Brian Livingston has filed an exhaustive article about Windows and Wi-Fi security at Windows Secrets Newsletter: Brian interviewed me for the article, which was entertaining as we sorted out a lot of the issues about WEP and WPA, and his article is an incredibly clear set of the best advice I've seen on the topic. Every Windows user employing Wi-Fi needs to read his article and make sure you've done what he suggests.
One of the conclusions I reached while being interviewed by Brian is that WEP truly is dead. There are WEP algorithms in updated firmware that eschew the weak initialization vectors that make it trivial for a cracker with free, simple software to extract a WEP key. But there's no way a consumer could possibly know whether a given device had strong or weak IVs. Further, a single network device with weak IVs makes a WEP-protected network vulnerable.
So I have to agree with Brian: there's no reliable way for the average person to use WEP and not have vulnerability that can exploited in seconds to minutes. If you don't live near anyone else at all, WEP (or no security) may still be viable. Otherwise, WPA or WPA2, and WPA Enterprise or WPA2 Enterprise is even better.
Hi,
I think if you wanna talk about security, I'm not sure you could really call a shared secret a good ground basis for security.
As my granny used to say, something that is known by more than three people isn't a secret anymore!
Whenever you go in a company using that kind of shared secret you just need to use a "social attack" and try the usual "huh what's the wifi key again?..."
If security really matters to you, unique authentication of the user is a must have. Moreover there are many simple & reliable solutions adapted to WiFi on that regards.
I personnaly use WaveStorm's MeetingPoint (check
http://wave-storm.com/en/index.php?Area=Products&ContentLeft=Meeting%20Point )
Cheers
The main purpose of this article is about WPA/WPA2, arguing that you need to junk your old hardware that doesn't support WPA.
But this is totally wrong, this isn't a hardware issue but a driver one. I use a old (really old) Orinoco wireless card with WPA on Linux. The Windows drivers doesn't support this but wpa-supplicant does.
I mean this is a new argument to buy a new wireless card, but it's a lie. And best at all wpa-supplicant seems to have a win32 port.
[Editor's note: The article is about how four required EAP types for WPA certification aren't part of the WPA2 update from Microsoft. You don't need to trash your hardware at all--but if you want to use native WPA2 encryption with EAP-TTLS or PEAP, you cannot use Microsoft's built-in software at this point. This is about confusion over a standard because the standard changed mid-stream without requiring backwards updates from already certified products.--gf]