Home wireless security level?

Displaying poll results.
Open network: Internet should be free for all!
  1751 votes / 5%
WEP encryption: Waiting to be compromised
  967 votes / 2%
WPA/WPA2 encryption: Should be secure
  18874 votes / 53%
WPA/WPA2 w/ hidden SSID: A bit more secure
  3840 votes / 10%
Ditto, but w/ MAC whitelist: A tough tighter
  3300 votes / 9%
Ditto, but DHCP disabled: Wireless fortress
  1021 votes / 2%
Wired connection or powerline Ethernet only
  1908 votes / 5%
Whatever my neighbors are using
  3301 votes / 9%
34962 total votes.
  • Don't complain about lack of options. You've got to pick a few when you do multiple choice. Those are the breaks.
  • Feel free to suggest poll ideas if you're feeling creative. I'd strongly suggest reading the past polls first.
  • This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls. If you're using these numbers to do anything important, you're insane.
This discussion has been archived. No new comments can be posted.

  • by Soulskill (1459) Works for Slashdot on Friday August 02, 2013 @11:00AM (#44456461) Homepage

    Restarted this poll to fix comments. Apologies for the lack of comments on the previous one.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Apologies for the lack of comments on the previous one.

      Nope, we're not buying it. Clearly, it was part of some evil plan your evil masters at Dice Evil Holdings eviled up for some evil purpose (we'll make up... I mean, determine just what it was supposed to do later) and only our complaining could possibly foil this evil from taking over the world*. We're clearly heroes and whining on an online message board is a viable tactic to save the world!

      *: Slashdot

    • by simplypeachy (706253) on Friday August 02, 2013 @12:22PM (#44457423)

      Care to restart it again with a correct list of "least to most secure" options?

    • by antdude (79039) on Friday August 02, 2013 @03:24PM (#44459885) Homepage Journal

      http://slashdot.org/poll/2613/time-until-facebook-is-replaced [slashdot.org]

      Can you please kindly restart that one too so we can post comments?

    • by wolrahnaes (632574) <sean@NoSPAM.seanharlow.info> on Saturday August 03, 2013 @03:25PM (#44466435) Homepage Journal

      How about restarting it again to get rid of the absolutely idiotic choices. Please stop promoting the misconception that MAC filtering, SSID hiding, or DHCP disabling are worth anything at all for network security. All any of those three do is make legitimate use harder while not hindering an attacker in the slightest. Does anyone think there are people who can crack WPA2 but can't run Wireshark for 15 seconds to see both legitimate MACs and the IP scheme?

      • by Lumpy (12016) on Monday August 05, 2013 @12:47PM (#44478367) Homepage

        Problem is Slashdot no longer has anyone working here that knows anything about technology.

        You wanted the Slashdot from 10 years ago, it's gone.

  • by Anonymous Coward

    A clear field of view and a targeting range in excess of the WAP's range should be sufficient security.

    • Re: (Score:3, Interesting)

      by kalalau_kane (1621021)
      Most wireless devices would have to be on my land to access my router, so I've got an Alfred E. Neumann attitude toward wireless security. If you're visiting me, go ahead. I tested with a high wattage radio connected to first a 13Dbm Omni antenna, then a 25Dbm flat panel antenna. I could establish a reliable connection at over half a mile to the router on my desk, but after that things got a bit shaky. The Omni didn't have quite the range as the panel, but the alignment on the panel had to be spot on a
  • by anss123 (985305) on Friday August 02, 2013 @11:09AM (#44456557)
    I'm still using WEP for the simple reason that I would have to update several devices' settings, and I'm too lazy for that. This also means I lose out on wireless N, but my internet connection is pretty slow anyway.
    • by ShakaUVM (157947)

      >I'm still using WEP for the simple reason that I would have to update several devices' settings, and I'm too lazy for that.

      Yep. And it's compatible with everything.

      It has enough security that it keeps out casual people, but not enough to pretend you have actual security.

      You should never trust your wifi network. Even if you have some magical unhackable security, all you need is one friend connecting with a cell phone and Google knows it (Android phones autoupload wifi passwords by default) and therefore t

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Between eeeeeeevil NSA agent driving up to my home and surfing porn with my Google-acquired credentials and neighbour's kid discovering Backtrack pwning my WEP network or a passing by wardriver doing same, one is about as likely as winning jackpot in a lottery by finding a ticket on the street, and another like getting 2:1 payment back on one ticket from a thousand you bought.

        It's like saying "Well, a nicely placed C4 charge would blow this safe open anyways, so I might as well just hide my money in my old

      • I use WEP, but you're going to hit a FreeBSD server with paranoid security settings once you get past that little nuisance. And the only way through is a VPN.
  • by danbob999 (2490674) on Friday August 02, 2013 @11:10AM (#44456565)

    Is it so hard to spoof a MAC address? I wouldn't call that security.
    Also hidden SSID is a bad idea, period.
    http://blogs.technet.com/b/networking/archive/2008/02/08/non-broadcast-wireless-ssids-why-hidden-wireless-networks-are-a-bad-idea.aspx [technet.com]
    WPA2 with CCMP-only encryption is good enough. Added security comes from a random SSID and good password.

    • by coldsalmon (946941) on Friday August 02, 2013 @11:35AM (#44456845)

      Disabling DHCP is the most ludicrous option. The only way this could make your home network more secure is if it is an open network and you want to prevent devices from automatically connecting. Do you really think someone is going to crack your WPA2 encryption, spoof your MAC address, and then give up because they don't feel like configuring a static IP address? Or is there actually some valid security reason for disabling DHCP?

    • Re: (Score:2, Interesting)

      by jellomizer (103300)

      OK, I set up my router to handle only 3 MAC addresses.

      You walk by my house, you see a signal. However, the SSID is hidden and is under WPA2, and you need to know what MAC addresses I have allowed. It is getting more and more difficult.
      At best you can peer into the window and see, say, a Dell laptop, and you could get some of the numbers that Dell systems tend to use. But still, you are going to wait a long time in the elements trying to break into a router.

      • by Anonymous Coward on Friday August 02, 2013 @01:41PM (#44458625)

        I would just throw a brick through the window and take the Laptop.

      • by Luthair (847766) on Friday August 02, 2013 @04:20PM (#44460613)

        Firstly, a hidden SSID is pointless and trivial to snoop (and if you've turned on the option to connect if it is not broadcasting, your devices call out the SSID constantly). Secondly, your MAC address is broadcast in the clear regardless of your network encryption; anyone can easily find these by watching wireless traffic.

        A relatively unique SSID (as in, unlikely to be in an existing rainbow table) paired with a reasonable password is all that is required to secure a personal wifi network.

      • by AmiMoJo (196126) *

        It's your neighbours that you need to worry about. Easy to get a working MAC address, just wait for one of your devices to connect. In fact that is also what they need to gather the necessary packets to start an offline dictionary attack on your WPA2 key anyway, so you can see that it offers exactly zero benefit over WPA2 alone.

      • by MiG82au (2594721)
        Please tell me you're trolling.
        I can fire up kismet on my laptop and straight away see what MAC addresses are connecting to your SSID (regardless of whether it's broadcast). It's that easy. I've never bothered trying to spoof a MAC and breaking a wifi key, but getting the SSID and MAC address is trivial.
        Guessing MAC addresses by model of laptop, SNORT!
  • by clarkn0va (807617) <apt.get @ g m a i l . c om> on Friday August 02, 2013 @11:11AM (#44456575) Homepage

    Only one of the possible responses provides any real security against malicious intent. The others might keep nosy neighbours and casual wardrivers out, with varying degrees of effectiveness.

    Then there's the first option. This used to be my philosophy. I still believe in sharing wireless, but these days I do it with a dedicated vlan and a WPA2 key that is disclosed right in the SSID. Sharing doesn't have to mean throwing security out the window.

    • by tapspace (2368622)

      WPA2 key that is disclosed right in the SSID

      What is the point?

      • by clarkn0va (807617)
        Encryption
        • by tapspace (2368622)

          http://security.stackexchange.com/questions/8591/are-wpa2-connections-with-a-shared-key-secure [stackexchange.com]

          Basically, with WPA/WPA2 PSK, anyone who really wants to decrypt a user's traffic can (so long as they witness the association or force a reassociation). It's minimally more difficult than just sniffing unencrypted wifi packets.

          • http://security.stackexchange.com/questions/8591/are-wpa2-connections-with-a-shared-key-secure [stackexchange.com]

            Basically, with WPA/WPA2 PSK, anyone who really wants to decrypt a user's traffic can (so long as they witness the association or force a reassociation). It's minimally more difficult than just sniffing unencrypted wifi packets.

            Perhaps, but at least you can go from worrying about real cybercriminals + dangerous idiot script kiddies to just worrying about the former.

            Any simply implemented measure that mitigates some portion of threat and risk is worth it, IMO.

            • by tapspace (2368622)

              I can't believe my comment was downmodded. Did you read the stack exchange answer? You need some tool (like wireshark) to sniff packets on an unencrypted wireless link. It is trivially more difficult with an encrypted connection when the attacker knows the WPA passphrase. Any "script kiddie" who can figure out how to use wireshark to sniff unencrypted packets on the public VLAN will also be able to sniff encrypted packets. Wireshark does it for you. All said script kiddie needs to do is use the aircra

    • by Type44Q (1233630)

      I still believe in sharing wireless, but these days I do it with a dedicated vlan

      I initially read that as "I do it with a dedicated van" and was rather amused.

  • by radish (98371) on Friday August 02, 2013 @11:13AM (#44456597) Homepage

    Hiding the SSID and/or MAC whitelisting will make it a bit tougher for a casual attacker. BUT, a casual attacker will be totally defeated by WPA2. If whoever is attacking you is able to break WPA2, then the hidden SSID and MAC whitelist will offer you zero protection against them.

    Thus, they're pointless and an inconvenience to legitimate users. My dad is obsessed with MAC whitelists which is a pain as every time I take my laptop over there I have to wait while he reconfigures the fricking router (yes, he deletes the entry when I leave).

  • PSK vs 802.1x (Score:4, Interesting)

    by jaak (1826046) on Friday August 02, 2013 @11:22AM (#44456709)

    I know one isn't supposed to complain about the lack of choices in the poll, but if this is asking about security there should have been an option for PSK vs. 802.1x.

    • by meustrus (1588597)

      I know one isn't supposed to complain about the lack of choices in the poll

      That was a suggestion. Optional. Like pants.

  • I keep my wireless on a separate subnet and firewalled from my main PC. It still has access out to the Internet, just blocked from the rest of my internal network. It's also running WPA2 with a somewhat ridiculous passphrase and a very limited DHCP scope.
  • by JeanCroix (99825) on Friday August 02, 2013 @12:11PM (#44457279) Journal
    I'm not telling - you'll have to wardrive my neighborhood to find out.
  • "Open network: Internet should be free for all!" should read "Open network: Internet should be free for...hold on, the FBI is at the door"
  • by a-zarkon! (1030790) on Friday August 02, 2013 @12:49PM (#44457863)
    Disabling SSID Broadcast should not be considered more secure than standard WPA2/PSK. Clients configured to connect to a hidden SSID will beacon constantly to see if that SSID is available. Take a look at Hotspotter to see if you can figure out why that might not be a great idea. Also, whether you are broadcasting SSID or not, your network is pretty easily found by anyone who is actively looking for wireless networks in the area. This equates to introducing a potential vulnerability for your client systems and no increase in security for your network - so broadcast away. Your best bet is a complex pre-shared key. Change it once in a while if you're paranoid. Tunnel over VPN or SSH if you're really paranoid.
    • by Petron (1771156)

      Not less secure. More secure to the casual hacker. Not more or less secure to somebody targeting you.

      If somebody wants to get on a wireless connection and sees 10 broadcast SSIDs... they would likely try those first. They could wait for a client to send out a request with the ID in it, but there are those 10 that are screaming "HERE I AM!!" that are very easy to find. It's the "I don't need to outswim the shark" approach.

      Now if somebody is targeting you... Hidden or not, they will find your connecti

      • by a-zarkon! (1030790) on Friday August 02, 2013 @02:36PM (#44459351)

        Yes. The point I'm trying to make is that if:
        1) You set your SSID to "my_secret_ssid" and then disable broadcast
        2) You configure your laptop to connect automatically to "my_secret_ssid" and check the box that this is a non-broadcast ssid

        Then
        3) Every time you bring your laptop to work or the airport or the donut shop, it will start beaconing to look for "my_secret_ssid".

        Evil nefarious types have the tools to look for those beacons and automatically reply with "my_secret_ssid" to trick your machine into connecting to them. Theoretically they can then pass this connection to a legitimate network connection, but leave themselves in the middle. You and your laptop won't necessarily know that this has happened.

        How to avoid this: Don't automatically connect to wifi, and don't configure non-broadcast SSIDs on your machines any longer than you need to.
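
An added example, not part of the thread or any poster's code: a check for the client-side condition described in the comment above, assuming the laptop uses wpa_supplicant, where `scan_ssid=1` is the setting that makes the client send SSID-specific probe requests. The sample configuration and the two risk labels are constructed for illustration; profiles without WPA are labelled separately because no handshake forces the access point to prove it knows a key.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not from the thread).
SAMPLE_CONF = """
network={
    ssid="my_secret_ssid"
    scan_ssid=1
    psk="constructed-passphrase-1"
}
network={
    ssid="HomeBroadcast"
    psk="constructed-passphrase-2"
}
network={
    ssid="cafe_hidden_open"
    scan_ssid=1
    key_mgmt=NONE
}
network={
    ssid="old_office"
    scan_ssid=1
    disabled=1
    psk="constructed-passphrase-3"
}
"""

BLOCK_RE = re.compile(r"^\s*network\s*=\s*\{(.*?)^\s*\}", re.DOTALL | re.MULTILINE)


def parse_networks(conf_text):
    """Return one dict of key/value settings per network={...} block."""
    networks = []
    for block in BLOCK_RE.finditer(conf_text):
        fields = {}
        for line in block.group(1).splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_hidden_profiles(conf_text):
    """Flag enabled profiles that send SSID-specific probe requests."""
    findings = []
    for net in parse_networks(conf_text):
        if net.get("scan_ssid") != "1" or net.get("disabled") == "1":
            continue
        # key_mgmt=NONE: no WPA handshake, so the AP never proves it knows a key.
        no_wpa = net.get("key_mgmt", "WPA-PSK").upper() == "NONE"
        risk = "impersonation" if no_wpa else "ssid-disclosure"
        findings.append({"ssid": net.get("ssid", ""), "risk": risk})
    return findings


if __name__ == "__main__":
    for finding in audit_hidden_profiles(SAMPLE_CONF):
        print(finding)
```
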

        • by Petron (1771156)

          Ahh! That is a good point.

          But if I'm at an airport and I connect to "My_Secret_SSID", I know I'm out of range. It's a pretty big tell, but in the moments from connecting to disconnection could be long enough to plant something nasty.

          But when I travel, I normally turn off my wi-fi connections. Bit of my OCDness of having things scanning for things that are not there.

          Now the man-in-the-middle attack is there, if at home somebody could set up an SSID to match you, but that could be done both broadcast and h

        • by hankwang (413283)

          ... automatically reply with "my_secret_ssid" to trick your machine into connecting to them.

          This is only an issue for password-less systems or cases where the attacker knows the password, because the handshake protocol requires both the access point and the client to know the password. In either of those cases, an attacker could just as well sniff the network traffic.

          Is there a scenario where (hidden_SSID + WPA2) is actually more insecure than (broadcast_SSID + WPA2)?

  • WPA2 should be secure. I understand it is not vulnerable to known attack in the enterprise configuration with EAP-TTLS, where the WPA supplicant has a CA installed and can authenticate the peer using a certificate.

    But in the home scenario, what prevents MiM attacks? How can the WPA supplicant make the difference between your own wifi router, and the malicious neighbor's one?

  • by barlevg (2111272) on Friday August 02, 2013 @01:32PM (#44458521)
    My Nintendo DS only supports WEP, so I'm kinda stuck there. My router runs DD-WRT, though, so in theory I could set up a second WLAN. I've actually been meaning to do that for a while, but my motivation is sorely lacking.
  • My take on home WPA2 best practices, in case it helps anyone:

    EDIT 2013-07-06 - WPA2 PSK best practices

    Did a lot of googling and reading up of articles on WPA2 PSK best practices, and watched YouTube videos of how it can be compromised/cracked.

    1. Ideally choose a maximum_character_length password that is random characters (not dictionary words, to thwart dictionary-based attacks).

    2. Make sure the MAX_LENGTH random password has at least one character each of (a number|a punctuation|an upper case letter| a lowe
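
An added example, not part of the thread or any poster's code, for the two comments that recommend a unique SSID and a long random WPA2 passphrase: WPA/WPA2-Personal derives its 256-bit master key with PBKDF2-HMAC-SHA1 using the SSID as salt, so the same passphrase yields a different key on every SSID, and a random passphrase stops gaining strength once it exceeds 256 bits. The function names, the 94-character alphabet and the sample SSIDs are assumptions made for this illustration.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-Personal derives the 256-bit pairwise master key (PMK) as
# PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
PMK_BITS = 256
# 94 printable ASCII characters; space is left out to avoid entry mistakes.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK that client and AP compute from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               4096, PMK_BITS // 8)


def random_passphrase(length: int = 63) -> str:
    """Generate a passphrase of random characters from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def effective_bits(length: int) -> float:
    """Strength of a random passphrase, capped by the 256-bit PMK."""
    return min(float(PMK_BITS), length * math.log2(len(ALPHABET)))


def min_length_for_full_strength() -> int:
    """Shortest random passphrase whose entropy reaches the PMK size."""
    return math.ceil(PMK_BITS / math.log2(len(ALPHABET)))


if __name__ == "__main__":
    # Constructed inputs: the same weak passphrase under two different SSIDs.
    for ssid in ("linksys", "x7Qe-home-4411"):
        print(ssid, derive_pmk("password", ssid).hex())
    print(random_passphrase(), effective_bits(63))
    print("characters needed for 256 bits:", min_length_for_full_strength())
```
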

  • WPA2+Hidden SSID+base station underground and road ~100m from front door.
  • A tough tighter?

  • by Connie_Lingus (317691) on Friday August 02, 2013 @02:58PM (#44459597) Homepage

    I've found that by smashing my router with a hammer until plastic bits fly all over, I've obtained 100% security.

  • If your home systems are reasonably secure, you just need to keep the most casual users from accessing your wifi and doing nefarious things through your internet connection. If someone really wants to use your wifi, they will - and you should be able to show with your logs what happened. The worst though is when people see wifi security as a substitute for system security; the systems on your network should be secured whether you are using wireless or not.
  • I have a 50 megabit connection with an unsecured wireless G/N network with an SSID of "The People's Wifi".

    Warms my heart every time I log into the router config page and see a half dozen new devices :)

    I do limit the access for everyone else though -- web, email, vpn, and that's about it. Don't want any idiots who don't know how to use block lists firing up a dozen torrents through my network. Granted, I do it via port forwarding, so they could still get through, but anyone with that kind of knowledge is smar

  • Wired Ethernet only (Score:4, Interesting)

    by PPH (736903) on Friday August 02, 2013 @06:59PM (#44462237)

    Powerline Ethernet is by itself insecure. Your house may very well share one utility transformer with several neighbors. Your house wiring is effectively connected to theirs.

    Oh yeah. Don't forget those outside plugs. No telling who might sneak up and plug something in there.

  • by msobkow (48369)

    Despite the fact that my laptop could go wireless, I opted for wired connections and have the WiFi functionality of my 2Wire router disabled. I don't like wireless; never have. All those bits penetrating me... :P

  • by Trogre (513942) on Friday August 02, 2013 @09:28PM (#44462925) Homepage

    WPA is in the wrong category, and the security of hidden SSIDs is over-stated. Let's fix this:

    WEP/WPA: Waiting to be compromised
    WPA2: Should be secure
    WPA/WPA2 w/ hidden SSID: Not really any more secure, since all your devices are now broadcasting your SSID whether you're near your AP or not.
    Ditto, but w/ MAC whitelist: Not really any tighter, since the device's MAC is broadcast unencrypted and can be trivially spoofed.

  • by FridayBob (619244) on Sunday August 04, 2013 @07:02PM (#44472557) Homepage
    Missing option: WPA2 Enterprise using FreeRADIUS (and DD-WRT firmware on the access points). Because you just can't be too sure these days.
