mdhwoods wrote: ↑Mon Apr 15, 2019 9:17 pm
Ya i was reading about this last week. if you build it, someone will break it.
actually i found a better article here
Next-gen standard was supposed to make password cracking a thing of the past. It won't.
“In light of our presented attacks, we believe that WPA3 does not meet the standards of a modern security protocol,” authors Mathy Vanhoef of New York University, Abu Dhabi, and Eyal Ronen of Tel Aviv University and KU Leuven wrote. “Moreover, we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner.”
Had the alliance heeded a recommendation made early in the process to move away from so-called hash-to-group and hash-to-curve password encoding, most of the Dragonblood proof-of-concept exploits wouldn't have worked, the researchers went on to say. Now that the Dragonfly is finished, the only option is to mitigate the damage using countermeasures that at best will be "non-trivial" to carry out and may be impossible on resource-constrained devices.
https://arstechnica.com/information-tec ... passwords/
i agree with merlin's statement
The expert critics are pretty loud however about the fact that the Wifi Alliance were warned early during the design phase about some of their initial choices, but they decided to keep going on doing their own thing and ignore outside advice (or so those experts say).
Bottom line hasn't changed: if it doesn't move, wire it. If it moves and it's security-sensitive, wire it anyway.
recommended solution from the article
People should ensure that any WPA3 devices they may be using are running the latest firmware. They should also ensure they are using unique, randomly generated passwords that are at least 13 characters long. Password managers or the use of dice words are two useful ways to ensure password requirements are being met. Security experts have long recommended both these practices. They only become more important now.
