Why Pre-Shared Keys Suck

Wed, 01 Jul 2009 20:45:50 GMT

1. Guest comes to Owner's place and asks for wifi key.

2. Owner tells Guest that the password is "flibble".

3. Guest logs on.

4. Guest leaves and tells the world that Owner's wifi key is "flibble".

5. Owner must now change his wifi key from "flibble" to something else and then inform everybody else who uses the wifi (both humans and devices which store the pre-shared key) what the new key is.

6. Goto (1)

The alternative to pre-shared key systems is to have a user account system.

1. Guest comes to Owner's place and asks for wifi key.

2. Owner logs onto administration panel, taps in username and generates a password, then gives that to Guest.

3. Guest uses.

4. If Guest tells the world his wifi username and password combo, you revoke the password.

There is no reason why this setup should not be used in consumer wifi routers, except for the fact that the existing standards for wifi authentication are designed for mouth-breathing idiots who share their fucking MySpace passwords with each other and then wonder why their account gets "hacked".

And before anyone says FreeRADIUS, that's too complex. Yes, I can set up FreeRADIUS on my Linux box. But username/password authentication with integration at the OS level with Windows and UNIX (including OS X and Linux) should ship on consumer-level wifi routers. That wouldn't suck. Pre-shared keys do suck and are actually worse than useless.

Another thing I don't understand about wifi: why is it that the only way to get encryption of your packets across the air is to turn on authentication? Sometimes I want unauthenticated wifi but that doesn't mean I don't want my packets encrypted. Think of it like a club: just because there's no guest list doesn't mean that you don't need security. In fact, you probably need more security.

Tom Morris

Why Pre-Shared Keys Suck