AES encrypted passwords

Alan DeKok aland at deployingradius.com
Fri Sep 30 15:47:30 CEST 2016


On Sep 30, 2016, at 9:21 AM, freeradius-users at latter.org wrote:
> 
> On 30/09/16 13:57, Alan DeKok wrote:
>> On Sep 30, 2016, at 6:53 AM, freeradius-users at latter.org wrote:
>>> However I have just looked at the instructions we give to users
>>> wishing to connect their Windows 8 machine to the wifi network
>>> and have seen this:
>>> 
>>> - Untick “Verify the server’s identity by validating the certificate”
>> 
>>  Which means that you have no security.
> 
> ...in the event that someone goes to the effort of spoofing the SSID etc.

  Which takes all of 10min.

> But if I may be so bold: the problem with security professionals is
> that they often don't seem to recognise the concept of "Good Enough".
> They only seem to accept things that are mathematically provably
> secure.  And they can then end up with systems that are so complicated
> that hardly anybody actually uses them [0].

  I've explained that putting encrypted passwords into the DB adds zero security, but doesn't really harm anything.  I've also explained that disabling the server cert validation is terrible, and actively harms security.

  Your response complaining about security professionals concentrating on the wrong thing is *entirely* inappropriate.

  I'll say it again: Amateurs SHOULD NOT be designing security systems.  You, and your managers, and the marketing people, are security amateurs.

  Listen to the experts, or ignore their advice.  It's up to you.  But do *not* respond by belittling the experts.  It's ignorant and anti-social.

> Is providing Dot11 but not verifying the certificate Good Enough
> in this instance?  I would guess that you do not think so.

  Then you didn't understand my comments.

  It's *terrible*.  It destroys *ALL SECURITY* in your RADIUS configuration.  The only worse thing you could do is to print out all of the user names and passwords, and post them in a public place.

>  Other
> comments would be welcome.  I have not yet formed an opinion.

  Learn how to learn from the experts.

> I am moving towards Not Good Enough.
> 
> I do not profess to being a security professional.

  Then don't argue with the experts.

>  My main gig
> is writing code.  I am trying to improve things.

  Then learn from the experts.

  Honestly, I have no idea what the heck is going through people's minds when they ask questions, and then argue with the answers.  It's completely narcissistic.

  No, you're not the smartest person in the world.  Your attempts at being humble are just ways to convince yourself that you can ignore the expert advice.

  Stop it.

  Alan DeKok.
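For reference, what "untick Verify the server's identity" amounts to on the client side, written out as a supplicant configuration. This is an added example in wpa_supplicant.conf syntax, not from the thread or from FreeRADIUS; the SSID, CA file path and server name are placeholders.

```conf
# Weak: no ca_cert and no name check. The supplicant will complete the
# PEAP TLS handshake with ANY RADIUS server that presents a certificate,
# which is the wpa_supplicant equivalent of unticking "Verify the server's
# identity by validating the certificate" on Windows. A spoofed SSID with a
# rogue RADIUS server behind it then receives the inner MSCHAPv2 exchange.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user"
    password="secret"
}

# Corrected: pin the issuing CA and the expected server name. A server
# whose certificate does not chain to this CA, or whose name does not end
# in the given suffix, fails the TLS handshake before any inner
# credentials are sent.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user"
    password="secret"
    # placeholder path: the CA that issued the RADIUS server certificate
    ca_cert="/etc/ssl/certs/examplecorp-radius-ca.pem"
    # placeholder name: must match the RADIUS server certificate's subject
    domain_suffix_match="radius.example.org"
}
```

The same two settings (trusted root CA and expected server name) are the ones the Windows PEAP profile dialog controls; the point of the thread is that leaving both unset makes the certificate exchange meaningless.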