<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael Koby &#187; Security</title>
	<atom:link href="http://www.mkoby.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mkoby.com</link>
	<description>Commentary on Technology, Media, News &#38; More</description>
	<lastBuildDate>Tue, 17 Jan 2012 13:00:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>XKCD &amp; Password Security</title>
		<link>http://www.mkoby.com/2011/08/15/xkcd-password-security/</link>
		<comments>http://www.mkoby.com/2011/08/15/xkcd-password-security/#comments</comments>
		<pubDate>Mon, 15 Aug 2011 13:00:42 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[xkcd]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/?p=1672</guid>
		<description><![CDATA[If you were on the internet last week, you probably saw an article, Twitter, or Facebook post about the xkcd comic on password strength. The comic, which was (most likely) inspired by an article entitled, “The Usability of Passwords” basically says that using a multi-word password (3 or more words), is more secure than what I have referred to as “complex passwords” in past articles on this blog. The writer of the original article makes the point (which is what the xkcd comic points to) that passwords using three or more dictionary words have more entropy and are thus harder to crack, therefore making them more secure. While there is a bit of truth to the article, it leads to some false understandings of how hackers actually go about hacking passwords, and makes assumptions that aren’t entirely accurate. <a href="http://www.mkoby.com/2011/08/15/xkcd-password-security/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>If you were on the internet last week, you probably saw an article, Twitter, or Facebook post about the <a href="http://xkcd.com/936/">xkcd comic on password strength</a>.  The comic, which was (most likely) inspired by an article entitled, “<a href="http://www.baekdal.com/tips/password-security-usability">The Usability of Passwords</a>” basically says that using a multi-word password (3 or more words), is more secure than what I have referred to as “complex passwords” in past articles on this blog.  The writer of the original article makes the point (which is what the xkcd comic points to) that passwords using three or more dictionary words have more entropy and are thus harder to crack, therefore making them more secure.  While there is a bit of truth to the article, it leads to some false understandings of how hackers actually go about hacking passwords, and makes assumptions that aren’t entirely accurate.<span id="more-1672"></span></p>
<h3>Hacking Passwords</h3>
<p>The original article explains several methods for hacking passwords. These are asking, guessing, brute force, common word attacks, and dictionary attacks.  You can look at the article to see how the original author describes these methods, but many of them should be self-explanatory.  Asking and guessing for passwords are what regular non-hacker type people will do.  Hackers will also ask for passwords, but they’ll do so in the form of social engineering. <a href="http://en.wikipedia.org/wiki/Social_engineering_(security)">Social engineering</a> is basically tricking the person into giving you the password by (most often) pretending to be someone they can trust, like an internal security or IT employee.</p>
<p>The brute force, common word, and dictionary attacks will be performed by hackers, but not necessarily in the manner described by the author.</p>
<h4>How the Author Says These Work</h4>
<p>The author of “Usability of Passwords” says that these methods are most likely performed at the computer, network, or website that the hacker is attempting to gain access to.  And because of this, the author leads the reader to believe that allowing only a small number of attempts, followed by a “lock out period” that stops the hacker from logging in for an hour, is enough to keep his password strategy safe.</p>
<p>Before I go further, I want to say that limiting the number of attempts and instituting a lock out period is a good security practice, and should be implemented by large corporations.</p>
<h4>How Hackers Really Hack Passwords</h4>
<p>The author of “Usability of Passwords” is correct in the fact that hackers will use brute force and dictionary attacks to hack a password.  But he’s incorrect in that they are used primarily at the login screens.<br />
Most hackers (at least the good ones) will attempt to acquire the password through social engineering, and then, failing that, will work on getting the password hash file off a computer.  What is a “password hash file” you ask? It’s a file on a computer where the usernames and the hashed passwords of the user(s) of the computer are stored.  Getting this file is generally a lot of work for the hacker and this is why they’ll usually just attempt to use social engineering.</p>
<p>Once the hacker has the password hash file, they’ll use various programs (I won’t link to them here, you can Google to see what I’m referring to) to then crack the password hashes on their local computers.  It is this process where the hacker will use the brute force and dictionary attacks.</p>
<p>The other problem is that some of the dictionary hacking programs can be modified to try combinations of words thus making the idea of using multiple words in a password not nearly as secure as the author would lead you to believe.  Is it secure? Not really. Will it take longer for the hacker to crack said password? Yes it will.</p>
<h3>The Graphics Card Problem</h3>
<p>Another fact that the author ignores (but is mentioned in the article’s comments) is that graphics cards are incredibly fast.  And there are applications available that allow a hacker to utilize their graphics card’s processor (GPU) to crack password hashes at an alarming rate.  More information on this process can be found by reading <a href="http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/">this article</a>.</p>
<p>What this means is that utilizing brute force and dictionary attacks can be done in even less time.</p>
<h3>Why Complex Passwords Are Better</h3>
<p>So basically I told you all that to tell you this.  Complex passwords are better than using dictionary words. Period.</p>
<p>A complex password is a password that meets the following requirements:<br />
At least 8 characters (a minimum of 12 is preferred)<br />
Contains BOTH upper case and lower case letters<br />
Contains numbers<br />
Contains at least 1 special character (examples: !@#$%{^]&amp;*)</p>
<p>Why are these better?  Because they can’t be easily figured out with a dictionary attack. They also make brute force attacks more difficult.  It’s hard to guess passwords if they have weird characters in them.  Long passwords that meet the other requirements will take years to crack, even when using graphics cards.</p>
<p>The idea is to make it difficult for the hacker to guess, or hack your password, even if they get that password hash.  But complex passwords, or multiple word passwords don’t help get around the social engineering problem (the user willfully giving someone their password).</p>
<h3>But I Can’t Remember Complex Passwords</h3>
<p>The author’s point about using multiple dictionary words, along with the punchline of the xkcd comic, is that such passwords are easier to remember than complex passwords.  And while this is an extremely valid point, it defeats the purpose of passwords.  Passwords are a form of security (some would argue they provide a false sense of security, but that’s a different topic).  So passwords should themselves be as secure as possible.  This idea of secure passwords comes at the cost of easily being able to remember your passwords, especially since to be really secure you should have a different password for each website that requires one.</p>
