As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/

Is WPA-TKIP secure?

MKRMKR Registered User regular
edited September 2011 in Help / Advice Forum
I can't get a straightforward answer with any amount of googling.

MKR on

Posts

  • EsseeEssee The pinkest of hair. Victoria, BCRegistered User regular
    edited September 2011
    Basically, regular WPA is fairly secure (I don't know whether people are cracking it right now or not). WPA2, if available, is the most security you can put on right now (aside from enabling stuff like MAC address filtering and other security measures on top of that). WEP security, from what I've read, is just sort of laughable by now because there are so many tools to bypass it at this point.

    So yeah, your answer is basically "kinda". If you want max security, use WPA2 if your devices support it (some slightly older devices don't). Otherwise, you won't have max security, but it's better than WEP and waaaayyy better than nothing at all.

    Essee on
  • MKRMKR Registered User regular
    What do you mean by regular WPA? There's AES and TKIP. D:

    I can't use better than WPA-TKIP on this network without some serious rejiggering.

  • matt has a problemmatt has a problem Points to 'off' Points to 'on'Registered User regular
    WPA is fine for your average home router. It is crackable, but it takes time, and no one is going to take the time to crack a WPA password just to piggyback some free wifi. WPA-2 is what you should be using in any kind of corporate environment.

    nibXTE7.png
  • bowenbowen How you doin'? Registered User regular
    WPA will be fine assuming you're not the target of active hacking. You'd need to have a metric butt-ton of activity in order to crack it. One or two laptops on the network won't be reliable enough.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • EsseeEssee The pinkest of hair. Victoria, BCRegistered User regular
    Ahhh, you're asking which to use? You should've specified that you wanted to know between TKIP and AES, that would've been more clear. Yeah, I believe TKIP is the better choice. I think WPA2 is supposed to only use TKIP with its keys (IIRC), so I'm guessing they think TKIP is the better system.

  • MKRMKR Registered User regular
    There's a swarm of WPAd routers around here.

  • MKRMKR Registered User regular
    edited September 2011
    Essee wrote:
    Ahhh, you're asking which to use? You should've specified that you wanted to know between TKIP and AES, that would've been more clear. Yeah, I believe TKIP is the better choice. I think WPA2 is supposed to only use TKIP with its keys (IIRC), so I'm guessing they think TKIP is the better system.
    Is WPA-TKIP secure?

    It's in the title. :P

    Thanks.

    edit: I am probably misreading something

    MKR on
  • EsseeEssee The pinkest of hair. Victoria, BCRegistered User regular
    Yeah, but as you can see, several people (not just me) thought you were just asking about WPA in general because you didn't specify. :P

  • bowenbowen How you doin'? Registered User regular
    TKIP is indeed the better of the two.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • MKRMKR Registered User regular
    For some reason I was thinking AES was better. Probably because I've heard the acronym more.

    You guys are way better than Google.

  • DjeetDjeet Registered User regular
    edited September 2011
    If all your devices support AES then use that as it is stronger*, but some legacy (or lesser) devices can only do TKIP since that can be implemented in software*. Your wireless AP may have a TKIP-and-AES mode which permits both methods to be negotiated.


    *Edit: Or I should say TKIP requires less processing overhead to implement in software than AES.

    Djeet on
  • BoomShakeBoomShake The Engineer Columbia, MDRegistered User regular
    edited September 2011
    Read This

    tl;dr
    To keep things simple, the best options, in decreasing order of preference, may be:
    WPA2 + AES
    WPA + AES (only if all devices support it).
    WPA + TKIP+AES (only if all devices can support it).
    WPA + TKIP
    Disabled (no security)

    Essee wrote:
    (aside from enabling stuff like MAC address filtering and other security measures on top of that)

    Don't bother with MAC address filtering. It is stupid easy to clone a MAC address, and thus only provides a false sense of increased security.

    BoomShake on
  • MKRMKR Registered User regular
    edited September 2011
    So the takeaway is that the worst-case option of WPA+TKIP is fine as long as I don't become a high ranking official in a corporation or government?

    MKR on
  • Magus`Magus` The fun has been DOUBLED! Registered User regular
    You'll be fine. It's unlikely someone is gonna put that much effort into getting into your stuff.

  • DoctorArchDoctorArch Curmudgeon Registered User regular
    Any opinion on making a wireless network invisible on top of WPA protection? I've always done it as sort of a legacy thing, and I wonder if it is really even necessary or even useful to do so anymore.

