We’ve all seen it: you walk into a new job, or you’re visiting an office to make a sales call and see that the shared wireless password is written on every whiteboard. Even if it’s not written down everywhere, it is probably easy to guess – try the company name with 123 at the end, or the E’s substituted with 3s.
Even for those companies with hard-to-guess wireless passwords, the chances that the password was rotated the last time someone left the company are slim. After all, it’s a major productivity disruptor.
This is obviously not good password hygiene; a shared (and possibly easy to guess) password that’s rarely rotated is hardly secure.
But does it really matter?
The answer, like just about everything, is “it depends.” There are scenarios where a compromised wireless network is a real threat to the production system, and there are scenarios where (through careful design) the office network needs no password at all.
However, for most businesses, network security is vital, and unsecure passwords can create a major vulnerability.
What’s wrong with a shared wireless password?
There are several major risks with a shared wireless password. Having a shared password increases the likelihood that an attacker can discover it and access your corporate LAN.
While fewer companies maintain confidential resources on their corporate LAN, your office still represents a concentration of employees, who may have relaxed the fire-sharing or firewalling services on their laptops. Some companies keep local network attached storage (NAS) for backups. Even if hackers can’t access confidential resources, an attacker will still be able to print “pwn3d” on your office printer until it runs out of paper.
In the most likely instance, the attacker can take advantage of an increased level of access granted by sending traffic through your office’s public IP address. Many companies whitelist access to production servers and resources based on the office’s IP address or exempt multi-factor authentication from traffic from office IP addresses. In these cases, an attacker has a path to attack your sensitive data from your parking lot, and you probably won’t notice.
Whitelisted SSH access from your office to your servers is relatively low risk, but one of the worst holes is an “admin” web interface to your production service that’s whitelisted to the office. Admin web interfaces are usually very low on the priority list for security patches, since they are “just for internal use.” But an admin interface running code with known vulnerabilities is an easy target to compromise your entire production database.
An ex-employee with an axe to grind can present another risk. Companies are especially vulnerable here, since such an employee would have specific knowledge about your company and your architecture. They can still access your network without even entering the building and use this knowledge to attack a known weak spot.
When is a shared password or no password okay?
A wireless network with no password can be useful for guest networks. Guest networks should not use the same public IP address that your employee networks use, and these networks should probably have strict bandwidth limits on them. The data will not be encrypted, but since so much traffic is over SSL, this isn’t as big of a concern as it used to be.
For offices, a shared password is okay if you rotate the password whenever an employee leaves. As a precaution, it’s recommended that you have zero local devices and don’t whitelist the IP anywhere. Anyone accessing production resources should need to use their employee credentials (don’t forget multi-factor authentication!) and/or use a VPN to access them.
How do I move away from a shared wireless password?
The next step in wireless security is moving to a log-in system that asks for a username and password.
Every major operating system has support for this built in. This means when your computer tries to sign into a network using WPA2-Enterprise, it will ask not for the network’s shared password (which you are used to seeing by now) but instead will pop-up a dialog box asking for the employee’s unique username and password. On the backend, your access point communicates that name and password to a RADIUS server, which will return a “yes” answer if the name and password are valid, or a “no” otherwise.
As a result, organizations can keep their networks secure and block unauthorized users, while employees can log in and connect with greater ease than ever.
This requires a RADIUS server. If you don’t have one, there are cloud-provided RADIUS offerings (like Foxpass) that can validate usernames and passwords against internal databases or external sources (like Google Apps accounts).
When you want secure network access and security, Foxpass is the way to go, bringing cloud RADIUS and access control to businesses of all sizes. Foxpass has a free 30-day trial and a super easy set-up process, so there’s no reason you can’t have this protection today. We’re also free for organizations with fewer than 10 users!
Wi-Fi is a trademark of Wi-Fi Alliance®
