Dear applications: WEP keys are not passwords

May 24, 2008

Every so often, I have the dubious pleasure of entering WEP keys in order to get access to some wireless network around here. Invariably, the applications treat the WEP key like a password and have me type it in a text box where all the feedback I get is a '*' for each character that I type.

(We use WEP keys mostly as a way to keep random passers-by out. Not-so-random passers-by can crack the WEP key, at which point other precautions keep them from doing anything useful with their new-found wireless connection.)

Almost no feedback is okay for a password that is relatively short and that you will type frequently, so that you get good at it. WEP keys are neither; for example, a 128-bit WEP key being entered in hex mode is 32 characters that I will type once in a blue moon, and in fact I am not typing it from memory; I am trying to transcribe it from a piece of paper. In this sort of situation, lack of effective feedback is frustrating, especially because the only way to correct any mistakes is to try entering the WEP key again and see if it works this time around.

And both in theory and in practice, WEP keys are not passwords. They're not in theory because a WEP key can be cracked with relative ease, so trying to keep it secret gets you almost nothing; they're not in practice because they are almost never entered in a situation where obscuring what you are entering has any effect on security.

So: application authors, please stop making everyone's life harder; just use a plain text box for entering WEP keys. (For bonus points, give us a better interface for entering hex keys, since those aren't going to be very readable even in plain text.)
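One way an entry field could give that feedback while the key is being transcribed, as an added example that is not from the original post. The function name `checkHexKey`, its result fields and the sample input are all hypothetical, and the key size is supplied by the caller.

```javascript
// Added example: feedback for a hex key transcribed from paper.
// checkHexKey and its result fields are hypothetical names.
// keyBits comes from the caller; 128 bits is 32 hex digits, as in the post.
function checkHexKey(input, keyBits) {
  const expected = keyBits / 4;            // one hex digit carries 4 bits
  const problems = [];
  let digits = "";

  // Walk the raw input so error positions refer to what the user typed.
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (/[0-9a-fA-F]/.test(ch)) {
      digits += ch.toUpperCase();
    } else if (/[\s:-]/.test(ch)) {
      continue;                            // tolerate common separators
    } else {
      let hint = "";
      if (ch === "O" || ch === "o") hint = " (did you mean 0?)";
      if (ch === "l" || ch === "I") hint = " (did you mean 1?)";
      problems.push(`character ${i + 1} '${ch}' is not a hex digit${hint}`);
    }
  }

  if (digits.length !== expected) {
    problems.push(`${digits.length} hex digits entered, ${expected} expected`);
  }

  // Show the key in groups of four so it can be compared against the paper.
  const grouped = digits.match(/.{1,4}/g) || [];
  return {
    ok: problems.length === 0,
    digits,
    display: grouped.join(" "),
    remaining: Math.max(expected - digits.length, 0),
    problems,
  };
}

// Constructed sample input: 32 characters with one 'O' typed in place of '0'.
const sample = "0123 4567 89ab cdef 0123 4567 89ab cdeO";
console.log(checkHexKey(sample, 128));
```

Run on every keystroke, the `display` and `remaining` fields let the user see where they are in the key, and `problems` points at the exact character to fix instead of forcing a full re-entry.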

Written on 24 May 2008.

Last modified: Sat May 24 01:19:51 2008