Secure authentication with only a password

By Dan Harkins, Scientist
Share Post

Cloud services are now being used to crack passwords used in WPA2-PSK. One researcher used the Amazon cloud to check over 400,000 passwords per second at a cost of less than a penny. He claims he can find passwords for less than $2.

If "use a stronger password!" is your response, then you're not thinking about Moore's Law. These sorts of attacks are going to be getting faster and cheaper and your ability to remember a password, and repeately enter it with a low probability of error, starts to degrade after about 20 characters. It's a losing battle!

What should I do, you ask? Good question. The answer is to not use protocols that are susceptible to dictionary attack.

A dictionary attack is one in which the attacker is able to run through a set of potential passwords and be able to realize it when he finds the right one. The set of passwords isn't necessarily a dictionary, potential passwords can have numbers and special characters (for example, "passw*rd" is unfortunately a very popular password, so is "abc123"). The idea is that the attacker has everything he needs, except the right password, to compute a password verifier and he has the information to know when that verifier is correct. All he needs is a giant database of a few million potential passwords, and those can be easily found on the Internet. When a protocol is resistant to attack it means an attacker cannot observe an attack and then go offline searching for the right password (as is done with WPA2-PSK).

Aruba has developed a protocol called dragonfly that is resistant to dictionary attack. This protocol has been added to the 802.11 standard in the form of SAE (Simultaneous Authentication of Equals). It's also been incorporated into an EAP method as defined in RFC 5931 ( as EAP-pwd.

The implications of this are profound. Passwords used for access can be shorter and easy to remember without a considerable loss of security (repeated, active, guessing attacks are still possible against dragonfly but those are easily detected and countermeasures can deal effectively with them). As a drop-in replacement for WPA2-PSK, SAE will make small office and home networks secure. As an EAP method, EAP-pwd will provide enterprise (and guest access) security using simpler passwords without the need for server-side certificates.

Coming soon to an Aruba network near you: secure authentication with only a password.