<p>This is where “password safes” come into play.  Applications like <a href="http://www.keepass.info">Keepass</a>, <a href="http://www.lastpass.com">LastPass</a> (what I use), and <a href="http://agilebits.com/products/1Password">1Password</a>, allow you to store passwords for individual sites, and they all integrate into your web browser to some degree.  All of these applications also have password generators that allow you to create complex, non-dictionary passwords.  These generated passwords are then saved with the corresponding site you’ve generated them for.  What these applications allow you to do is to have a different complex password for each website you visit.</p>
<p>You’re probably asking “how can storing all my passwords in a single place be secure” and it wouldn’t be a bad question.  The thing about the applications I’ve listed is they all use high quality encryption to store the passwords and they all require the use of a good “master password” and will warn you when your master password is insecure.  You want to have a very secure (around 15-20 characters) complex password as your master password.  And you want to make sure that you use that password only for accessing your password safe.</p>
<h3>Conclusion</h3>
<p>In the end, the author of “Usability of Passwords” makes a convincing case, but not if you know how hackers really operate.  His intentions are good though, the idea of using harder to guess/hack passwords is noble regardless of how you say it should be done.  But I believe that some of his ideas lead to a false sense of security because of a lack of understanding.</p>
<p>Hopefully, I’ve explained to you why some of the ideas presented in the original article were not so great, and have in turn caused you to think about your passwords, and how to create more secure passwords.  I highly recommend that you begin using a password safe, and changing your passwords around the internet to more secure, complex passwords.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2011/08/15/xkcd-password-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Using Secure Passwords</title>
		<link>http://www.mkoby.com/2010/05/10/using-secure-passwords/</link>
		<comments>http://www.mkoby.com/2010/05/10/using-secure-passwords/#comments</comments>
		<pubDate>Mon, 10 May 2010 22:10:31 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/?p=1537</guid>
		<description><![CDATA[This morning, this article about a Facebook board member's account being breached inspired me to touch on passwords again.  I've talked about secure passwords in the past, but on a daily basis I am confronted by people that talk about not wanting to use a more secure password because it "would be hard to remember" but then they will complain when their Facebook or Twitter accounts are hacked. <a href="http://www.mkoby.com/2010/05/10/using-secure-passwords/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>This morning, this <a title="Facebook Loses Face: Board Member’s Account is Breached" href="http://www.pehub.com/71201/facebook-loses-face-board-member%E2%80%99s-account-is-breached/">article about a Facebook board member&#8217;s account being breached</a> inspired me to touch on passwords again. <a title="Securing Your Digital World: Passwords" href="http://www.mkoby.com/2007/09/19/securing-your-digital-world-passwords/"> I&#8217;ve talked about secure passwords in the past</a>, but on a daily basis I am confronted by people that talk about not wanting to use a more secure password because it &#8220;would be hard to remember&#8221; but then they will complain when their Facebook or Twitter accounts are hacked.</p>
<p>To begin, let&#8217;s rehash what makes a strong password.  A strong password has all the following:</p>
<ul>
<li>Upper and lower case letters</li>
<li>At least one number</li>
<li>At least one special character (!,@,#,$,%,^,&amp;,*,(,),&#8220;,&lt;,&gt;)</li>
<li>Absolutely nothing to do with you or someone close to you.</li>
</ul>
<p>That last one is kind of important.  You want to avoid things like names, birthdays, anniversaries, and so on.  Children and pets&#8217; names are also a huge no-no.  The more random the password and the less it has to do with you as a person, the better it is.</p>
<p>To test your password&#8217;s strength, you can look at this <a title="Javascript Password Strength Meter" href="http://www.geekwisdom.com/dyn/passwdmeter">Javascript Password Strength Meter</a>.  This meter gives you a score and tells you how secure your password is.  If you have anything less than mediocre, you should probably reconsider your password and create a new one.  On the same page there are tips on creating a secure password and even a link to a password generating application (and browser plugin).</p>
<p>Using a secure password is extremely important in a world where we have several passwords for many different services.  If you need help remembering your passwords, you should look into something like <a title="LastPass" href="http://www.lastpass.com">LastPass</a> or <a title="KeePass Password Safe" href="http://www.keepass.info">KeePass</a>.  Both are a type of &#8220;password safe&#8221; in that you can store passwords for different sites and only have to remember a single password to the password safe application.  Both of them also have built in password generators that you can utilize to create secure passwords for each site that you use that might require a password.</p>
<p>So again, I urge you dear readers to start using more secure passwords (if you&#8217;re not already).  It can save you a lot of heartache in the end.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2010/05/10/using-secure-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Flaw in Popular Disk Encryption Programs Found</title>
		<link>http://www.mkoby.com/2008/02/21/security-flaw-in-popular-disk-encryption-programs-found/</link>
		<comments>http://www.mkoby.com/2008/02/21/security-flaw-in-popular-disk-encryption-programs-found/#comments</comments>
		<pubDate>Thu, 21 Feb 2008 19:33:45 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2008/02/21/security-flaw-in-popular-disk-encryption-programs-found/</guid>
		<description><![CDATA[The Electronic Frontier Foundation has published an article about a research paper that shows how popular disk encryption software can be defeated. The article (found here) explains that popular disk encryption programs like BitLocker (Windows Vista's disk encryption program) and open source favorite, TrueCrypt, are not invulnerable to the suggested attacks. <a href="http://www.mkoby.com/2008/02/21/security-flaw-in-popular-disk-encryption-programs-found/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The Electronic Frontier Foundation has published an article about a research paper that shows how popular disk encryption software can be defeated.  The article (<a href="http://www.eff.org/press/archives/2008/02/21-0">found here</a>) explains that popular disk encryption programs like BitLocker (Windows Vista&#8217;s disk encryption program) and open source favorite, TrueCrypt, are not invulnerable to the suggested attacks.</p>
