How Secure is YOUR WiFi Network?

  • Published: 27 Nov 2024

Comments •

  • @kylereed3577 10 months ago +26

    Thanks! You continually inform an old guy who thought he knew everything. This is going to help with an upcoming project and my home network.

  • @lis6502 10 months ago +23

    Oh, one more thing: thanks for making "OG youtube content" in 2024, full of passion and actual content over intros, background music, sketchy VPNs and PCBWay segues all over the place. I was considering RADIUS for some time, now I know that this is the way to go, and thanks to your other videos I have a good base for implementation.
    Not to mention that after the Milk-V video I've ordered 10 pieces with IOB boards just to tinker and totally loved the open CPU concept!

    • @apalrdsadventures 10 months ago +4

      Glad you like it! VPNs have definitely taken over meaningful discussion on security.

  • @robertopontone 10 months ago +19

    Your knowledge of details is impressive 😮 and you always manage to pick interesting topics which I cannot find on other channels. Thanks 👍

  • @supremebeme 10 months ago +12

    man this content is absolute gold. ty sir

    • @apalrdsadventures 10 months ago +1

      no prob thanks

    • @valentinzeller8439 6 months ago

      @apalrdsadventures I wanted to state something along the lines of the original commenter. But I see it's taken care of already. Keep at it ;-)

  • @nicolaslavinicki4029 10 months ago +2

    You are the Best, man! You are really making a difference in the world! I wish you much success!

  • @ttoni-youtube 10 months ago +1

    Thanks for the great information you presented! I never knew passwords are so easy to brute force, even combined ones! It opened my eyes, I will definitely change to WPA3 and put stronger passwords on my wifi networks.

    • @apalrdsadventures 10 months ago +1

      Glad it helped! It's only really possible to brute force when you can extract the hash and do it offline, which isn't possible in all protocols.

  • @nhofonef 10 months ago +12

    I got EAP-TLS running with freeRADIUS a while back. Works great for computers, not so great for IoT and embedded devices unfortunately, so I still need to keep a PSK network around for them.
    Hard agree on disabling legacy Wi-Fi modes as well. I keep 802.11n as a minimum (and it's 15 years old already).

    • @apalrdsadventures 10 months ago +5

      By legacy I meant 802.11b/g, not 802.11n. Especially on 2.4 GHz.

    • @nhofonef 10 months ago +3

      Yep I think we're on the same page :)

  • @AnniMM-lp4tk 5 months ago

    I love this, it's such a measured and practical take on WiFi setup; navigating the realities of device protocol support and cryptography techniques and what they mean for people's day-to-day network privacy at large.

  • @codydietrich4246 8 months ago +1

    Thanks for taking the time to explain it in detail!

  • @break1146 10 months ago +3

    This prompted me to change all the devices I manage to WPA3 (well I did a few, it's evening I'll continue tomorrow lmao), with transition mode enabled unfortunately because I also don't fancy breaking shit out on sea and there is a decent possibility there are still some legacy but mission critical devices out there. However, with this I don't think the fallout will be too high and we'll deal with it if it comes :).
    There are also a lot of shitty passwords still out there, some from me and most of the worst ones not from me. Sadly changing passwords from under people's noses isn't much appreciated.
    This was a great video just giving an overview about it. Quite needed for me as well. Thanks!

    • @apalrdsadventures 10 months ago +3

      Glad it's working well for you on WPA3! A really good WPA2 password can be as secure as WPA3 passwords, but it's a lot easier for it to not be very good. WPA3 is still vulnerable to password sharing by humans of course.

    • @break1146 10 months ago +1

      @apalrdsadventures The forward security thing is nice though. These vessels go everywhere so it's more of a just in case. The password sharing aspect isn't going away anytime soon for me. Many passwords are literally the SSID, with some capital letters, etc. It's going on my list of things to make a case about. I'm basically doing most of the IT alone for hundreds of vessels and they're all different owners/management and a whole backlog of setups that desperately need an overhaul, and geostationary VSAT connections are making this a funny business. If the weather is particularly bad it can take half an hour (of trying) to change a single setting on a GUI, and when the device only has a GUI...
      I've basically been on a hardening and encryption rampage ever since I started working here and gained some footing. (also to the annoyance of some people but I'll fight them lol)
      Your videos are very useful also for the plans I have for my home lab, I'm collecting hardware here and there for either free or a good price. Thanks!

  • @HarrySManback 10 months ago

    Dude, you're killing it. Much respect.

  • @BertPdeboy 10 months ago

    Really good work balancing the amount and depth of information! As a generalist I learned some new things.
    Your demonstration of hashcat is very clear; people of every skill level could follow it. It's required-learning-material level 👍

  • @neilfairbairn3775 7 months ago +1

    As well as a strong password, I use MAC Address Filtering, reserving each of my internal IP addresses to a device's MAC Address, and limit the number of IP Addresses to the number of devices I own. I do have a guest network running for friends and other family members that are not in my household. There are also several firewalls to segregate my network into gaming, entertainment and work.

  • @eschofield1 10 months ago +3

    Could you do a setup video on WPA Enterprise TLS? Would be interesting to see your take on how it would be configured.

    • @apalrdsadventures 10 months ago +2

      I'm working on that one

    • @joshs2022 10 months ago +1

      Also interested in a WPA Enterprise TLS video

  • @mtnsolutions 10 months ago

    Just set up WPA3 Enterprise with my UniFi U6 Pro and a self-hosted controller/third-party gateway. I do hide the SSID for my IoT stuff because they're not mobile. Very cool talk. I would love to see a demo of standing up a high-availability RADIUS server with the TLS certificate you mentioned. Keep up the great work. Oh, btw, I also wish UniFi would dedicate a bit more of their talent to supporting IPv6.

  • @jvannoyx4 10 months ago +1

    @apalrdsadventures thank you for the great content. Always enjoy seeing your videos in my feed. I would like your insight on a Network Access Control (NAC) such as Packetfence NAC and how that can be used to secure a larger wifi environment. Thanks again.

  • @VizionHUN 7 months ago

    OMG, very informative video again. If a very good encryption method was available since the '70s, why did ppl develop something not-so-secure? Thx for the great content!

    • @apalrdsadventures 7 months ago

      When WiFi was drafted in 1997 (and WEP was part of the original spec), the US still considered any encryption over 40 bits to be an export-controlled munition, so a lot of encryption in the 90s was known to be weak even when it was designed. This is why the original SSL usually used 512-bit RSA and 40-bit RC4, despite the protocol supporting 1024-bit RSA and 128-bit 3DES or RC4 for companies who could jump through the hoops to only distribute their software to US citizens. Eventually the EFF would challenge this by publishing the source code to cryptographic algorithms in a book.
      There's also the concern that the authentication ciphers in WiFi are virtually always implemented in software (while the stream ciphers are in hardware), so doing ECDH for each auth can be a lot of work for the AP. Modern WPA3 has to consider that the increased crypto work to authenticate new clients can potentially cause a DoS for the AP, so APs implement rate limiting on how fast they will process new clients. A few decades ago this would have been too much for the CPU in the AP.

  • @fedemtz6 10 months ago +1

    when I visited Spain last summer, I found that most places (and in the actual routers) shared the wifi password with a QR code and when I looked at the actual password, they were about 20 random numbers and letters long. That is not bad as long as it is not some id or serial number as I noticed with another ISP's old CPEs in Mexico. The ideal thing to make it easier for us wanting to connect to the wifi on our laptops is the XKCD type of word passwords, maybe just camelCase it and add some basic symbols or numbers.
    Btw, the Mexican ISP used some serial number that was printed on the side of the CPE as the password and the last 4 digits were part of the SSID as -. That ISP was bought by another one and those CPEs have been mostly taken out of service.

  • @curtispavlovec 6 months ago

    Excellent synopsis. WPA3/SAE is the only way to go today for the home user. Unfortunately too many devices still in 2024 do not support it. So we are forced to put printers and IoT devices, for example, on a separate WPA2 network.

  • @Nathan-q6y 10 months ago

    Love this video and as always thanks for the great content!!😊😊

  • @UnderEu 10 months ago +3

    Tip for a secure password: Put someone you don’t like that much to close up vim 🙃

  • @TheMonemone2 10 months ago +1

    thanks for the vid. I've learnt a lot!

  • @alexaka1 10 months ago +2

    I gotta go and rotate some passwords is the new I gotta go return some videotapes.

  • @d3wy 10 months ago

    Wonderful video, I also love them googly eyes. I want a dream router just to do that now!

  • @Akadjjoel 10 months ago +1

    Excellent video

  • @ronm6585 10 months ago +1

    Great info, thank you. 👍🏻

  • @MrBoboka12 4 months ago +1

    Great video but missing a few things: WPA3 (AES -> not PPSK/PEAP/TLS/PASS) + WPA (AES/TKIP) + etc ... the stuff that you find in your average Joe home routers, and even though some of them are acronyms, Joe will have 0 idea.

    • @apalrdsadventures 4 months ago

      WPA (1) and TKIP were only a transitional standard for pre-2004 clients who didn't have hardware support for AES

  • @fedemtz6 10 months ago +4

    I have a WPA2/WPA3-Personal network. How does having mixed WPA2 and WPA3 work? Is there any benefit to having WPA3 if there are still some WPA2-only clients?

    • @apalrdsadventures 10 months ago +3

      WPA3 clients will use SAE (with forward secrecy / inability to decrypt even if you know the password).

  • @stelas9307 8 months ago

    Wow! Amazing info for free!!! Thank you!!!

  • @gunnargu 10 months ago +4

    My question: WHY is it so hard to set up a RADIUS server? All I want is a USER FRIENDLY RADIUS server that can do all the wifi auth modes. Just part of routers or as a VM appliance!

    • @apalrdsadventures 10 months ago +6

      RADIUS is a very troublesome protocol for everyone involved

    • @curtispavlovec 6 months ago +1

      Ubiquiti has a built in RADIUS server iirc

  • @subrezon 10 months ago +2

    I used to have an xkcd-like password, except that I combined 4 words from 4 different languages. If whoever is cracking my password has a wordlist with Russian transliterations and a rule that correctly leetifies Russian - honestly, they deserve the W.
    (not my password strategy anymore)

    • @apalrdsadventures 10 months ago +1

      Oh wow now I need to find multi-lingual word lists

  • @lumisonic48-io5xw 10 months ago

    Excellent video, can't wait for the follow-up. Will you talk about cert-based RADIUS? I have a few PCs with corporate-issued certificates for corporate Wifi; my dream is to one day have my own Wifi with FreeRADIUS accepting these certificates.

    • @apalrdsadventures 10 months ago

      Yup, it's cert based RADIUS. Although most of the video covers the CA / issuing certs bits and not much on FreeRADIUS.

    • @lumisonic48-io5xw 10 months ago

      @apalrdsadventures So, that will be an adventure for me to figure out :)

  • @InShadowsLinger 10 months ago

    Almost didn't watch, thinking "what new could I possibly learn?". Boy, was I wrong. I am still kind of stuck in the early 2010s.

  • @GameDesignerJDG 10 months ago +2

    21:59 I love to be pedantic about entirely useless trivia, but there are 365.2425 days in a year. You're welcome.
    Long explanation: 365 days + 1/4 (+1 leap day every 4 years) - 1/100 (-1 leap day every 100 years) + 1/400 (+1 leap day every 400 years). This random pointless fact brought to you mostly just as a joke, completely not as a criticism. 365.25 is a perfectly usable shorthand (only off by 3 / 400ths of a year) and this only matters after a lot of years.

  • @neilquinn 10 months ago +1

    How risky is using an ancient actiontec mi484wr just as a router? (have a more modern AP attached and the radio disabled on the actiontec)

  • @TheOisannNetwork 10 months ago +1

    Thanks!

  • @AlyssaNguyen 10 months ago

    I once had a (temporary!) connection I called "Spaceball One" and set the password as "onetwothreefourfive" 😂

  • @tomkelley4119 6 months ago

    With your password generator, I capitalize the first letter of words, and I add punctuation to make things more obvious on what the phrase means to me.

  • @MrSephkeene 10 months ago +1

    Great video as always. Is there an updated discord link?

    • @apalrdsadventures 10 months ago

      It should be correct?

    • @MrSephkeene 10 months ago

      I get invalid or expired.

    • @ougonce 10 months ago

      Works for me. You've probably been banned.

    • @apalrdsadventures 10 months ago

      It's not a ban from my side. But here's another 7-day link to try: discord.gg/E2EbWdtx

    • @MrSephkeene 10 months ago

      On Android, both links fail; on desktop, it works a charm. Thanks again! @apalrdsadventures

  • @JonathanSwiftUK 10 months ago +1

    You didn't mention MAC filtering / restrictions, and whether they have any merit.

    • @apalrdsadventures 10 months ago +1

      In general, MAC filtering causes headaches in the enrollment phase (you often need to connect a device to a network to capture the MAC, then move it over to a secure network). It's also trivial to spoof a MAC on the air, so it provides little security by itself, but it can be extremely useful for higher level segmentation (assigning VLANs / PPSKs by MAC using RADIUS).

  • @gorgonbert 10 months ago +1

    Have a WiFi network with whatever the best encryption is you can manage, but that network can only access the router. Run VPN on the router (WireGuard, openvpn, whatever) to access the rest of the network 👍

    • @apalrdsadventures 10 months ago

      Do you mean VPN from the client to router (over wifi)? That's not going to provide any advantages over WPA-Enterprise.

    • @gorgonbert 10 months ago

      @apalrdsadventures Just another layer of protection… you can hack that wifi password all you want… I don't care… 👍
      I like your point about multiple SSIDs too… using VPN as added layer of protection, that one single WiFi could even have internet access for all I care and the password can be shared with friends and family… no guest SSID needed… also if you happen to have some IoT crap, those can talk to their clouds… I wouldn’t let devices like that on my network, but if you have to at least they can’t get to the precious stuff…

    • @apalrdsadventures 10 months ago +3

      WPA3-Enterprise (and WPA2 with PMF + cert checking) is essentially the same process and level of encryption used in IPSec + IKE with per-client keys and cert-based authentication. So if you are using WPA-Enterprise there's no reason to layer anything else on top, and WPA-Enterprise support is a lot easier to deal with on clients than IPSec and there's nothing to install like Wireguard.

  • @WndSks 10 months ago

    Before OWE the advice used to be that WPA PSK with the password on the store wall/window was better than Open. I never looked into it but I suppose it helps if each client gets their own session key.

    • @apalrdsadventures 10 months ago

      Posting the password on the wall in theory makes sure someone walking by doesn't use your network, but realistically everyone in the area will know your password and that's not really useful security.

    • @WndSks 10 months ago

      @apalrdsadventures Everyone is supposed to know the password; the point is to provide slightly better security than a plain open AP. WPA PSK will handshake each client and give them their own temporary key that is used to encrypt the traffic between the client and AP. (That was the theory 10 years ago anyway)

    • @apalrdsadventures 10 months ago +2

      yeah, that's like the perfect use case for OWE. If everyone knows the password, it's trivial to decrypt all of the WPA2 PSK traffic anyway, SAE doesn't have this problem (and SAE is used for both OWE and WPA3 Pass-based).

  • @kwinzman 10 months ago

    I hate to use the YouTube comment system because it seems to delete or shadowban half of what I write, but I have to give you some feedback.
    You said: if your device hasn't had a firmware update in the last 5 years to add WPA3 support do you really want to use it?
    After I watched your comment I got motivated, and set my AP to WPA3 only.
    It turns out there are a lot of good devices that regularly get security updates which don't support WPA3: Intel laptops with Wireless-AC 7265 have no WPA3-capable driver for Windows, the iPhone 6S still gets security updates but doesn't support WPA3, my soundbar gets regular updates but doesn't support WPA3, my Raspberry Pi 4 gets regular security updates but only supports WPA3 with great troubles (I believe since THIS week there is finally a solution if you completely swap the firmware and the wpa_supplicant that comes with the Raspberry), and two label printers that I have that still get roughly 1 security update per year won't support WPA3. So, no, that part of the video is just misleading to be frank.
    I hope this feedback helps. And doesn't get deleted by YouTube.

  • @ws_stelzi79 10 months ago +2

    I guess the Chinese were searching for good WiFi signal a couple of thousand years before considering Confucius already wrote about security! 😉😏🤯

    • @apalrdsadventures 10 months ago +4

      In ancient Lu, Confucius, intrigued by tales of the mystical "Wifi-zen," embarked on a quest to find the best signal. Armed with teachings from wise elders, he journeyed through crowded markets, serene gardens, and sacred temples, raising his smartphone to the heavens at each location.
      Encountering interference in markets, weakened signals in gardens, and elusive connections in temples, Confucius persisted, adjusting settings and offering sage advice. It became clear that, like the pursuit of virtue, finding the best Wifi-zen signal required balance and patience.
      After days of exploration, Confucius stood atop a hill, where the Wifi-zen signal surged with strength. Reflecting on his journey, he shared wisdom: "Navigate interference, seek balance, and embrace patience for the highest connection."
      The people of Lu marveled at the sage who not only imparted virtue but also triumphed in the quest for the best Wifi-zen signal. Content with his discovery, Confucius continued his journey, leaving behind a city united by ancient wisdom and the invisible threads of the digital realm.

  • @l0gic23 10 months ago

    Great vid

  • @SamuelSkottenborg 10 months ago +1

    Is that an Asrock X300 on your desk?

  • @astacc 6 months ago

    26:30 A lot of IoT devices barely support Wi-Fi 4. I have them in a separate IoT network without internet or access to other VLANs. Locking all the questionable devices in their own corner is better than having them in the main network, but still not great.

  • @subari5875 10 months ago

    Damn, I always assumed that WPA2 without password still used an encryption key, just without authentication. Who the hell thought that it was a good idea to communicate without encryption, especially over air? WPA2-PSK too, it boggles my mind how this level of poor encryption could even be an IEEE standard.

    • @apalrdsadventures 10 months ago

      'without encryption' is how wifi was originally designed, back in the 90s it was an expensive and niche system.

  • @yuraetoh 8 months ago

    So in other words Ethernet is the best type of WiFi

  • @BenState 5 months ago

    sub from me for this great content

  • @GR3YS0RG4N1CS 8 months ago

    Downvoted for the sinophobia.

  • @AdrianuX1985 10 months ago +1

    On my old AP with OpenWrt, I added to CRON:
    1 0 * * * uci set wireless.default_radio0.key=$(head /dev/urandom | tr -dc '0-9a-zA-Z' | cut -b1-56); uci commit wireless; wifi;
    In your opinion, how long would it take for the GeForce RTX 4090 to crack the above alphanumeric password of 56 characters?

    • @apalrdsadventures 10 months ago

      If I know it uses those characters only (no symbols) that's 62 possibilities per symbol. I also know it's 56 symbols (hypothetically) so I don't have to try all the shorter permutations first.
      So total guesses is 62^56 = 2.36e100. RTX 4090 can optimistically do 1.5MH/s (I have no benchmarks but the 3090 can do 1.15MH/s), so roughly 5e86 years on a single card.
      However I could instead brute-force the PSK. PSK = SHA1 hash of SSID + Passphrase roughly and is 256 bits long. That's 1.15e77 possibilities, and since there are less steps in the computation of each guess it can also be done faster. But we're still at some wildly high computation times, on the order of 1e50 years.
      Realistically by chaining in SHA1 attacks you might be able to get it down to ~100 GPU-years. I haven't seen any research on that applied to WPA2.
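The keyspace arithmetic in the reply above, and the 56-character alphanumeric key the cron line rotates, as an added example (not code from the video or from anyone in the thread). It derives the WPA2-Personal PSK the way IEEE 802.11i defines it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output, which is what `wpa_passphrase` prints) and turns a charset size, a length and an assumed guess rate into a time-to-exhaust figure. The 1.5 MH/s rate and the 62-symbol alphabet are the thread's figures, `ExampleNet` is a constructed SSID, and the `IEEE`/`password` pair is the 802.11i test vector.

```python
"""Cost of offline guessing against a WPA2-Personal passphrase (added example)."""
import hashlib
import math
import secrets
import string

SECONDS_PER_YEAR = 365.2425 * 24 * 3600          # Gregorian year
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols, same set as the cron line's tr filter
PSK_BITS = 256                                   # length of the derived WPA2 PSK


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PSK from SSID and passphrase.

    IEEE 802.11i definition: PBKDF2, HMAC-SHA1, SSID as salt, 4096 iterations,
    32-byte output. This is the value an attacker with a captured 4-way
    handshake has to match, and it is what each guess costs to compute.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def passphrase_keyspace(charset_size: int, length: int) -> int:
    """Candidates to try when the guesser knows the charset and exact length."""
    return charset_size ** length


def effective_keyspace(charset_size: int, length: int) -> int:
    """Work is bounded by the smaller of the passphrase space and the PSK space.

    A very long passphrase cannot make guessing harder than the 2^256 PSK it
    maps to, which is the reply's point about attacking the PSK directly.
    """
    return min(passphrase_keyspace(charset_size, length), 2 ** PSK_BITS)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Years a single cracker at the given rate needs to try every candidate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def random_alphanumeric_passphrase(length: int = 56) -> str:
    """CSPRNG equivalent of the cron line's head/tr/cut pipeline."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


if __name__ == "__main__":
    # Assumed rate from the thread: ~1.5 MH/s for WPA2 PBKDF2 on one RTX 4090.
    rate = 1.5e6
    for length in (8, 12, 20, 56):
        ks = effective_keyspace(len(ALPHANUMERIC), length)
        print(f"{length:2d} alphanumeric chars: ~10^{math.log10(ks):.1f} guesses, "
              f"~{years_to_exhaust(ks, rate):.1e} years at {rate:.1e} guess/s")
    # Constructed SSID; the printed hex is what wpa_passphrase would emit for it.
    print(wpa2_psk("ExampleNet", random_alphanumeric_passphrase()).hex())
```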

    • @flintthuang 10 months ago +1

      How does the UE know the password after cron is executed?