealing with them if they could and thus engage in some bad password habits, like creating overly simplistic passwords (plus using the same password for everything) and failing to change default passwords.

On your broadband router, there are two passwords in particular, that when set improperly, can leave your network vulnerable.

Router Administration Password
This is a password that's commonly overlooked. Given that people may seldom need to access the router's settings beyond an initial configuration, many either inadvertently or intentionally leave the password at its factory default value, which is usually the manufacturer's name, "password," "1234" or sometimes even no password at all.

A router's admin password provides access to critical settings that govern both your Internet connection and personal wired and/or wireless network, and leaving it unchanged can leave you vulnerable to a specific kind of attack known as drive-by pharming.

Last year, some security researchers effectively invented and documented this kind of attack. In a nutshell, code embedded in a Web page or e-mail message is used to remotely log into a router using a known default password. (The default password for almost any brand and model of router is easily looked up online. See for yourself at www.routerpasswords.com, which is just one site among many.)

In drive-by pharming, once granted access to the router, an attacker can then configure it to use the attacker's own DNS servers — not unlike how we configured a router to use OpenDNS a few weeks back — and from there exercise total control over which sites the user is taken to. (For a narrated animation describing how a drive-by pharming attack works, check out www.symantec.com/enterprise/security_response/weblog/upload/2007/02/db-pharming.html.)

What was once a theoretical risk has (perhaps inevitably) become a very real one. According to Symantec security researcher Zulfikar Ramzan—one of the researchers who originally discovered and documented the attack— drive-by pharming has now just been spotted "in the wild", which means it's actually been done in the real world as opposed to just in a computer lab. It was in Mexico, to be specific, where it was used to redirect folks using a specific router to a faux Web site posing as that of a major bank. (Read a detailed description on Ramzan's blog.)

Long story short, if you're one of those that forgot to change your router's password or didn't think you needed to, now is an excellent time to log you're your router and correct that mistake. If you don't know your router's default password offhand, you'll very likely find it on the site mentioned above.

WPA Password
Another router-based password that you'll want to take a close look at is the one you use to WPA-encrypt your wireless network. Those in the know wisely choose WPA over WEP because of the superior security it can provide, but this isn't automatic— the password you create will directly affect the level of protection you receive.

Case in point: a WPA password can be as short as 8 characters or as long as 63, but as with all passwords, there's a tendency to use the shortest and easiest to remember WPA password possible. People commonly set up WPA passwords that are dictionary words or proper names of family members or pets, because it must be typed into every device on their wireless networks.

One of the reasons WEP is so weak is because it uses a static encryption key which can eventually be decoded if you monitor the network long enough—often for just hours or minutes. WPA is better because it uses the password you specify to generate a constantly-changing series of encryption keys. But all those keys are still derived from that single WPA password (also known as the Pre-Shared Key, or PSK), so a longer and more complex password will produce keys that are stronger and harder to decode. Put another way, a lengthy WPA password made up of random characters is far preferable to something like "samandmary".

If you're using such a short-and-simple WPA key, it's highly advisable that you change it. Don't despair about having come up with a long complicated password, though, because there are Web sites that can help. You can head over to www.passpub.com/wpa256.php to grab an instant 52 character key, or generate a custom-length password at www.kurtm.net/wpa-pskgen/. (The former site sends your key over an SSL-encrypted connection, while the latter generates it directly on your computer, so there's no danger of eavesdropping.)

And yes, you will have the inconvenience of entering your newly long and cumbersome key at each of your wireless computers. But you'll only have to do it once, and it's a small price to pay for better security. These days, you can't be too careful.

Story courtesy of PracticallyNetworked. Joe Moran is a regular contributor to PracticallyNetworked.

To learn more about WPA, read "The Wi-FiPlanet Guide to WPA."

Originally published on .

Comment and Contribute
(Maximum characters: 1200). You have
characters left.