Is WPA-TKIP secure?

MKR

I can't get a straightforward answer with any amount of googling.

Essee

Basically, regular WPA is fairly secure (I don't know whether people are cracking it right now or not). WPA2, if available, is the most security you can put on right now (aside from enabling stuff like MAC address filtering and other security measures on top of that). WEP security, from what I've read, is just sort of laughable by now because there are so many tools to bypass it at this point.

So yeah, your answer is basically "kinda". If you want max security, use WPA2 if your devices support it (some slightly older devices don't). Otherwise, you won't have max security, but it's better than WEP and waaaayyy better than nothing at all.

MKR

What do you mean by regular WPA? There's AES and TKIP.

I can't use better than WPA-TKIP on this network without some serious rejiggering.

matt has a problem

WPA is fine for your average home router. It is crackable, but it takes time, and no one is going to take the time to crack a WPA password just to piggyback some free wifi. WPA-2 is what you should be using in any kind of corporate environment.

bowen

WPA will be fine assuming you're not the target of active hacking. You'd need to have a metric butt-ton of activity in order to crack it. One or two laptops on the network won't be reliable enough.

Essee

Ahhh, you're asking which to use? You should've specified that you wanted to know between TKIP and AES, that would've been more clear. Yeah, I believe TKIP is the better choice. I think WPA2 is supposed to only use TKIP with its keys (IIRC), so I'm guessing they think TKIP is the better system.

MKR

There's a swarm of WPAd routers around here.

MKR

Essee wrote:

Ahhh, you're asking which to use? You should've specified that you wanted to know between TKIP and AES, that would've been more clear. Yeah, I believe TKIP is the better choice. I think WPA2 is supposed to only use TKIP with its keys (IIRC), so I'm guessing they think TKIP is the better system.

Is WPA-TKIP secure?

It's in the title. :P

Thanks.

edit: I am probably misreading something

Essee

Yeah, but as you can see, several people (not just me) thought you were just asking about WPA in general because you didn't specify. :P

bowen

TKIP is indeed the better of the two.

MKR

For some reason I was thinking AES was better. Probably because I've heard the acronym more.

You guys are way better than Google.

Djeet

If all your devices support AES then use that as it is stronger*, but some legacy (or lesser) devices can only do TKIP since that can be implemented in software*. Your wireless AP may have a TKIP-and-AES mode which permits both methods to be negotiated.


*Edit: Or I should say TKIP requires less processing overhead to implement in software than AES.

BoomShake

Read This

tl;dr

To keep things simple, the best options, in decreasing order of preference, may be:
WPA2 + AES
WPA + AES (only if all devices support it).
WPA + TKIP+AES (only if all devices can support it).
WPA + TKIP
Disabled (no security)

Essee wrote:

(aside from enabling stuff like MAC address filtering and other security measures on top of that)

Don't bother with MAC address filtering. It is stupid easy to clone a MAC address, and thus only provides a false sense of increased security.

MKR

So the takeaway is that the worst-case option of WPA+TKIP is fine as long as I don't become a high ranking official in a corporation or government?

Magus`

You'll be fine. It's unlikely someone is gonna put that much effort into getting into your stuff.

DoctorArch

Any opinion on making a wireless network invisible on top of WPA protection? I've always done it as sort of a legacy thing, and I wonder if it is really even necessary or even useful to do so anymore.

Essee

BoomShake wrote:

Essee wrote:

(aside from enabling stuff like MAC address filtering and other security measures on top of that)

Don't bother with MAC address filtering. It is stupid easy to clone a MAC address, and thus only provides a false sense of increased security.

I know it's easy enough to circumvent and all, but at the very least it does make it slightly more annoying if someone wants to get in. It's just an extra layer on top of things, which makes it slightly more difficult to piggyback on the network (like hiding your SSID, which is similarly easy to bypass as best I recall). Your average person will just go with the connection that it's easiest to get into, at any rate. If they're really lucky, someone left their router unsecured. If they're fairly lucky, someone just secured their stuff with WEP and didn't put anything else they need to deal with on it, and they have the tool to deal with this. If they have a couple more hoops to jump through with someone's connection, they might just not bother and move onto someone else nearby, that's my theory. But I suppose once you get to the point that you're actually using WPA/WPA2, you're not really a prime target, anyway, because plenty of people are less secure than that.

BoomShake

Essee wrote:

BoomShake wrote:

Essee wrote:

(aside from enabling stuff like MAC address filtering and other security measures on top of that)

Don't bother with MAC address filtering. It is stupid easy to clone a MAC address, and thus only provides a false sense of increased security.

I know it's easy enough to circumvent and all, but at the very least it does make it slightly more annoying if someone wants to get in. It's just an extra layer on top of things, which makes it slightly more difficult to piggyback on the network (like hiding your SSID, which is similarly easy to bypass as best I recall). Your average person will just go with the connection that it's easiest to get into, at any rate. If they're really lucky, someone left their router unsecured. If they're fairly lucky, someone just secured their stuff with WEP and didn't put anything else they need to deal with on it, and they have the tool to deal with this. If they have a couple more hoops to jump through with someone's connection, they might just not bother and move onto someone else nearby, that's my theory. But I suppose once you get to the point that you're actually using WPA/WPA2, you're not really a prime target, anyway, because plenty of people are less secure than that.

That's like saying, "You might as well put a few twigs in front of your dead-bolted door for an added hoop". At best it's worthless, at worst it's an annoyance to the rightful owner. If someone has the two braincells it takes to get a WEP cracking tool or network sniffer, getting past the MAC filter is less than trivial. The ONLY person that it would stop is the guy who's only going to connect to the completely unprotected network, whom we've already eliminated by using WPA.

Additionally, having your access point hide its SSID is one of the worst pieces of "advice" that's been perpetuated through the years. It does nothing positive, only increasing the potential for new problems and decreasing security.

@MKR
If WPA-TKIP is as high as your network (and all included client devices) can handle, then that's all you can do now. It's not the most secure, but it's better than WEP or nothing. Don't screw about with MAC filtering, SSID hiding, or any of that.
The likelihood of an attacker targeting your network is low, though still a possibility even for a "regular" person like you; some people get their kicks from just snooping around private networks, so don't become complacent. I would also suggest that you consider security capabilities as a factor when you upgrade any of your devices, and try to bring your network up to date over time. There's really nothing else to be said on the situation.

MKR

So after a little inquisition I learned that the one device causing this headache never connects to the Internet anyway. So now I'm on WPA2-TKIP+AES and feeling a lot safer.

BoomShake

Can you get it to do WPA2 AES alone? If your network supports it, do that.

Using the AES+TKIP is basically backwards compatibility mode; it will try to do WPA2 AES, and fall back to WPA TKIP. It isn't always obvious what ends up being used depending on the hardware involved. Just something to keep in mind that your network may not be as secure as you think.

MKR

BoomShake wrote:

Can you get it to do WPA2 AES alone? If your network supports it, do that.

Using the AES+TKIP is basically backwards compatibility mode; it will try to do WPA2 AES, and fall back to WPA TKIP. It isn't always obvious what ends up being used depending on the hardware involved. Just something to keep in mind that your network may not be as secure as you think.

Done

Thanks. :rotate: