Is WPA good enough or must I use WPA2?

Question

Level 2

190 points

Is WPA good enough or must I use WPA2?

Hi there,

I'm a fairly experienced(ish) user, currently setting up a network in my parents (and my) home. I was hoping to use WPA2 to secure it, but my dad has an old Powerbook G4 with an Airport card, and since discovering you have to have an Airport Extreme card to access a network with WPA2, I'm not so sure what to do.

I do actually have an Airport Extreme card going spare from my old laptop, which I could give him, but I'm not sure it's worth the effort for that extra little bit of security.

Extra info that may be useful:
- I'm also disabling SSID broadcast and will soon be setting up MAC address filtering, so that'll be an extra couple of security steps taken.
- In our home, we will be doing a fair amount of internet banking, eBay transactions, internet shopping etc, so that's part of the reason I want good security.
- There will be several computers online often-times, and my brother's fond of using multiple MAC addresses for his one machine (apparently) so whatever method I use must serve a number of machines.

So what do you think, do I go the extra mile for WPA2 by putting my Airport Extreme card into my Dad's Powerbook or will WPA be fine for my needs?

Thanks alot, and please only answer if you do actually know what you're talking about... I see some answers on here which are really nothing more than guess-work & conjecture, and I need something a little more definite.

Thanks again,
Charity

iBook G4 12 inch, Mac OS X (10.4.5), 80 GB internal Hard Drive

Posted on May 9, 2007 5:34 PM

Reply

Answer 1

Camelot

Level 9

58,311 points

May 9, 2007 6:11 PM in response to CharityJF

For all intents and purposes, the difference between WPA and WPA2 is that the latter supports AES encryption in addition to the standard TKIP/RC4 algorithms in WPA.

There are other minor differences, but that's the one that really matters.

AES is a higher encryption standard and should, therefore, be harder to crack.

For most practical purposes, though, it shouldn't make a big difference - anyone would have to capture a significant amount of traffic and analyze it to break the network.

In this case, though, you should also bear in mind that the base station can support both WPA and WPA2 modes, meaning that the clients that support WPA2/AES can connect at the same time as WPA-only clients using TKIP. Therefore it's only really the traffic between the base station and the PowerBook that's running with the lower encryption standard.

Without knowing your traffic patterns it's impossible to tell where most of your traffic is flowing, but if it's to other machines, then you have less to worry about than you at first thought.

If you're really worried about security then the cost of a WPA2 card is insignificant, but even that won't guarantee your security (there are all kinds of other ways people can get your account details). You still need to follow good security protocols, including password selection and changes no matter what.

Reply

Answer 2

CharityJF Author

Level 2

190 points

May 9, 2007 6:36 PM in response to Camelot

Thank-you very much for your reply Camelot.

In your response you said:
"In this case, though, you should also bear in mind that the base station can support both WPA and WPA2 modes"

When you refer to the base station, do you mean an Apple brand router? I'm actually using a Netgear DG834PN router (sorry, should have put that in my first post.) I'm not sure if that will offer that feature, but it's good to know that if it does, that will at least provide a more secure connection for computers in the house other than the Powerbook. The Powerbook is used alot, usually for most of the day, but only really for educational purposes (my sister is schooled via the net), online chat and browsing the net. No shopping or banking goes-on on that machine.

By the way, I'm in the UK, so I need to go to bed now and therefore won't be replying to any messages on this thread til morning.

Thanks.

Reply

Answer 3

May 9, 2007 6:41 PM in response to CharityJF

WPA2 uses a better encryption algorithm than WPA, but with a sufficiently complex pre-shared key, WPA is fine.

Disabling SSID broadcast and using MAC address filtering will stop the casual observer, but if someone is really trying to pull information out of the air, these won't stop anything.

Of course, in order to break a complex WPA-PSK (more than 20 random char.), it would take someone standing in range of your AP for about 4000000000000000000000 years.

Reply

Answer 4

May 10, 2007 9:16 AM in response to LittleSaint

Can Powerbook G4s with Airport (non-Extreme) even do WPA ? I thought they were restricted to WEP...

Reply

Answer 5

CharityJF Author

Level 2

190 points

May 10, 2007 12:20 PM in response to Karl Zimmerman

Can Powerbook G4s with Airport (non-Extreme) even do
WPA ? I thought they were restricted to WEP...

I have looked into this a bit and found quotes saying both that they can and that they can't.

I'm inclined to say they can, as the network I'm currently working to replace used a WPA password and my dad'd G4 with non-Extreme airport could get on absolutely fine.

I'm only replacing the network because it was all the newer computers in the house that had problems, which I think are down to the router (D-Link - avoid their kit, it's really bad from my experience.)

Reply

Answer 6

May 10, 2007 1:16 PM in response to Karl Zimmerman

WPA uses the same RC4 encryption as WEP. TKIP is what distinguishes WPA from WEP and makes it more secure provided you use a large, complex key. WPA2 uses completely different encryption which requires the newer hardware to crunch the numbers.

Reply

Answer 7

CharityJF Author

Level 2

190 points

May 10, 2007 1:23 PM in response to LittleSaint

"provided you use a large, complex key."

As I understand it, WPA keys can include upper & lower case letters, numbers and the more common characters, am I correct?

I use all the above, make sure there are no dictionary words in my password, and make it as long as possible.

Reply

Answer 8

May 11, 2007 12:39 AM in response to CharityJF

and my brother's fond of using multiple MAC addresses for his one machine

As a matter of idle curiousity, why?

AK

Reply

Answer 9

May 11, 2007 7:55 AM in response to CharityJF

20 characters or more is recommended. No words or patterns. A good rule is if you can remember the key without writing it down, it's no good.

Reply

Answer 10

CharityJF Author

Level 2

190 points

May 11, 2007 1:31 PM in response to Austin Kinsella1

and my brother's fond of using multiple MAC

addresses for his one machine

As a matter of idle curiousity, why?

Austin, I have no idea. My brother does quite like to paint himself as a mysterious computer genious, and I doubt I'll get a proper answer from him on this matter. He's a Windows user and hates Mac users (myself included.)

I think he said it was for speed, but I hope that doesn't reduce the speed to other computers in the house, as while he probably uses the net for pure recreation, my sister and I use it for school and business respectively, so speed's important for our productivity.

Any thoughts on this matter? If his using many MAC addresses is going to impact on our network's speed at all, I can tell him he's got to use just one, as I'm going to set up MAC address filtering soon.

Reply

Answer 11

May 11, 2007 1:56 PM in response to CharityJF

I can think of no way that changing your computer's MAC address would have any impact on speed. The typical reason that someone changes MAC address is that they are trying to get access to a network resource for which their network card is not authorised, and they happen to know the MAC address of one that is.

AK

Reply

Answer 12

CharityJF Author

Level 2

190 points

May 11, 2007 2:53 PM in response to Austin Kinsella1

He's not changing his MAC address, he's adding extra ones, so his computer has several MAC addresses.

Reply