This is a great idea. Moxie Marlinspike is generally someone worth watching. I didn't do the math on his cloud hosting, but he could double the price here and it'd still be worth it.
What this site really says is, "don't use WPA-PSK on sensitive networks."
WPA2 (or WPA-AES) and a 64-character password. It's not like people type in their network password every time they join the network. This is one of the areas where it's not that much of a hassle to use a long password since you normally just type in the password/passphrase when setting up the network connection (and people are possibly used to long, random-character passwords from using WEP keys).
On a side note: Long passwords are generally a good idea.
On websites that support it you can just type in a memorable phrase, with spaces and everything, and it will be more secure than the usual 10 char alphabet soup.
A password I commonly use is:
Length limits on password input fields suck donkey balls.
Seriously, what's your concern? There's a very low chance that someone will be determined enough to use tools like these to hack into your LAN, and even if he'll do that, so what?
> There's a very low chance that someone will be determined enough to use tools like these to hack into your LAN
To use your LAN, no... but to use your internet? Imagine someone is determined to get an internet connection already and doesn't care if it's legal or not - he starts looking for information on wireless password hacking and finds that site. Now his choice is between a contract + installation fee + monthly fee -vs- 17$ once.
Why would you care? For example if your country/ISP uses a 3 strikes policy. Or you don't want police asking about that child porn distribution network. Or .... (many reasons)
In most companies with in-house applications, access to the wireless network equates in some low number of moves to root access to production servers. Losing your wifi is a big deal.
WPA-PSK uses the name of the network as a salt. There exist rainbow tables for millions of passwords for many of the most used network names.
It doesn't really have to be random, just not something widely in use. In other words, just don't leave it as "linksys", I'm pretty sure that even a 13-char random string doesn't help you then. :)
No. The SSID is used as part of the encryption. Changing it to something very obscure invalidates any precomputed tables and forces a brute force attack.
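An added example, not part of any comment in this thread and not code from the service under discussion: the standard WPA/WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 salted with the SSID) plus a small configuration check. The `COMMON_SSIDS` sample, the `audit` helper, its finding labels and the 20-character threshold are assumptions made for illustration.

```python
import hashlib
import string

# Constructed sample of factory-default names; "linksys" is the one named in the thread.
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink"}


def is_raw_psk(secret: str) -> bool:
    """64 hex digits are taken as the raw 256-bit key rather than a passphrase."""
    return len(secret) == 64 and all(c in string.hexdigits for c in secret)


def derive_pmk(secret: str, ssid: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if is_raw_psk(secret):
        return bytes.fromhex(secret)  # no hashing, so the SSID plays no part here
    if not 8 <= len(secret) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), ssid.encode(), 4096, 32)


def audit(ssid: str, secret: str, min_len: int = 20) -> list:
    """Flag the two weaknesses raised in the thread (min_len is a hypothetical policy)."""
    findings = []
    if ssid.lower() in COMMON_SSIDS:
        # A widely used SSID means the salt is shared with many other networks,
        # so tables precomputed for that name apply to this network too.
        findings.append("common-ssid")
    if not is_raw_psk(secret) and len(secret) < min_len:
        findings.append("short-passphrase")
    return findings


if __name__ == "__main__":
    phrase = "a memorable phrase with spaces"  # constructed sample
    for name in ("linksys", "x7-attic-ap"):    # second SSID is a constructed sample
        print(name, derive_pmk(phrase, name).hex(), audit(name, phrase))
```

The same passphrase yields unrelated keys under the two SSIDs, which is why a table built for one network name is useless against another.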
A lot of people seem to misunderstand what this is for. This isn't about breaking into your neighbor's wifi, this is about professional penetration testers more easily being able to crack WPA-PSK.
Think nosey neighbors. It's, of course, unethical, invasive and rude... but that hasn't stopped any of my neighbors from looking in the windows when they are open.
To me the valuable part is the dictionary. The rest of this is relatively straightforward script kiddy HOWTO stuff. Most people I know have an extra computer that is idling 95% of the time and could run a process for 5+ days. It's the relatively instant gratification and ease of use that I like.
This really is a great idea. I think this style of cloud cracking might have larger applications as well, outside of just PSK. Inexperienced users will pay to crack systems like this.
I have to clarify: It's not just about guessing the password. If you do guess it, even on WPA2 you could just try logging in. Try too many times, and someone might notice. But on WPA-PSK, you can capture some traffic, and then run huge tables of passwords against it; you don't have to do any login attempts until you find the right one. And yes, WPA2 is safe against that.
Actually, while WPA2 introduced CCMP mode as a replacement for the problematic TKIP, when run with authentication based on Pre-Shared Keys (PSK), it is still vulnerable to dictionary attacks. Our service works against both WPA and WPA2 when PSK is being used.