How Secure is YOUR WiFi Network?

  • Published on 19 Dec 2024

Comments • 98

  • @kylereed3577 11 months ago +27

    Thanks! You continually inform an old guy who thought he knew everything. This is going to help with an upcoming project and my home network.

  • @robertopontone 11 months ago +19

    your knowledge on details is impressive 😮 and you always manage to pick interesting topics which I cannot find on other channels. Thanks 👍

  • @lis6502 11 months ago +23

    Oh, one more thing: thanks for making "OG YouTube content" in 2024, full of passion and actual content over intros, background music, sketchy VPNs and PCBWay segues all over the place. I was considering RADIUS for some time; now I know that this is the way to go, and thanks to your other videos I have a good base for implementation.
    Not to mention that after the Milk-V video I've ordered 10 pieces with IOB boards just to tinker, and totally loved the open CPU concept!

    • @apalrdsadventures 11 months ago +4

      Glad you like it! VPNs have definitely taken over meaningful discussion on security.

  • @supremebeme 11 months ago +12

    man this content is absolute gold. ty sir

    • @apalrdsadventures 11 months ago +1

      no prob thanks

    • @valentinzeller8439 7 months ago

      @apalrdsadventures I wanted to state something along the lines of the original commenter, but I see it's taken care of already. Keep at it ;-)

  • @nhofonef 11 months ago +12

    I got EAP-TLS running with freeRADIUS a while back. Works great for computers, not so great for IoT and embedded devices unfortunately, so I still need to keep a PSK network around for them.
    Hard agree on disabling legacy Wi-Fi modes as well. I keep 802.11n as a minimum (and it's 15 years old already).

    • @apalrdsadventures 11 months ago +5

      By legacy I meant 802.11B/G, not N. Especially on 2.4Ghz.

    • @nhofonef 11 months ago +3

      Yep I think we're on the same page :)

  • @nicolaslavinicki4029 11 months ago +2

    You are the Best, man! You are really making a difference in the world! I wish you much success!

  • @AnniMM-lp4tk 6 months ago

    I love this, it's such a measured and practical take on WiFi setup; navigating the realities of device protocol support and cryptography techniques and what they mean for people's day-to-day network privacy at large.

  • @ttoni-youtube 11 months ago +1

    Thanks for the great information you presented! I never knew passwords are so easy to brute force, even combined ones! It opened my eyes; I will definitely change to WPA3 and put stronger passwords on my WiFi networks.

    • @apalrdsadventures 11 months ago +1

      Glad it helped! It's only really possible to brute force when you can extract the hash and do it offline, which isn't possible in all protocols.

  • @neilfairbairn3775 8 months ago +1

    As well as a strong password, I use MAC Address Filtering, reserving each of my internal IP addresses to a device's MAC Address, and limit the number of IP Addresses to the number of devices I own. I do have a guest network running for friends and other family members that are not in my household. There are also several firewalls to segregate my network into gaming, entertainment and work.

  • @eschofield1 11 months ago +3

    Could you do a setup video on WPA Enterprise TLS? Would be interesting to see your take on how it would be configured.

    • @apalrdsadventures 11 months ago +2

      I'm working on that one

    • @joshs2022 11 months ago +1

      Also interested in a WPA Enterprise TLS video

  • @codydietrich4246 9 months ago +1

    Thanks for taking the time to explain it in detail!

  • @HarrySManback 11 months ago

    Dude, you're killing it. Much respect.

  • @BertPdeboy 11 months ago

    Really good work balancing the amount and depth of information! As a generalist I learned some new things.
    Your demonstration of hashcat is so clear that people of every skill level could follow it; it's required-learning-material level 👍

  • @gunnargu 11 months ago +4

    My question: WHY is it so hard to set up a RADIUS server? All I want is a USER FRIENDLY RADIUS server that can do all the WiFi auth modes. Just part of routers or as a VM appliance!

    • @apalrdsadventures 11 months ago +6

      RADIUS is a very troublesome protocol for everyone involved

    • @curtispavlovec 7 months ago +1

      Ubiquiti has a built in RADIUS server iirc

  • @GameDesignerJDG 11 months ago +2

    21:59 I love to be pedantic about entirely useless trivia, but there are 365.2425 days in a year. You're welcome.
    Long explanation: 365 days + 1/4 (+1 leap day every 4 years) - 1/100 (-1 leap day every 100 years) + 1/400 (+1 leap day every 400 years). This random pointless fact brought to you mostly just as a joke, completely not as a criticism. 365.25 is a perfectly usable shorthand (only off by 3 / 400ths of a year) and this only matters after a lot of years.

  • @break1146 11 months ago +3

    This prompted me to change all the devices I manage to WPA3 (well, I did a few; it's evening, I'll continue tomorrow lmao), with transition mode enabled unfortunately, because I also don't fancy breaking shit out at sea and there is a decent possibility there are still some legacy but mission-critical devices out there. However, with this I don't think the fallout will be too high and we'll deal with it if it comes :).
    There are also a lot of shitty passwords still out there, some from me and most of the worst ones not from me. Sadly, changing passwords from under people's noses isn't much appreciated.
    This was a great video just giving an overview about it. Quite needed for me as well. Thanks!

    • @apalrdsadventures 11 months ago +3

      Glad it's working well for you on WPA3! A really good WPA2 password can be as secure as WPA3 passwords, but it's a lot easier for it to not be very good. WPA3 is still vulnerable to password sharing by humans of course.

    • @break1146 11 months ago +1

      @apalrdsadventures The forward security thing is nice though. These vessels go everywhere, so it's more of a just-in-case. The password sharing aspect isn't going away anytime soon for me. Many passwords are literally the SSID, with some capital letters, etc. It's going on my list of things to make a case about. I'm basically doing most of the IT alone for hundreds of vessels, and they're all different owners/management with a whole backlog of setups that desperately need an overhaul, and geostationary VSAT connections are making this a funny business. If the weather is particularly bad it can take half an hour (of trying) to change a single setting on a GUI, and when the device only has a GUI...
      I've basically been on a hardening and encryption rampage ever since I started working here and gained some footage. (also to the annoyance of some people but I'll fight them lol)
      Your videos are very useful also for the plans I have for my home lab, I'm collecting hardware here and there for either free or a good price. Thanks!

  • @fedemtz6 11 months ago +4

    I have a WPA2/WPA3-Personal network. How does having mixed WPA2 and WPA3 work? Is there any benefit to having WPA3 if there are still some WPA2-only clients?

    • @apalrdsadventures 11 months ago +3

      WPA3 clients will use SAE (with forward secrecy / inability to decrypt even if you know the password).

  • @jvannoyx4 11 months ago +1

    @apalrdsadventures thank you for the great content. Always enjoy seeing your videos in my feed. I would like your insight on a Network Access Control (NAC) such as Packetfence NAC and how that can be used to secure a larger wifi environment. Thanks again.

  • @mtnsolutions 11 months ago

    Just set up WPA3 Enterprise with my UniFi U6 Pro and a self-hosted controller/third-party gateway. I do hide the SSID for my IoT stuff because they're not mobile. Very cool talk. I would love to see a demo of standing up a high-availability RADIUS server with the TLS certificate you mentioned. Keep up the great work. Oh, btw, I also wish UniFi would dedicate a bit more of their talent to supporting IPv6.

  • @MrBoboka12 5 months ago +1

    Great video but missing a few things: WPA3 (AES -> not PPSK/PEAP/TLS/PASS) + WPA (AES/TKIP) + etc ... the stuff that you find in your average Joe's home routers, and even though some of them are acronyms, Joe will have 0 idea.

    • @apalrdsadventures 5 months ago

      WPA (1) and TKIP were only a transitional standard for pre-2004 clients who didn't have hardware support for AES

  • @fedemtz6 11 months ago +1

    When I visited Spain last summer, I found that most places (and the actual routers) shared the WiFi password with a QR code, and when I looked at the actual password, they were about 20 random numbers and letters long. That is not bad as long as it is not some ID or serial number, as I noticed with another ISP's old CPEs in Mexico. The ideal thing to make it easier for those of us wanting to connect to the WiFi on our laptops is the XKCD type of word passwords; maybe just camelCase it and add some basic symbols or numbers.
    Btw, the Mexican ISP used some serial number that was printed on the side of the CPE as the password, and the last 4 digits were part of the SSID as -. That ISP was bought by another one and those CPEs have been mostly taken out of service.

  • @Nathan-q6y 11 months ago

    Love this video and as always thanks for the great content!!😊😊

  • @d3wy 11 months ago

    Wonderful video, I also love them googly eyes. I want a dream router just to do that now!

  • @curtispavlovec 7 months ago

    Excellent synopsis. WPA3/SAE is the only way to go today for the home user. Unfortunately, too many devices still in 2024 do not support it. So we are forced to put printers and IoT devices, for example, on a separate WPA2 network.

  • @TheMonemone2 10 months ago +1

    thanks for the vid. I've learnt a lot!

  • @VizionHUN 8 months ago

    OMG, very informative video again. If a very good encryption method was available since the '70s, why did ppl develop something not-so-secure? Thx for the great content!

    • @apalrdsadventures 8 months ago

      When WiFi was drafted in 1997 (and WEP was part of the original spec), the US still considered any encryption over 40 bits to be an export-controlled munition, so a lot of encryption in the 90s was known to be weak even when it was designed. This is why the original SSL usually used 512-bit RSA and 40-bit RC4, despite the protocol supporting 1024-bit RSA and 128-bit 3DES or RC4 for companies who could jump through the hoops to only distribute their software to US citizens. Eventually the EFF would challenge this by publishing the source code to cryptographic algorithms in a book.
      There's also the concern that the authentication ciphers in WiFi are virtually always implemented in software (while the stream ciphers are in hardware), so doing ECDH for each auth can be a lot of work for the AP. Modern WPA3 has to consider that the increased crypto work to authenticate new clients can potentially cause a DoS for the AP, so APs implement rate limiting on how fast they will process new clients. A few decades ago this would have been too much for the CPU in the AP.

  • @ronm6585 11 months ago +1

    Great info, thank you. 👍🏻

  • @astacc 7 months ago

    26:30 A lot of IoT devices barely support WiFi 4. I have them in a separate IoT network without internet or access to other VLANs. Locking all the questionable devices in their own corner is better than having them in the main network, but still not great.

  • @UnderEu 11 months ago +3

    Tip for a secure password: Put someone you don’t like that much to close up vim 🙃

  • @neilquinn 11 months ago +1

    How risky is using an ancient Actiontec MI424WR just as a router? (I have a more modern AP attached and the radio disabled on the Actiontec.)

  • @subrezon 11 months ago +2

    I used to have an xkcd-like password, except that I combined 4 words from 4 different languages. If whoever is cracking my password has a wordlist with Russian transliterations and a rule that correctly leetifies Russian, honestly, they deserve the W.
    (Not my password strategy anymore.)

    • @apalrdsadventures 11 months ago +1

      Oh wow now I need to find multi-lingual word lists

  • @Akadjjoel 11 months ago +1

    Excellent video

  • @stelas9307 9 months ago

    Wow! Amazing info for free!!! Thank you!!!

  • @alexaka1 11 months ago +2

    I gotta go and rotate some passwords is the new I gotta go return some videotapes.

  • @WndSks 11 months ago

    Before OWE, the advice used to be that WPA PSK with the password on the store wall/window was better than Open. I never looked into it, but I suppose it helps if each client gets their own session key.

    • @apalrdsadventures 11 months ago

      Posting the password on the wall in theory makes sure someone walking by doesn't use your network, but realistically everyone in the area will know your password and that's not really useful security.

    • @WndSks 11 months ago

      @apalrdsadventures Everyone is supposed to know the password; the point is to provide slightly better security than a plain open AP. WPA PSK will handshake each client and give them their own temporary key that is used to encrypt the traffic between the client and AP. (That was the theory 10 years ago, anyway.)

    • @apalrdsadventures 11 months ago +2

      Yeah, that's like the perfect use case for OWE. If everyone knows the password, it's trivial to decrypt all of the WPA2 PSK traffic anyway; SAE doesn't have this problem (and SAE is used for both OWE and WPA3 Pass-based).

  • @lumisonic48-io5xw 11 months ago

    Excellent video, can't wait for the follow-up. Will you talk about cert-based RADIUS? I have a few PCs with corporate-issued certificates for corporate WiFi; my dream is to one day have my own WiFi with FreeRADIUS to accept these certificates.

    • @apalrdsadventures 11 months ago

      Yup, it's cert based RADIUS. Although most of the video covers the CA / issuing certs bits and not much on FreeRADIUS.

    • @lumisonic48-io5xw 11 months ago

      @apalrdsadventures So, that will be an adventure for me to figure out :)

  • @MrSephkeene 11 months ago +1

    Great video as always. Is there an updated Discord link?

    • @apalrdsadventures 11 months ago

      It should be correct?

    • @MrSephkeene 11 months ago

      I get invalid or expired.

    • @ougonce 11 months ago

      Works for me. You've probably been banned.

    • @apalrdsadventures 11 months ago

      It's not a ban from my side. But here's another 7-day link to try: discord.gg/E2EbWdtx

    • @MrSephkeene 11 months ago

      @apalrdsadventures On Android, both links fail; on desktop, it works a charm. Thanks again!

  • @JonathanSwiftUK 11 months ago +1

    You didn't mention MAC filtering / restrictions, and whether they have any merit.

    • @apalrdsadventures 11 months ago +1

      In general, MAC filtering causes headaches in the enrollment phase (you often need to connect a device to a network to capture the MAC, then move it over to a secure network). It's also trivial to spoof a MAC on the air, so it provides little security by itself, but it can be extremely useful for higher level segmentation (assigning VLANs / PPSKs by MAC using RADIUS).

  • @SamuelSkottenborg 11 months ago +1

    Is that an Asrock X300 on your desk?

  • @InShadowsLinger 11 months ago

    Almost didn't watch, thinking "what new could I possibly learn?" Boy, was I wrong. I am still kind of stuck in the early 2010s.

  • @tomkelley4119 7 months ago

    With your password generator, I capitalize the first letter of words, and I add punctuation to make things more obvious on what the phrase means to me.

  • @gorgonbert 11 months ago +1

    Have a WiFi network with whatever the best encryption is you can manage, but that network can only access the router. Run a VPN on the router (WireGuard, OpenVPN, whatever) to access the rest of the network 👍

    • @apalrdsadventures 11 months ago

      Do you mean VPN from the client to the router (over WiFi)? That's not going to provide any advantages over WPA-Enterprise.

    • @gorgonbert 11 months ago

      @apalrdsadventures Just another layer of protection... you can hack that WiFi password all you want... I don't care... 👍
      I like your point about multiple SSIDs too... using VPN as an added layer of protection, that one single WiFi could even have internet access for all I care and the password can be shared with friends and family... no guest SSID needed... also if you happen to have some IoT crap, those can talk to their clouds... I wouldn't let devices like that on my network, but if you have to, at least they can't get to the precious stuff...

    • @apalrdsadventures 11 months ago +3

      WPA3-Enterprise (and WPA2 with PMF + cert checking) is essentially the same process and level of encryption used in IPsec + IKE, with per-client keys and cert-based authentication. So if you are using WPA-Enterprise there's no reason to layer anything else on top, and WPA-Enterprise support is a lot easier to deal with on clients than IPsec, and there's nothing to install like WireGuard.

  • @AlyssaNguyen 11 months ago

    I once had a (temporary!) connection I called "Spaceball One" and set the password as "onetwothreefourfive" 😂

  • @TheOisannNetwork 11 months ago +1

    Thanks!

  • @kwinzman 11 months ago

    I hate to use the YouTube comment system because it seems to delete or shadowban half of what I write, but I have to give you some feedback.
    You said: if your device hasn't had a firmware update in the last 5 years to add WPA3 support, do you really want to use it?
    After I watched your comment I got motivated, and set my AP to WPA3 only.
    It turns out there are a lot of good devices that regularly get security updates which don't support WPA3: Intel laptops with the Wireless-AC 7265 have no WPA3-capable driver for Windows, the iPhone 6S still gets security updates but doesn't support WPA3, my soundbar gets regular updates but doesn't support WPA3, my Raspberry Pi 4 gets regular security updates but only supports WPA3 with great trouble (I believe since THIS week there is finally a solution if you completely swap the firmware and the wpa_supplicant that comes with the Raspberry), and two label printers that I have that still get roughly 1 security update per year won't support WPA3. So, no, that part of the video is just misleading, to be frank.
    I hope this feedback helps. And doesn't get deleted by YouTube.

  • @l0gic23 11 months ago

    Great vid

  • @ws_stelzi79 11 months ago +2

    I guess the Chinese were searching for a good WiFi signal a couple of thousand years ago, considering Confucius already wrote about security! 😉😏🤯

    • @apalrdsadventures 11 months ago +4

      In ancient Lu, Confucius, intrigued by tales of the mystical "Wifi-zen," embarked on a quest to find the best signal. Armed with teachings from wise elders, he journeyed through crowded markets, serene gardens, and sacred temples, raising his smartphone to the heavens at each location.
      Encountering interference in markets, weakened signals in gardens, and elusive connections in temples, Confucius persisted, adjusting settings and offering sage advice. It became clear that, like the pursuit of virtue, finding the best Wifi-zen signal required balance and patience.
      After days of exploration, Confucius stood atop a hill, where the Wifi-zen signal surged with strength. Reflecting on his journey, he shared wisdom: "Navigate interference, seek balance, and embrace patience for the highest connection."
      The people of Lu marveled at the sage who not only imparted virtue but also triumphed in the quest for the best Wifi-zen signal. Content with his discovery, Confucius continued his journey, leaving behind a city united by ancient wisdom and the invisible threads of the digital realm.

  • @subari5875 11 months ago

    Damn, I always assumed that WPA2 without password still used an encryption key, just without authentication. Who the hell thought that it was a good idea to communicate without encryption, especially over air? WPA2-PSK too, it boggles my mind how this level of poor encryption could even be an IEEE standard.

    • @apalrdsadventures 11 months ago

      'Without encryption' is how WiFi was originally designed; back in the 90s it was an expensive and niche system.

  • @yuraetoh 9 months ago

    So in other words Ethernet is the best type of WiFi

  • @BenState 6 months ago

    Sub from me for this great content.

  • @GR3YS0RG4N1CS 9 months ago

    Downvoted for the sinophobia.

  • @AdrianuX1985 11 months ago +1

    On my old AP with OpenWrt, I added to cron:
    1 0 * * * uci set wireless.default_radio0.key=$(head /dev/urandom | tr -dc '0-9a-zA-Z' | cut -b1-56); uci commit wireless; wifi;
    In your opinion, how long would it take for the GeForce RTX 4090 to crack the above alphanumeric password of 56 characters?

    • @apalrdsadventures 11 months ago

      If I know it uses those characters only (no symbols) that's 62 possibilities per symbol. I also know it's 56 symbols (hypothetically) so I don't have to try all the shorter permutations first.
      So total guesses is 62^56 = 2.36e100. RTX 4090 can optimistically do 1.5MH/s (I have no benchmarks but the 3090 can do 1.15MH/s), so roughly 5e86 years on a single card.
      However I could instead brute-force the PSK. PSK = SHA1 hash of SSID + Passphrase roughly and is 256 bits long. That's 1.15e77 possibilities, and since there are less steps in the computation of each guess it can also be done faster. But we're still at some wildly high computation times, on the order of 1e50 years.
      Realistically by chaining in SHA1 attacks you might be able to get it down to ~100 GPU-years. I haven't seen any research on that applied to WPA2.
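
The estimate in the reply above, worked through as an added example (not code from the video or from any commenter): derive the WPA2-Personal PSK exactly as 802.11i specifies it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), which is the per-guess cost an offline attacker pays, and size the search space of the generators discussed in the thread (the 56-character alphanumeric cron key, word-list passphrases). The 1.5 MH/s rate and the 365.2425-day year are taken from the comments; the word-list sizes are assumptions.

```python
"""Added example: WPA2-PSK derivation and search-space sizing for the password
generators discussed in this comment thread. Not part of the video or comments."""
import hashlib
import math

SECONDS_PER_YEAR = 365.2425 * 24 * 3600  # Gregorian year, as noted in the thread


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal PSK per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32-byte output. This is what
    wpa_passphrase prints; every offline guess has to repeat this derivation."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a uniformly random string of `length` symbols drawn from
    `alphabet_size` choices. Use 62 for alphanumerics; for word-list passphrases
    the alphabet is the word list and `length` is the number of words."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_generators(guesses_per_second: float = 1.5e6) -> dict:
    """Search space and exhaustion time for the generators from the thread.
    Default rate is the single-GPU figure the reply assumes. Word-list sizes
    (7776 diceware words, a 2000-word list) are assumptions for illustration."""
    generators = {
        "56 random alphanumerics (cron/uci line)": (62, 56),
        "4 diceware words, unmodified": (7776, 4),
        "4 words from a 2000-word list": (2000, 4),
        "8 lowercase letters": (26, 8),
    }
    return {name: (round(keyspace_bits(a, n), 1),
                   years_to_exhaust(keyspace_bits(a, n), guesses_per_second))
            for name, (a, n) in generators.items()}


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i-2004 Annex H: SSID "IEEE", passphrase "password"
    print(wpa2_psk("IEEE", "password").hex())
    for name, (bits, years) in compare_generators().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{years:.2e} years")
```

The table it prints shows why the reply's 62^56 figure is astronomically large while a 4-word passphrase from a small list (about 44 bits) is within reach of a single GPU in under a year.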

    • @flintthuang 11 months ago +1

      How does the UE know the password after cron is executed?