<p>The main issue revolves around data being stored in the computer&#8217;s RAM after a computer has been powered off or is in sleep/hibernation mode.  Programs can be written to retrieve data out of RAM once the computer has been turned back on, giving a malicious user access to the passwords used to access the encrypted drives.  Neither the article nor the paper it references mentions how long a computer needs to be turned off for the memory remnants to fully leave the system, though they do mention that data can stay in memory up to a full minute at room temperature (even longer the colder it gets).  You can read the full paper, at <a href="http://citp.princeton.edu/memory/">Lest We Remember:  Cold Boot Attacks on Encryption Keys</a>.</p>
<p>What does this mean exactly?  Well it just further proves that no level of security is foolproof.  No matter how hard you try, someone can, with enough time and work, get to your data.  This does not mean that one should make it easy for the hacker.  The general idea behind security, no matter if it&#8217;s disk encryption or strong passwords, is simply to make the hacker&#8217;s life more difficult when it comes to getting to your data.  The harder it is for someone to get to your data, the more chances you have of them giving up and moving on.  There are plenty of people in the world that do not take the extra steps to secure their private data, so they will more often than not, move on to someone that does not take those steps.  The general idea here is time spent versus rewards.  Chances are, if you are taking those extra steps, you probably are smart enough to not have any data that is really worth having on the computer, or at least not in large quantities.</p>
<p>Security is important and more people should consider the data they store on their hard disks, USB flash drives, or anywhere else in digital format for that matter.  If you are going to store sensitive data, take the extra steps to secure it.  Even though the disk encryption programs have a flaw does not mean that the hacker is going to go through the trouble.  Just because security <strong>can</strong> be broken does not mean that one should not take proper steps to ensure the security of their sensitive data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2008/02/21/security-flaw-in-popular-disk-encryption-programs-found/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spread OpenID Site Launched (Do These Really Help?)</title>
		<link>http://www.mkoby.com/2008/01/03/spread-openid-site-launced-do-these-really-help/</link>
		<comments>http://www.mkoby.com/2008/01/03/spread-openid-site-launced-do-these-really-help/#comments</comments>
		<pubDate>Thu, 03 Jan 2008 21:22:14 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[mozilla]]></category>
		<category><![CDATA[OpenID]]></category>
		<category><![CDATA[single login]]></category>
		<category><![CDATA[spread firefox]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2008/01/03/spread-openid-site-launced-do-these-really-help/</guid>
		<description><![CDATA[My question is, do the sites really work?  I mean Firefox is doing fine true, but that was more due to the full page New York Times ad that SpreadFirefox helped raise money for.  So while the website itself brought the community together for the purpose of marketing, is it the website or rather the efforts of those behind the website that are helping the products?  I guess one could argue that they are one and the same.  However, why create a second website?  OpenID already has a pretty nice looking website (OpenID.net).  Does it really need a second one to explain the benefits and such of OpenID? <a href="http://www.mkoby.com/2008/01/03/spread-openid-site-launced-do-these-really-help/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I just read in my Google Reader that the new <a href="http://spreadopenid.org/" title="Spread OpenID">Spread OpenID</a> website launched today.  I think the general idea behind <a href="http://www.openid.net" title="OpenID">OpenID</a> is a great one, so do not mistake the following comments as something negative towards OpenID.  We desperately need something like OpenID in this day and age.  The ability to have a single non-centralized login is great.  Especially one that embraces open standards.  For more information on OpenID, you can look at my own writings in my article entitled <a href="http://www.mkoby.com/2007/01/03/all-about-openid/" title="Almost, Not Yet - All About OpenID">All About OpenID</a>.</p>
<p>Now, on to the question in the subject.  The new website Spread OpenID, is a play on the <a href="http://www.spreadfirefox.com" title="Spread Firefox">SpreadFirefox</a> web site that has been around for quite some time now.  These websites are started as efforts to bring the product to a wider audience.  They offer up for download graphical icons that can be placed on websites or in forum signatures and so forth as a way of promoting the product.  Basically if you really like whatever it is they are trying to &#8220;spread&#8221; they offer some ways to do it.</p>
<p>My question is, do the sites really work?  I mean Firefox is doing fine true, but that was more due to the full page New York Times ad that SpreadFirefox helped raise money for.  So while the website itself brought the community together for the purpose of marketing, is it the website or rather the efforts of those behind the website that are helping the products?  I guess one could argue that they are one and the same.  However, why create a second website?  OpenID already has a pretty nice looking website (<a href="http://www.openid.net" title="OpenID">OpenID.net</a>).  Does it really need a second one to explain the benefits and such of OpenID?</p>
<p>Maybe products that have a strong following (like OpenID &amp; Firefox) can benefit from websites such as these.  I think that it might be good to revisit this issue in one year&#8217;s time to see how much adoption OpenID sees.  The hard part of course is determining how much of that adoption was a result of the Spread OpenID website.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2008/01/03/spread-openid-site-launced-do-these-really-help/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Who Owns Your Data? (Scoble/Facebook)</title>
		<link>http://www.mkoby.com/2008/01/03/who-owns-your-data-scroblefacebook/</link>
		<comments>http://www.mkoby.com/2008/01/03/who-owns-your-data-scroblefacebook/#comments</comments>
		<pubDate>Thu, 03 Jan 2008 18:04:19 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2008/01/03/who-owns-your-data-scroblefacebook/</guid>
		<description><![CDATA[So it calls into question, who exactly owns the data on the social network sites?  We all automatically assume that because we put the data there, add the friends, make the connections, install the applications (linking them to their respective site where applicable) that we own that data.  After all the data is about us.  We input it, why should we not own it?  That is where the privacy issues come from.  If you don't own the data on a social networking site, then  who does own the data, and what can they legally do with that data?  These are some serious issues to concern yourself with.  If you do not own that data and the site can do with it whatever it pleases, then you basically have zero privacy when it comes to your data on that particular site. <a href="http://www.mkoby.com/2008/01/03/who-owns-your-data-scroblefacebook/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Update 2:45pm (time from Scoble&#8217;s blog): Robert Scoble has been let back into Facebook.</p>
<p><a href="http://scobleizer.com/" title="Scobleizer">Robert Scoble</a>, popular blogger and internet star, has had his <a href="http://www.facebook.com" title="Facebook">Facebook</a> account disabled after running a script from an unknown company against his Facebook account in an attempt to copy his &#8220;social graph&#8221; to other networks.</p>
