FirstClown

firstclown at firstclown.us

Posts Tagged ‘Security’

How Secure is WiFi?

WiFi has had a rough security past. When 802.11a, the first WiFi standard, first came out, there wasn't much security set up around using it. The WEP security standard was added later, but it has been easily broken and found to be as weak as not encrypting your connection at all. A new standard, WPA, was soon introduced, but it has recently been found to have a weakness that may lead to it being completely useless too.

So, how does WiFi security work and how do you protect your network and your communications when using it?

How WiFi Works

A wireless connection acts like a two-way radio, where one side is the router and the other is your computer. Your computer identifies itself with an id number and then asks the router to get some information for it from the internet. The router then gets the information, whether that's email or your latest Twitter posts, and sends it back to your computer addressed to that id.

When you visualize that, you might be thinking of the router sending long wavy lines to your computer and your computer sending wavy lines back to the router. But it's really not. Like a walkie-talkie, the router just broadcasts the data in all directions and just hopes your computer gets it. Also like a walkie-talkie, every other computer is getting the same signals, your signals with your data.

The way computers normally work is by checking that id that the router sends. Since a computer sees everything the router is sending, and even everything every other computer in the area is sending, it checks each message to see if the message is for it. Does this message have my id? Nope, ignore it. Does this message have my id? Yep, process it. And on and on for every single message it sees.

The Consequences

More importantly, there's nothing stopping a computer from taking every message anyway and doing whatever it wants with it: saving it for later perusal, searching it for passwords or uploading it to another server somewhere. If you're on an open access point, say in an airport, hotel or restaurant, everyone in the area can see everything you're doing on the network.

Hotels and airports have actually become areas ripe for identity theft because of this. Many people still access their email and online accounts in an insecure fashion and, over an open network, all of that is available for anyone to steal.

The Solution

There are ways to secure an access point that you own. You should do the following steps for home and office access points that you are in control of.

Enable WPA2 Encryption

Open your access point's settings and enable WPA2 Personal encryption with a nice strong password. You can get a truly random password to use via the GRC perfect password site. Feel free to write this down and keep it somewhere in your house or on your computer. It's not a password you'll want to forget, and it's also not that bad of a password for someone to get their hands on, since it will only allow them to log into your network.

Using WPA2 will encrypt your messages over wireless. Everyone will still be able to receive them, but they'll just be so much garbage and impossible to crack. Also, by using WPA2, everyone else on the network gets a different key for the encryption, so even if you and a hacker are both logged in, he still won't be able to read your messages. WPA2 is vital if you're using WiFi in your home or office.

Be Careful on Open Networks

Watch what you do on networks you don't have control over. If you must connect to check your email, make sure you connect in a secure way. That means SSL or TLS for email in Outlook, Thunderbird, or Mail.app, and using https: for any web-based email like GMail, Yahoo! Mail or MSN Mail. If you have to log into any other sites, verify that they use https.

You can also set up a Virtual Private Network, but that can end up being a huge pain to set up and maintain. I'll try to cover some simpler ways to do it in later posts.

For now, just be fully aware of what you're doing on open networks. Assume everyone can see what you're doing and act accordingly.

Answer: Maybe

Is WiFi secure? Not open networks, and some secured networks aren't even very secure. If you use WPA2 encryption with a good password, you'll be okay. There's also WEP encryption, and if you know anyone using it, tell them to stop. It is no longer secure and can be hacked in a matter of minutes, putting all of your data right back out in the open.

Bottom line: be careful on open networks and use WPA2 on networks you control.

Good Password Selection

I work on a couple of websites that require user registration and I'm consistently surprised at how many people use really bad passwords. I mean really bad passwords, like 'password' or '123'. It's more than you might think.

Everyone says to pick strong passwords, but how do you choose a strong password that's hard to guess or crack but easy to remember? The answer lies in looking at how passwords are cracked.

Dictionary Attack

The way most passwords are cracked is by a dictionary attack. A dictionary attack uses a file of common words and common passwords called a dictionary file. The attacker checks each of those words against your password and, if your password is in that file, the attacker gains access to your account.

That is why you shouldn't use words you might find in the dictionary. Even simple tricks like replacing letters in a word with symbols aren't enough, since a lot of those variants have found their way into dictionary files too.

So how can you create strong passwords that are still easy to remember?

Password Selection

Easy, pick words out of the dictionary. :)

The idea is to turn a phrase or group of words into a strong password. We do that by joining the words with numbers or symbols in between them. So instead of the weak password "honeybee", we can make it a little stronger by adding another word with a number in between, "honeybee3tea".

If someone knew this system, they could devise a way to crack it via the dictionary file. They could try every word joined with every other word. If we assume that a dictionary file contains 100,000 words, to check two word combinations would be 100,000 x 100,000, which would be 10,000,000,000 or ten billion combinations. Adding any of 10 numbers in between would be 100,000,000,000 combinations.

This is hard on an attacker, but not impossible. With parallel and cloud computing getting easier and easier to access, attackers will be able to pull a lot of resources in to crack your password.

So what to do?

Add more words! The password "honeybee3tea9is&great" will be very hard to crack via the attack mentioned above, needing the ability to check over 100,000,000,000,000,000,000,000 combinations to try and crack a password of this length. This is outside of the realm of possibility, especially since there are so many easy passwords to crack these days. You can make it even harder by changing the case of the words: "HoneyBee3Tea9is&great".

You're probably thinking that you don't want to type that much when picking a password, so I'll let you know that three words is probably enough. Sadly, password security is a little like outrunning a bear: you don't have to be the best, you just have to be better than the other guy. If a hacker can crack 10% of the passwords on a site, he'll have enough personal information to work with that he won't spend the extra time to get yours.
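The arithmetic above, carried through as a small keyspace calculator. This is an added example, not part of the original post; it assumes the post's 100,000-word dictionary and ten digit separators, and the guess rate it uses is a constructed round number for illustration.

```python
"""Keyspace estimate for the word-joining password scheme described above.

Added example (not from the original post). Dictionary size and separator
count are the post's own assumptions; the guess rate is constructed.
"""

WORDS_IN_DICTIONARY = 100_000   # attacker's word list size (post's assumption)
SEPARATOR_CHOICES = 10          # one digit between each pair of words (post's assumption)


def candidate_count(num_words, dictionary_size=WORDS_IN_DICTIONARY,
                    separator_choices=SEPARATOR_CHOICES, case_variants=1):
    """Number of passwords an attacker must try to cover every phrase built
    from `num_words` dictionary words joined by one separator character.

    case_variants: capitalisation forms tried per word (1 = lowercase only,
    2 = lowercase or Capitalised), modelling the post's "change the case" tip.
    """
    if num_words < 1:
        raise ValueError("a passphrase needs at least one word")
    per_word = dictionary_size * case_variants
    separators = separator_choices ** (num_words - 1)   # no separator after the last word
    return per_word ** num_words * separators


def years_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate, in years."""
    seconds_per_year = 365 * 24 * 60 * 60
    return candidates / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    # Constructed guess rate: one billion guesses per second, a round figure
    # standing in for the "parallel and cloud computing" the post warns about.
    rate = 1_000_000_000
    examples = (("honeybee", 1), ("honeybee3tea", 2), ("honeybee3tea9is&great", 4))
    for label, n in examples:
        c = candidate_count(n)
        print(f"{label:24s} words={n} candidates={c:.3e} years={years_to_exhaust(c, rate):.3e}")
    # Mixed case doubles the work per word, so four words gain a factor of 16
    mixed = candidate_count(4, case_variants=2)
    print(f"{'HoneyBee3Tea9is&great':24s} words=4 candidates={mixed:.3e}")
```

The two-word figure reproduces the post's 100,000,000,000 and the four-word figure its 10^23; at a billion guesses per second the latter takes on the order of millions of years to exhaust.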

Other Methods

Before I get a lot of nasty emails, this is not the best way to choose a password, but is the first step in picking better passwords than most people out there use. I will have future posts about some other ways to pick passwords, including my favorite, Password Hashes. Most people don't know the danger of picking simple words by themselves. If you do use simple passwords now and start using the above technique instead, you'll be much better off.

New Windows Botnet Growing

If you have a Windows computer, make sure you have the latest patches installed. There's a nasty botnet worm growing in size by exploiting a bug in Windows that was patched in October. If you're not up to date, I'd recommend running the updates as soon as possible.

Like now.

TrueCrypt: Virtual-Disk Encryption

TrueCrypt is one of those applications that no one has heard about, but everyone needs. If you have sensitive documents that you keep on your computer, like tax returns, confidential client data or a file with all of your passwords in it, you need TrueCrypt to protect that data in case of theft.

How It Works

TrueCrypt is a way to create a strongly encrypted virtual file system. With TrueCrypt, you create a new TrueCrypt volume, which is just a file that you save on your computer. You could think of it as kind of like a zip file; it's a file that holds other files. You then use TrueCrypt to mount the TrueCrypt volume. The volume displays as a regular hard drive to your computer. On Windows, it'll just be another G: or H: drive, and on the Mac, it'll show up as a hard drive, just like a USB key would. You can then copy files to it, edit files on it, or delete files from it. When you unmount the drive through TrueCrypt, everything gets encrypted and stored in your TrueCrypt file. And the volume is protected by strong encryption, so if someone gets their hands on your TrueCrypt file, they won't be able to do anything with it without the password.

Cost

The best part is that it's all free. TrueCrypt is an open source project that is constantly being upgraded and made stronger. They are now at version 6.1, and it has been reviewed by security experts at every step during its creation. There's also a full list of precautions you can take to protect yourself better.

Uses

TrueCrypt is one of those applications that I think everyone could be using to increase the security of their data. As I said above, I use it to store tax returns, my passwords file and quite a few other financial documents that I don't want getting out if my computer is stolen. I also use it as a way to keep documents on Dropbox that I want encrypted. It's so easy to create a volume and store things in it that, even if what I'm storing isn't super secret information, I can still protect it with a minimum of effort.

There are actually a few other ways to use TrueCrypt, including full disk encryption and USB key encryption. I won't go into those here, but you can read about them on the TrueCrypt website if you're interested.

Installation

It's very easy to install, but the steps to create a volume are a little involved. Download TrueCrypt and then have a look at this document to see how to create a volume with it. I would recommend using AES-256 encryption, the same level of encryption used for Top Secret US documents.

If you have sensitive documents on your computer or, worse, your easy-to-steal laptop, put them in a TrueCrypt volume today. You really don't want that stuff getting out.

Just remember the password.

How Secure is Your Email?

I wonder how secure most people think email is, especially when a company emails me my password or login information. There seem to be a lot of people who write things in email that they wouldn't want other people to see, so I want to be clear...

Email Is Not Secure

Not no how, not no way. Even if you connect to your email server over SSL, even if your ISP tells you it's secure and even if you've been sending things for years and haven't had a problem yet, email is not secure.

A lot of people think that email is a lot like regular mail: you put your message in an envelope, address it, hand it to your faithful US Post Office, and off it goes through the US mail system, hand delivered to its destination. If email worked like that, I would consider it secure.

But it doesn't work like that.

Think of email more like a postcard that's not in an envelope. And instead of being sent through the US mail system, you hand it to your neighbor, who then continues to hand it down the line until it gets to its destination. Everyone along the way can read your message and, more importantly, photocopy your message so they can read it later. Everything is right out in the open, including everything you wrote, and anyone can come along in the middle and take a look at the messages as they go by.

It's not exactly like that, but it's darn close. Even if you're careful about your email password and take care not to get your email account hacked, the person you send the email to, or one of the servers in between, might not be so careful.

I'm not saying don't use email, just be aware of what you're sending. You should never send passwords, personal information or anything confidential over email.

This is more of an FYI than anything, but future articles will talk about ways in which you can secure your email by putting it into a virtual envelope. The hard part here is getting everyone you send email to to do the same. Subscribe to the feed so you don't miss those posts.