    Switch Friend Code: SW-6732-9515-9697
  • EsseeEssee The pinkest of hair. Victoria, BCRegistered User regular
    BoomShake wrote:
    Essee wrote:
    (aside from enabling stuff like MAC address filtering and other security measures on top of that)

    Don't bother with MAC address filtering. It is stupid easy to clone a MAC address, and thus only provides a false sense of increased security.

    I know it's easy enough to circumvent and all, but at the very least it does make it slightly more annoying if someone wants to get in. It's just an extra layer on top of things, which makes it slightly more difficult to piggyback on the network (like hiding your SSID, which is similarly easy to bypass as best I recall). Your average person will just go with the connection that it's easiest to get into, at any rate. If they're really lucky, someone left their router unsecured. If they're fairly lucky, someone just secured their stuff with WEP and didn't put anything else they need to deal with on it, and they have the tool to deal with this. If they have a couple more hoops to jump through with someone's connection, they might just not bother and move onto someone else nearby, that's my theory. But I suppose once you get to the point that you're actually using WPA/WPA2, you're not really a prime target, anyway, because plenty of people are less secure than that.

  • BoomShakeBoomShake The Engineer Columbia, MDRegistered User regular
    Essee wrote:
    BoomShake wrote:
    Essee wrote:
    (aside from enabling stuff like MAC address filtering and other security measures on top of that)

    Don't bother with MAC address filtering. It is stupid easy to clone a MAC address, and thus only provides a false sense of increased security.

    I know it's easy enough to circumvent and all, but at the very least it does make it slightly more annoying if someone wants to get in. It's just an extra layer on top of things, which makes it slightly more difficult to piggyback on the network (like hiding your SSID, which is similarly easy to bypass as best I recall). Your average person will just go with the connection that it's easiest to get into, at any rate. If they're really lucky, someone left their router unsecured. If they're fairly lucky, someone just secured their stuff with WEP and didn't put anything else they need to deal with on it, and they have the tool to deal with this. If they have a couple more hoops to jump through with someone's connection, they might just not bother and move onto someone else nearby, that's my theory. But I suppose once you get to the point that you're actually using WPA/WPA2, you're not really a prime target, anyway, because plenty of people are less secure than that.

    That's like saying, "You might as well put a few twigs in front of your dead-bolted door for an added hoop". At best it's worthless, at worst it's an annoyance to the rightful owner. If someone has the two braincells it takes to get a WEP cracking tool or network sniffer, getting past the MAC filter is less than trivial. The ONLY person that it would stop is the guy who's only going to connect to the completely unprotected network, whom we've already eliminated by using WPA.

    Additionally, having your access point hide its SSID is one of the worst pieces of "advice" that's been perpetuated through the years. It does nothing positive, only increasing the potential for new problems and decreasing security.

    @MKR
    If WPA-TKIP is as high as your network (and all included client devices) can handle, then that's all you can do now. It's not the most secure, but it's better than WEP or nothing. Don't screw about with MAC filtering, SSID hiding, or any of that.
    The likelihood of an attacker targeting your network is low, though still a possibility even for a "regular" person like you; some people get their kicks from just snooping around private networks, so don't become complacent. I would also suggest that you consider security capabilities as a factor when you upgrade any of your devices, and try to bring your network up to date over time. There's really nothing else to be said on the situation.

  • MKRMKR Registered User regular
    So after a little inquisition I learned that the one device causing this headache never connects to the Internet anyway. So now I'm on WPA2-TKIP+AES and feeling a lot safer.

  • BoomShakeBoomShake The Engineer Columbia, MDRegistered User regular
    edited October 2011
    Can you get it to do WPA2 AES alone? If your network supports it, do that.

    Using the AES+TKIP is basically backwards compatibility mode; it will try to do WPA2 AES, and fall back to WPA TKIP. It isn't always obvious what ends up being used depending on the hardware involved. Just something to keep in mind that your network may not be as secure as you think.

    BoomShake on
  • MKRMKR Registered User regular
    BoomShake wrote:
    Can you get it to do WPA2 AES alone? If your network supports it, do that.

    Using the AES+TKIP is basically backwards compatibility mode; it will try to do WPA2 AES, and fall back to WPA TKIP. It isn't always obvious what ends up being used depending on the hardware involved. Just something to keep in mind that your network may not be as secure as you think.

    Done

    Thanks. :rotate:

Sign In or Register to comment.