<p>Now, the running of scripts against Facebook is definitely against the terms of service of Facebook.  However, is running scripts against your own data wrong?  It is really hard to argue this because the Terms of Service for a website is for the website as a whole, which in effect includes your data.</p>
<p>So it calls into question, who exactly owns the data on the social network sites?  We all automatically assume that because we put the data there, add the friends, make the connections, install the applications (linking them to their respective site where applicable) that we own that data.  After all the data is about us.  We input it, why should we not own it?  That is where the privacy issues come from.  If you don&#8217;t own the data on a social networking site, then  who does own the data, and what can they legally do with that data?  These are some serious issues to concern yourself with.  If you do not own that data and the site can do with it whatever it pleases, then you basically have zero privacy when it comes to your data on that particular site.</p>
<p>The solution for the problem at hand is to rework the terms of service to allow a user to copy the data they input.  There should also be switches in place to dictate what data can be exported to certain people.  Just like you can decide what&#8217;s public and so forth on Facebook, you should be allowed to decide what data your &#8220;friends&#8221; can export out.  A lot of people would probably turn this off, but that does not mean that the feature is not functional.</p>
<p>I think first and foremost though, it needs to be determined who owns what data.  And it is a decision that all social networks should make (I am looking at you MySpace, LinkedIn, &amp; Twitter).  Once the line has been drawn then the users can decide who they want to have their data.  I&#8217;m pretty sure most people are not going to cancel their accounts based solely on this issue (though several might).  But as the internet becomes a haven for your personal data on websites, who owns your data and the privacy implications of that question should be considered more and more.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2008/01/03/who-owns-your-data-scroblefacebook/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google &amp; Your Privacy</title>
		<link>http://www.mkoby.com/2007/12/29/google-your-privacy/</link>
		<comments>http://www.mkoby.com/2007/12/29/google-your-privacy/#comments</comments>
		<pubDate>Sun, 30 Dec 2007 03:40:28 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[plaxo]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2007/12/29/google-your-privacy/</guid>
		<description><![CDATA[So over the Christmas holidays, Google added a feature to Google Reader that caused some privacy concerns.  While I&#8217;m not sure why everyone was in such a fit about it, because the feature was in fact called &#8220;Shared Items&#8221; so &#8230; <a href="http://www.mkoby.com/2007/12/29/google-your-privacy/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>So over the Christmas holidays, Google added a feature to Google Reader that caused some privacy concerns.  While I&#8217;m not sure why everyone was in such a fit about it, because the feature was in fact called &#8220;Shared Items&#8221; so I don&#8217;t understand how that could be mis-interpreted.</p>
<p>But now there are rumors that Google is going to implement a Facebook News like feed for your Gmail contacts.  Many people are comparing this to both Facebook and <a href="http://www.plaxo.com" title="Plaxo">Plaxo</a> (a contact management website that allows you to sync your contacts and ask them to update their contact info).  Plaxo is taking a little more heat for its Plaxo Pulse, which allows you to add things like your blog, your Flickr account, Twitter, and even your Amazon Wishlist to the pulse and have it send out updates to your contacts.  Why Plaxo is taking the hit for this, again I do not understand.  For one thing you have to actually opt-in for the service and two your friends have to &#8220;connect&#8221; with you to receive your pulse updates.  So both sides have to opt-in for it to work.</p>
<p>Now there is no word on if there is going to be an &#8220;opt-out&#8221; switch on this new Gmail contact news like feed, but I&#8217;m sure there will be.  But what has me a little annoyed is everyone freaking out about Google with regards to their data.  First off, Google has done very little (if anything) that is considered &#8220;evil&#8221; with your data.  Secondly, if you actually read the terms of service on several Google products you&#8217;d be surprised what they might be allowed to someday do.  By simply using Google products you are allowing them to look at and possibly use any data they can off of you.  Heck, Google does read your email but only so it can show Adsense ads that go along with what the email you&#8217;re reading is about.</p>
<p>Google pretty much controls the internet.  If you are like me, and use their products, they probably have a good amount of data on you.  Does this mean they are going to spread it out all over the internet?  Not really.  I think people are making a big deal about nothing with these issues.  Especially in comparing Google to Plaxo.  Plaxo&#8217;s terms of service is really creepy, more so than any of Google&#8217;s.  If you are really worried about what companies are going to be doing with your data, then you should start reading the terms of service and license agreements more frequently.  You might find out that you really just shouldn&#8217;t be storing personal data on the internet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2007/12/29/google-your-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Your Digital World: Encryption (Part 1)</title>
		<link>http://www.mkoby.com/2007/10/10/securing-your-digital-world-encryption-part-1/</link>
		<comments>http://www.mkoby.com/2007/10/10/securing-your-digital-world-encryption-part-1/#comments</comments>
		<pubDate>Wed, 10 Oct 2007 07:54:08 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2007/10/10/securing-your-digital-world-encryption-part-1/</guid>
		<description><![CDATA[Let's review real quick.  Passwords, check.  Secure passwords, check.  Preventing phishing, check.  So by now you are secure right?  Probably not completely.  Here is a real quick question.  Are you sending emails?  Are you sending those emails via encrypted means?  If no, then anyone can read your email.  If you did not know, I will tell you now, emails are sent in clear text.  That means that anyone who packet sniffs a network that your email is flying across, can read that email.   Same is true for most instant messaging applications.  Your messages are sent out in the open and anyone with the correct software can read them as if they were the one sending them. <a href="http://www.mkoby.com/2007/10/10/securing-your-digital-world-encryption-part-1/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Let&#8217;s review real quick.  Passwords, check.  Secure passwords, check.  Preventing phishing, check.  So by now you are secure right?  Probably not completely.  Here is a real quick question.  Are you sending emails?  Are you sending those emails via encrypted means?  If no, then anyone can read your email.  If you did not know, I will tell you now, emails are sent in clear text.  That means that anyone who packet sniffs a network that your email is flying across, can read that email.   Same is true for most instant messaging applications.  Your messages are sent out in the open and anyone with the correct software can read them as if they were the one sending them.</p>
