Last week I had the privilege to be a guest on the Defrag This podcast to speak about wireless security, which you can listen to here: https://blog.ipswitch.com/wireless-security-protocols-brad-call. During the interview I was asked if there was a replacement for WPA2 in the works, and off the top of my head I said that I thought I had heard rumors of one in development, but not to quote me on that as I couldn't recall any details. After the interview was over and I was no longer thinking on my feet, I tried to recall where I had heard this information, only to realize that I was mistaken and was probably thinking of the 802.11ad standard, since that is slowly creeping into the news more.
This question did lead me to think about why there was not a standard in the works to replace WPA2, especially since it is over 10 years old. The conclusion I came to was surprisingly straightforward. There is no replacement because, all things considered, WPA2 is actually pretty good. Most of the attacks against it, apart from the KRACK attack (which has been patched), take advantage of poor configurations and not of WPA2 as a protocol itself.
Sure, it's not great that the PSK (pre-shared key) hash can be captured in the 4-way handshake, but with the correct configuration it is basically impossible to decrypt with today's GPU power. A poorly configured WPA2 Personal (a.k.a. WPA2-PSK) pre-shared key, on the other hand, can be decrypted within minutes. There are now multiple websites, many of which are free, where an attacker can upload the hashed key captured in the 4-way handshake, and if the site has previously cracked that hash the decrypted key is presented immediately. If it has not already been cracked, the site offers the option to pay a very small fee to have the site owners brute force it on their GPU farms.
The good news is that, since the network SSID is used in the hashing process, you can make your WPA keys computationally more difficult to crack simply by using an SSID that is unique. For example, do not use SSID names like "Office" or "Internal", since they appear in the https://wigle.net top 1000 SSID stats, and you should definitely not use xfinitywifi or linksys, since they are the #1 and #2 most used SSIDs in the world. In combination with the unique SSID, you should also use a long passphrase. This does not necessarily need to be complex, with special characters and complete gibberish. Again, the goal is to make it hard enough that cracking it is not feasible. Since the average WPA pre-shared key is between 8 and 20 characters long, most of the wordlists used to crack WPA do not contain entries beyond 20 characters. For example, using "This is our secure password" (not an actual recommendation) as your pre-shared key gives a 27-character phrase that is very easy to remember but virtually impossible to crack.
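The two recommendations above (unique SSID, long passphrase) follow directly from how WPA2-PSK turns the passphrase into the Pairwise Master Key: PBKDF2-HMAC-SHA1 with the SSID as the salt, 4096 iterations, 256-bit output. The following Python is an added example written for this post, not code from the original; it derives the PMK the way the standard specifies, shows that the same passphrase yields a different PMK under a different SSID (which is why precomputed tables only help against common SSIDs), and runs a small configuration check based on the thresholds the post uses. `COMMON_SSIDS` is a constructed stand-in for the wigle.net list, and `assess_psk_config` is a hypothetical helper name.

```python
import hashlib

# Constructed stand-in for the wigle.net top-1000 SSID list referenced in the post.
# Not the real list; extend it from the actual stats in a real check.
COMMON_SSIDS = {"xfinitywifi", "linksys", "Office", "Internal", "NETGEAR", "default"}

# Parameters fixed by IEEE 802.11i for deriving the PMK from a WPA2-PSK passphrase.
WPA2_PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32            # 256-bit PMK
MIN_PASSPHRASE_LEN = 8        # WPA2-PSK allows 8..63 ASCII characters
MAX_PASSPHRASE_LEN = 63
WORDLIST_REACH = 20           # post: common wordlists rarely go beyond 20 characters


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID is the salt, so a table of PMKs precomputed for one SSID is useless
    against any network with a different SSID.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        WPA2_PBKDF2_ITERATIONS,
        PMK_LEN_BYTES,
    )


def assess_psk_config(passphrase: str, ssid: str, common_ssids=COMMON_SSIDS) -> list[str]:
    """Return a list of findings; an empty list means the configuration follows the post's advice."""
    findings = []
    if not MIN_PASSPHRASE_LEN <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        findings.append(
            f"passphrase length {len(passphrase)} is outside the "
            f"{MIN_PASSPHRASE_LEN}-{MAX_PASSPHRASE_LEN} range WPA2-PSK permits"
        )
    elif len(passphrase) <= WORDLIST_REACH:
        findings.append(
            f"passphrase is {len(passphrase)} characters; within the length range "
            f"typical cracking wordlists cover (<= {WORDLIST_REACH})"
        )
    if ssid in common_ssids:
        findings.append(
            f"SSID {ssid!r} is widely reused; precomputed PMK tables are likely to exist for it"
        )
    return findings


if __name__ == "__main__":
    phrase = "This is our secure password"   # the post's illustrative phrase, not a recommendation
    weak_ssid, unique_ssid = "linksys", "AcmeCorp-Floor3-7f2q"   # constructed sample SSIDs

    # Same passphrase, two SSIDs: the PMKs share nothing, so a table built for
    # "linksys" cannot be reused against the unique SSID.
    print("PMK under", weak_ssid, ":", derive_pmk(phrase, weak_ssid).hex())
    print("PMK under", unique_ssid, ":", derive_pmk(phrase, unique_ssid).hex())

    for pw, ssid in [("password", weak_ssid), (phrase, unique_ssid)]:
        print(f"{ssid!r} / {pw!r}: {assess_psk_config(pw, ssid) or ['ok']}")
```

`derive_pmk` matches the published IEEE 802.11i test vector (passphrase `password`, SSID `IEEE`), so it can be used to sanity-check any tool that claims to compute WPA2 PMKs. The 4096 iterations are what make each guess cost the attacker real GPU time; the salt is what stops them from paying that cost once and reusing the result across networks.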