This is a core protocol-level flaw in WPA2 wi-fi and it looks bad. Possible impact: wi-fi decrypt, connection hijacking, content injection.https://twitter.com/vanhoefm/status/919517772123721728 …
...but it's likely for any psk network since *every* device has the pw saved in clear & will reveal it if compromised.
-
-
Keeping passwords in the clear is a much bigger flaw. What did they think hashes are for?
-
You can't use a password that's hashed (without cracking it) hashing is for pws you need to verify, not ones you need to submit.
-
The right way is pubkey but wpa enterprise with pubkey is too much of a pain for users to setup, for too little benefit.
End of conversation
New conversation -
-
-
Some devices even auto-share wifi passwords, back them up to cloud, etc.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.