<p>So how do we fix this?  Well, the answer is both simple and complicated (as it usually is with security), and the answer is data encryption.  There are a lot of kinds of data encryption, some that you use without ever realizing it.  For example, when you make a purchase from Amazon.com, when you enter your address and credit card information, you are doing that over an encrypted connection (https).  We are going to go over some of the various kinds of encryption today and then next week, we will look at a couple of programs to help you encrypt your important data and communications.</p>
<h3>Types of Encryption</h3>
<h4>Asymmetric/Public Key</h4>
<p>The way that &#8220;Public Key&#8221; encryption works is simple in that there are 2 keys, a public and private key, for a person.  They post the public version of their key on the internet somewhere and others can download it and add it to their key ring.  If Person &#8220;A&#8221; encrypts a message with their PRIVATE key, then anyone with the public key can decrypt that message.  Now, if Person &#8220;B&#8221; encrypts a message with Person &#8220;A&#8217;s&#8221; public key, then Person &#8220;A&#8221; can decrypt it with their private key.  This is a very popular form of encryption, made such by PGP (which we will get into next week).</p>
<h4>Symmetric-Key</h4>
<p>Unlike asymmetric encryption where the key to encrypt is different from the key to decrypt, in symmetric encryption the two keys are tied together in some way.  It could be trivial or it could take multiple steps.  Symmetric encryption is also known as secret-key, or shared secret.  That means that all parties that can decrypt can also encrypt.</p>
<h3>Which is Better?</h3>
<p>Well, that is a question better left up to the purpose.  Each one has a specific use but if I had to pick one, I would go with asymmetric.  I like the idea of public/private keys.  But this is personal opinion and they both do serve their own purposes just fine.  There are systems that utilize both, and these are called &#8220;Hybrid&#8221; systems.</p>
<h3>In Closing</h3>
<p>That is pretty much it for this week&#8217;s write up.  Next week we will look at various programs that use some of these encryption types.  Be sure to check back to learn how to encrypt your data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2007/10/10/securing-your-digital-world-encryption-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Your Digital World: Anti-Phishing Tools &amp; Techniques</title>
		<link>http://www.mkoby.com/2007/10/03/securing-your-digital-world-anti-phishing-tools-techniques/</link>
		<comments>http://www.mkoby.com/2007/10/03/securing-your-digital-world-anti-phishing-tools-techniques/#comments</comments>
		<pubDate>Wed, 03 Oct 2007 07:35:19 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2007/10/03/securing-your-digital-world-anti-phishing-tools-techniques/</guid>
		<description><![CDATA[We spent the last few weeks going over password security.  I showed you how to create secure passwords and how to keep track of them.  Now that you have a secure password, it is incredibly difficult for someone to hack that password.  That is true unless, of course, you give them your password willingly.  This kind of thing can easily happen with a technique called "Phishing" which according to wikipedia is "a process by which a phisher attempts to fraudulently acquire sensitive information such as usernames and passwords." <a href="http://www.mkoby.com/2007/10/03/securing-your-digital-world-anti-phishing-tools-techniques/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>We spent the last few weeks going over password security.  I showed you how to create secure passwords and how to keep track of them.  Now that you have a secure password, it is incredibly difficult for someone to hack that password.  That is true unless, of course, you give them your password willingly.  This kind of thing can easily happen with a technique called &#8220;Phishing&#8221; which according to wikipedia is &#8220;a process by which a phisher attempts to fraudulently acquire sensitive information such as usernames and passwords.&#8221;</p>
<h3>How Does Phishing Happen</h3>
<p>A phishing attempt is most commonly started using email.  You might have seen an email at one point or another that tells you that if you do not log into your PayPal account, it will be closed and you will lose any information or money in the account.  Well, there is usually a link or a log in &#8220;button&#8221; inside this email, which is made to look like an official email, that will take you to a site that looks like the originating site with a log in form.  You log into this form and the phisher either is smart enough to forward the login information to the actual website to log you in, or shows you a log in error message.  By this point, the damage is already done: the phisher has your information and can now log in as you.<span id="more-682"></span></p>
<h3>How Can You Protect Yourself Against Phishing</h3>
<p>Remember in the previous articles about password security I advised that you change your passwords frequently?  This is one of the reasons to do so.  If someone gets your password and does not change it, when you change your password, you lock them out of the account again.  However, most likely, the phisher is going to change the password and email address that is associated with the account, locking you out of the account completely.  If this was your PayPal account, then they now have access to your bank account and other personal information like home and work addresses.  Possibly even phone numbers.</p>
<p>How can you avoid falling prey to this social engineering technique?  There are a couple of ways.</p>
<ul>
<li>If you get an email that uses a &#8220;scare tactic&#8221; or you just want to be sure, you can always go and open the website on your own.  Open a new web browser or tab and go to the website in question by hand typing the URL.  So in the case of PayPal, you would enter &#8220;www.paypal.com&#8221;, ensuring that you go to PayPal&#8217;s actual site and not some link someone sent you that is trying to trick you into a false sense of security.</li>
<li>Another option is to use any anti-phishing tools included in your browser (we will get to this in a second).</li>
<li>Finally, if your browser does not have anti-phishing tools built in, you can use an add on tool bar (more on this later as well).</li>
</ul>
<h3>Built-In Anti-Phishing Tools</h3>
<h4>Mozilla Firefox 2.0 or later</h4>
<p>The good news is that with later browsers, there are anti-phishing tools built right in.  No need to install extra software because they are already there.  With Mozilla Firefox 2.0 or later, there is an option under the security settings in the Options dialog.</p>
<p align="center"><a href="http://www.mkoby.com/wp-content/uploads/2007/09/firefox_ap.jpg" title="firefox_ap.jpg"><img src="http://www.mkoby.com/wp-content/uploads/2007/09/firefox_ap.jpg" title="Firefox Anti-Phishing Options (Click to See Full Size)" alt="Firefox Anti-Phishing Options (Click to See Full Size)" align="middle" border="0" height="277" hspace="3" vspace="3" width="343" /></a></p>
<p align="left">With Firefox, you get two options when it comes to using the Anti-Phishing tools.  You can use a pre-defined &#8220;black list&#8221; of websites that is updated when the browser is updated, or you can use Google to check each website you go to.  There are some privacy concerns when using Google to check the web site you visit, so be sure to read the user agreement.</p>
<h4>Internet Explorer 7</h4>
<p>Internet Explorer 7 comes with its own anti-phishing tools as well, though you do not get too many options with it.  You can turn it on and off, and it will only check against Microsoft&#8217;s database of sites.  There is no option to use an internal predefined list, but it might do this by default if no internet connection is available.  You can see where to turn the &#8220;Phishing Filter&#8221; tools on/off in the image below (Click to enlarge).</p>
<p align="center"><a href="http://www.mkoby.com/wp-content/uploads/2007/09/ie7_ap.jpg" title="ie7_ap.jpg"><img src="http://www.mkoby.com/wp-content/uploads/2007/09/ie7_ap.jpg" title="IE7 Anti-Phishing Tools (Click to Enlarge)" alt="IE7 Anti-Phishing Tools (Click to Enlarge)" border="0" height="260" hspace="3" vspace="3" width="427" /></a></p>
<h4>Other Browsers</h4>
<p>On older browsers, like Firefox 1.5 or Internet Explorer 6, you do not have built in anti-phishing tools.  Instead you need to rely on a third party toolbar to do this job for you.  There are several toolbars out there on the internet that will not only help protect you against phishing attacks, but will also allow you to perform other tasks like searching the web, bookmarking, and so forth.  Two of the more popular toolbars come from <a href="http://toolbar.google.com" title="Google Toolbar">Google</a> and <a href="http://toolbar.yahoo.com" title="Yahoo! Toolbar">Yahoo</a>.  The links will take you to the respective toolbars for each company.   Both of these have built in security features that will help protect you against phishing attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2007/10/03/securing-your-digital-world-anti-phishing-tools-techniques/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Your Digital World: Password Safes</title>
		<link>http://www.mkoby.com/2007/09/26/securing-your-digital-world-password-safes/</link>
		<comments>http://www.mkoby.com/2007/09/26/securing-your-digital-world-password-safes/#comments</comments>
		<pubDate>Wed, 26 Sep 2007 06:54:07 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2007/09/26/securing-your-digital-world-password-safes/</guid>
		<description><![CDATA[Last week, we had a nice long talk about passwords.  We went over why you would need a secure password and what exactly is a secure password.  There were even some links to secure password generating websites.  One of the major points of the last article was that you really should use a different secure password for each of your important websites.  This means that you need to have quite a few hard to remember passwords.  I mentioned a product known as a password safe.  This is a nifty little application that will allow you to store your passwords in a single location.  But is that unsecure?  Well yes and no.  Let's look into that real quick. <a href="http://www.mkoby.com/2007/09/26/securing-your-digital-world-password-safes/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Last week, we had a nice long talk about passwords.  We went over why you would need a secure password and what exactly is a secure password.  There were even some links to secure password generating websites.  One of the major points of the last article was that you really should use a different secure password for each of your important websites.  This means that you need to have quite a few hard to remember passwords.  I mentioned a product known as a password safe.  This is a nifty little application that will allow you to store your passwords in a single location.  But is that unsecure?  Well yes and no.  Let&#8217;s look into that real quick.</p>
<p>Storing all your passwords in a single location is unsecure in that all your passwords are in a centralized location.  If someone was able to get the file they could crack it and get all your passwords.  However, most password safes use 256-bit AES encryption so the chances of someone cracking your password safe&#8217;s file are pretty small.  Doable? Most certainly.  But quickly?  That is a totally different story.  This is the part that makes it secure.  Also, some of the better password safe programs out there (like KeePass) are open source, so you can see the source code and see if your passwords are being sent anywhere (they are not).</p>
<p>So if a password safe is so cool, why do more people not use them?  Well for pretty much the same reason that they do not use more secure passwords.  It is extra steps, it takes extra cycles, and it means an added process to their internet experience.  People like to keep things simple when it comes to using the internet and they get lazy where they honestly should not.  A password safe to them is nothing more than an added complication.</p>
<p>Now that you have heard about password safes, you want to start using one.  What are some of the better ones out there?  Well, below is a list:</p>
<ul>
<li><a href="http://www.keepass.info" title="KeePass">KeePass</a> -  This is the password safe that I currently use.  The latest version (currently in Alpha testing) shows incredible promise and awesome new features.  The current version only lacks one feature that I could use and is perfect otherwise.  The missing feature is the ability to load a file off of an FTP site so that you can access the same password safe file from multiple locations.</li>
<li><a href="http://www.passpack.com" title="PassPack">PassPack</a> &#8211; I just found out about PassPack recently.  I began using it just to test it out and see how it compares to KeePass.  The great thing about PassPack, is that it is online.  While this might scare people, they do a really good job on their website of convincing you that your data is perfectly safe.  I have no honest opinion at this point other than that some of the features they offer, are pretty spiffy.</li>
<li><a href="http://passwordsafe.sourceforge.net/" title="Password Safe">Password Safe</a> - Like KeePass, Password Safe is another open source password safe.  However, I find its interface lacking overall and it seems to be not as good as KeePass.  However, it is incredibly popular and many people recommend it.  If you were to ask me, I would recommend KeePass before Password Safe.</li>
</ul>
<p>Do you know of another password safe that you like using?  If so, leave a comment below and tell us about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2007/09/26/securing-your-digital-world-password-safes/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Securing Your Digital World: Passwords</title>
		<link>http://www.mkoby.com/2007/09/19/securing-your-digital-world-passwords/</link>
		<comments>http://www.mkoby.com/2007/09/19/securing-your-digital-world-passwords/#comments</comments>
		<pubDate>Wed, 19 Sep 2007 07:00:19 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2007/09/19/securing-your-digital-world-passwords/</guid>
		<description><![CDATA[When it comes to securing yourself in your little digital world, everything revolves around your passwords.  Your passwords are the first and major line of defense in securing your personal data be it email, documents, or even your money.  The problem is, most people have fairly unsecure passwords and as a result their "front lines" are weak and easily penetrable.  So how do we create secure passwords?  What makes a password "secure"? And how many passwords should you have?  We will answer all of these very important questions in this article.
 <a href="http://www.mkoby.com/2007/09/19/securing-your-digital-world-passwords/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>When it comes to securing yourself in your little digital world, everything revolves around your passwords.  Your passwords are the first and major line of defense in securing your personal data be it email, documents, or even your money.  The problem is, most people have fairly unsecure passwords and as a result their &#8220;front lines&#8221; are weak and easily penetrable.  So how do we create secure passwords?  What makes a password &#8220;secure&#8221;? And how many passwords should you have?  We will answer all of these very important questions in this article.</p>
<h3>Why You Need Secure Passwords</h3>
<p>I get asked this a lot when I go off on my diatribe about strong passwords, because people think, &#8220;What&#8217;s the big deal? Let them read my email.&#8221;  Well, if someone can get access to your email, they can get a hold of a lot of information.  Think about it, what goes to your email?  Your bank information, PayPal, eBay, personal letters, maybe even personal info like social security numbers and addresses.  Also, chances are the password you use for your email is the same one you use on at least a couple of those websites I mentioned.  Even if it is not, if someone has your email address password, they can do a &#8220;Forgot Password&#8221; request, which will email the password, or a link to change to a new password, to your email address, which they already have access to.  So having a secure password on your email (for starters) is extremely important.  You really do not want to stop there; you want as many of your passwords to be as secure as possible.  Best practice recommends that you have a different password for everything you log into.  That can make things difficult to keep track of.</p>
<h3>What is a Secure Password</h3>
<p>Before we can really recommend that you use a secure password, we really should go over what exactly a &#8220;secure&#8221; password is.  But even before we do that we must preface this with the following statement: a password is only as secure as the person hiding it.  If you tell others your password, it is no longer secure.  Also, there is no such thing as a completely secure password.  Any password can be cracked given enough time and resources.  The real question is, do you want to make it easy for the person trying to get your password or make them work for it?</p>
<p>So with that in mind, a secure password contains the following:</p>
<ul>
<li>A combination of UPPER &amp; lower case letters</li>
<li>At least 1 number</li>
<li>A special character like, !, %, ^, &amp;, *, &gt;, ~,`, or a #.</li>
<li>Also, it is somewhere between 8-14 characters in length</li>
</ul>
<p>Now, here is the downside: not all websites out there allow for passwords that contain special characters, so the best thing to do in those situations is to use a long password that contains letters and numbers, with the numbers placed throughout the password rather than on the end or at the beginning.</p>
<h3>Creating a Secure Password</h3>
<p>So with those specifications in mind, how do we go about creating secure passwords that are easy for us to remember?  The key is to use a password that really has nothing to do with you, this way a cracker cannot figure it out easily.  Fortunately for us, there are a couple of websites that will help us create some secure passwords.</p>
<ul>
<li><a href="http://www.pctools.com/guides/password/" title="PCTools Secure Password Generator">PCTools Secure Password Generator</a>:  This website allows you to get real specific about your passwords, you can choose several options and interchange them at will.  You can also pick a quantity so that you can get more than one password generated at a time.</li>
<li><a href="http://www.goodpassword.com" title="GoodPassword.com">GoodPassword.com</a>: Like the PCTools site, this website allows you to pick from some options for your password, but rather than get real specific you get to choose the length, and whether or not you want special characters.  Also, if you have a favorite password or phrase, you can choose to create a &#8220;l33t&#8221; password out of that password or phrase.  A &#8220;l33t&#8221; password is a word with some of the letters changed to numbers and special characters.  This allows you to have a password you will easily remember, but is slightly more secure.</li>
</ul>
<h3>How Strong is Your Password</h3>
<p>If you have some passwords you like, and they already contain numbers and letters in alternating case you can also check the strength of those passwords online using a couple of tools.</p>
<ul>
<li><a href="http://www.microsoft.com/protect/yourself/password/checker.mspx" title="Microsoft Password Checker">Microsoft Password Checker</a>: I will probably take some flak for this, but it doesn&#8217;t ask for a user name and it&#8217;s done with javascript so it is all client side.  Just type in the password and it will tell you its strength.</li>
<li><a href="http://www.geekwisdom.com/dyn/passwdmeter" title="Javascript Password Strength Meter">Javascript Password Strength Meter</a>: This one is pretty nifty because it gives it a score and also a &#8220;points&#8221; breakdown about why your password is strong or weak.  Again all client side so no worries about it going anywhere.</li>
</ul>
<p>Knowing if you have a secure password can tell you if you need to utilize the password generators.  If you have weak passwords, use the password generators to create a few stronger passwords.</p>
<h3>Password Safes Preview</h3>
<p>Like I stated earlier, best practice recommends that you have a different password for everything you log into.  That can make things difficult to keep track of.  Something that can help you keep track of all these secure passwords would be a big help, right?  Well, there are programs out there called password safes that store passwords in an encrypted file so that you can only access the file with a password.  We will be going into more detail about password safes next week, so be sure to come back for that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2007/09/19/securing-your-digital-world-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wireless Security</title>
		<link>http://www.mkoby.com/2007/02/07/wireless-security/</link>
		<comments>http://www.mkoby.com/2007/02/07/wireless-security/#comments</comments>
		<pubDate>Wed, 07 Feb 2007 07:30:00 +0000</pubDate>
		<dc:creator>Michael Koby</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.mkoby.com/2007/02/07/wireless-security/</guid>
		<description><![CDATA[Cable companies and DSL providers install them into customers' houses on a daily basis. Most of these installs are being done with security implemented but a lot of people either uninstall the security settings or leave them at the very basic levels. Most of the time they are only interested in what makes their life easier. This can be very dangerous. <a href="http://www.mkoby.com/2007/02/07/wireless-security/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>There was once a time when wireless networks were a rare thing. Only the uber-geeks owned them and the idea of a high speed internet provider installing them into homes was unheard of. This is not the case today. These days, everyone has a wireless network of some kind in their house. Cable companies and DSL providers install them into customers&#8217; houses on a daily basis. Most of these installs are being done with security implemented but a lot of people either uninstall the security settings or leave them at the very basic levels. Most of the time they are only interested in what makes their life easier. This can be very dangerous.</p>
<p>For this week&#8217;s technology article, we are going to look at securing a wireless network. We are going to look at various ways to do this. We will go over some easy ways to secure it as well as some of the more difficult methods. So let&#8217;s get into the why.</p>
<p><span id="more-310"></span></p>
<h4>Why?</h4>
<p>Why would you want to secure your wireless network? Well, quite simply, if your wireless network is open to the public a number of things can happen. First and foremost, an open network allows anyone within range of your house to utilize it to access the internet. Anything they do can eventually be traced back to you, and proving that someone else was on your wireless network is incredibly difficult to accomplish.</p>
<p>Imagine if you will that you have an open network and a person sits down the street from your house, just inside the range of your wireless router. They start pirating music, movies, and maybe even child pornography. Since, to the outside world and your internet provider&#8217;s logs, the traffic is all going to and from your house, you are instantly suspect number one if someone wishes to come after the person downloading the questionable content. The child pornography example is a little extreme but it really puts things into perspective when you realize what someone could be doing over your network without your permission.</p>
<p>Secondly, a person doing stuff on your wireless network is utilizing your bandwidth, which means that they are slowing down your internet connection. Sorry, but I do not like paying for other people to use my internet connection without my permission.</p>
<p>And last but not least, if someone is on your network they have access to anything open on that network. Any computer, file shares, or traffic is open to that user. If that person has the correct tools, they can hack into your computers, crack your passwords, or even read your documents. This is, as I like to say, a bad thing.</p>
<h4>The Basics</h4>
<p><img src="http://www.mkoby.com/wp-content/uploads/2007/01/lnksyswlessgsrx-01-300.gif" style="width: 144px; height: 114px" alt="LnksysWlessGsrx 01 300" align="left" height="168" hspace="5" vspace="5" width="225" />With the &#8220;why&#8221; out of the way, let&#8217;s start with some basics: not all routers are wireless capable. If your router has an antenna connected to it, then it most likely has wireless. On most wireless routers there is a tab, menu option, or button of some sort that says &#8220;Wireless&#8221; on it. Normally all the wireless settings can be found under this option. The various options can all be on one page or they can be under sub headings of some kind. It would take too long to go over every option on every possible router, but most settings are named the same across brands and settings pages. If you cannot find where to set the wireless settings on your router, please consult the documentation that came with your router.</p>
<h4>SSID</h4>
<p>The simplest way to secure your wireless network is to make it invisible and the easiest way to achieve that is to turn off the SSID broadcast option. The SSID is the name of the wireless side of your router. It is what is used to connect a wireless computer to the router for network use. When wireless computers try to connect to wireless networks they search for SSIDs that are being broadcast over the air. When it finds a list of them it asks you to pick the one you want to connect to. If your SSID is not broadcasting, a computer scanning for open networks is not going to see it and thus a person will not be able to connect to it.</p>
<p>This means that when setting up a new computer on the network all that you need to type in is the SSID of your wireless router and you will be on the internet.</p>
<p>Though it pains me to say, this method is not 100% secure. Even though nothing is truly 100% secure, this way is open to a variety of attacks. A smart scanner will still be able to find your network with the right tools. The upside, though, is that the extra work they would have to do will cause them to move on to other, easier targets.</p>
<h4>WEP &amp; WPA(2)</h4>
<p>The next and second easiest method is to simply use a password. Using an encrypted password will help protect your wireless network from hackers. But standard password rules apply. Use a variation of capital letters, lower case letters, numbers, and special characters to create a secure password. The more secure the password, the harder for it to be cracked later.</p>
<p><img src="http://www.mkoby.com/wp-content/uploads/2007/01/netgear-wireless-router.jpg" style="width: 186px; height: 119px" alt="netgear wireless router" align="right" height="156" hspace="5" vspace="5" width="225" />But what are these 2 main passkey methods on your wireless router? They are Wired Equivalent Privacy (WEP), an older, outdated technology, and Wi-Fi Protected Access (WPA), which is the current preferred wireless encryption method. Both methods encrypt the traffic over the wireless network as well as require the use of a passphrase (password) to even connect to the router. While WEP is the older standard, it is also easily hacked and should be avoided. The new, more secure method is WPA and, if both your router and wireless network card can support it, WPA2. The technology used for WPA is far more advanced and utilizes a continually changing key to keep the network secure. There are currently two different variations of WPA (and WPA2) labeled TKIP or PSK. Either one of these modes is fine and offers quality encryption.</p>
<p>I am trying to stay fairly non-technical on describing exactly what these two encryption methods do. If you would like more information you can click the following links to Wikipedia for a more cumbersome explanation.</p>
<p><a href="http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy" title="Wired Equivalent Privacy" target="_blank">WEP (Wikipedia)</a><br />
<a href="http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access" title="Wi-Fi Protected Access" target="_blank">WPA (Wikipedia)</a></p>
<p>To use encryption, simply find the place in your router&#8217;s settings for the encryption settings. This will usually be under the main wireless settings or under a sub heading of &#8220;Encryption&#8221; or &#8220;Wireless Security&#8221; and you will be given a different set of options depending on how old your router is. If you have a fairly new router (within the last year or two), you should be able to select WPA (or even WPA2). Select this option if available; again either TKIP or PSK will do but make sure that you pick something that is compatible with the other wireless devices in your house. WPA (TKIP) should work on almost all devices including Xbox 360, Playstation 3, and even the Wii. If WPA is not an option for you, you can still go with WEP. Even though WEP is easier to crack than WPA, a person searching for an open network is probably going to just move along rather than take the time to crack your WEP key. You will also need to pick a passkey. I would pick something fairly lengthy but easy to remember. I find that song lyrics work well for this kind of thing.</p>
<p>Just like with hiding the SSID, these methods are not completely secure. However, utilizing them will more often than not cause someone looking for an open wireless network to move on to someone else.</p>
<h4>Allow Certain Mac Addresses Only</h4>
<p>The final, most secure way to lock down your wireless network is to only allow certain network cards to connect. How do you allow only certain network cards access to a network? You simply tell it which <a href="http://en.wikipedia.org/wiki/Mac_address" title="Mac Address (Wikipedia)" target="_blank">Mac Addresses</a> are allowed. A mac address, is an unique identifier that is assigned to every network card created. Every network card has its own mac address thus allowing us to tie access to a single network card. By only allowing network cards that you know about onto your network, you instantly block out every other network card that is not on the list of allowed cards. If someone can not even connect to your network, they will not be able to do anything on it, including steal your bandwidth or hack your networked computers.</p>
<p>The downside to this method however, is that is not supported by every router. Most newer routers should have a feature like this. You will usually find it in the &#8220;Advanced Settings&#8221; section of your router&#8217;s configuration and it might not necessarily be under the wireless settings section. To even begin to implement this option, you will need to know the mac addresses of all the network cards on your network. The mac address of your laptop&#8217;s wireless card <strong>should</strong> be somewhere on your laptop, probably on the bottom. A mac address is a 16 character letter/number combination so look for that, it is also in HEX so you will not find any letters above &#8220;F&#8221; in the address. You can find the mac address on your windows machine by opening up a command window (Start\Run\cmd) and typing &#8220;ipconfig /all&#8221; (without the quotes) and looking for the &#8220;Physical Address&#8221; setting. Once you have complied a list of mac addresses in your house, you can start adding them to the list.</p>
<p>Like I said before, this is probably the most secure way to lock down your wireless network. If you want to get crazy secure, you can utilize all three methods but that might be overkill.</p>
<h4>Conclusion</h4>
<p>I honestly hope that some of my readers take this article to heart. Security is important and you really do not want other people using your network without your knowledge. If you are currently running an unsecured wireless network, please consider using some of the methods I have discussed here today. Fewer problems come to those who take the time to secure themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mkoby.com/2007/02/07/wireless-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

