2

I'm the admin for my company and unfortunately, the majority of the company is tech-skills limited. I need to impress upon them the need and reasoning for updating publicly WiFi hot-spots at our locations so that the passwords change weekly.

Does anyone know of any good white papers or articles that discuss the dangers associated with keeping the same password for extended periods of time?

To explain further, the wifi is at restaurants which have been plagued by homeless that "squat" in there without purchase, others using the free wifi to download porn and torrents, and other physical security issues. The wifi is offered free to customers but needs limitations and uses the same modem that the point of sale operates on (in the DMZ though). Security (both physical and virtual) is limited so I update the passwords weekly to help improve our protection. But explaining how leaving a simple WiFi password on an publicly visible and accessible hotspot opens the door to penetration and exposure is difficult to explain to non-security minded persons.

schroeder
  • 123,438
  • 55
  • 284
  • 319
RedLabelle
  • 29
  • 1
  • 1
    You might need to explain to us why you want to change the wifi password weekly. – schroeder Jun 28 '17 at 14:51
  • 3
    Changing the password is not a solution to any of the threats you outline. – schroeder Jun 28 '17 at 15:02
  • Investigate WPA-Enterprise - in short, you could have a per-user password, time limited, which staff could provide with purchases. It would require more setup, but would directly address the issues you're seeing. – Matthew Jun 28 '17 at 15:15

3 Answers3

4

Changing the password regularly won't stop some of your problems (ex.: downloading porn or illegal stuff), as the users will still be anonymous and/or unidentified and/or non-customers.

To prevent that, you could change the way the login at your Wifi is made.

A common technique is to have a public Wifi that redirects to a login page. In that page, your customers will provide some information (ID? Name? Facebook login? A specific code delivered together with their order?). Once that information is provided, they'll be able to access the internet.

And yes, you can setup a proxy / firewall rule blocking some sites, some downloads, etc.

For example: http://www.dd-wrt.com/wiki/index.php/Chillispot

woliveirajr
  • 4,462
  • 2
  • 17
  • 26
-1

Changing the password has been shown to be ineffective. The reason it is ineffective is that users will then choose standard naming conventions like fall2016pa$$word, Winter2016Pa$$w0rd, etc. Which from a penetration testing standpoint, is great for us but, horrible for companies. Black Hills Information Security preaches that password spraying on AD is extremely effective for companies who retain the one upper, one lower, one special, 8+char min passwords.

The best password naming conventions are word based long passwords 15char+ if not more. Allow your users to use common English words, the data behind this method states it works very very well.

As for the WiFI, you can re-direct the user to your login page where they have to authenticate is some fashion (OAuth2.0, etc). Set-up whitewashing rules and block known malicious/against policy domains.

Joshua Faust
  • 638
  • 3
  • 8
  • your first 2 paragraphs do not apply - your last paragraph might have applied, but it's a bit of a fragment – schroeder Jun 28 '17 at 16:06
-1

To prevent users from visiting unwanted sites, you should use firewall rules to drop connections to certain domains, or even certain top-level domains (.ru, .ch, etc.) if you feel so inclined.

To prevent users from torrenting, you can block certain port numbers 6881-6889 and 6969, which are typically used by BitTorrent clients.

Password rotation is not a truly effective method of authenticating users. To achieve the goal of generating one-time use logins for customers who purchase goods at your location, look into setting up a RADIUS server.

Jon Behnken
  • 139
  • 2
  • dropping country top-level domains is a way to inconvenience customers from those countries - the point of the proposed scheme is not to authenticate users and does not apply to customers – schroeder Jun 28 '17 at 18:06
  • Sure, it would inconvenience people trying to visit sites on certain cc-tlds, however in terms of practicality, restaurant or coffee shop visitors use the WiFi for social media or for light browsing, so it could be argued that blocking some cc-tlds offers some benefit for minimal inconvenience. To quote the OP, "*the wifi is at restaurants which have been plagued by homeless that "squat" in there without purchase*", is that not an authentication issue? – Jon Behnken Jun 28 '17 at 18:32
  • how do you authenticate a patron? – schroeder Jun 28 '17 at 18:58
  • The POS system can be configured with a RADIUS server to generate a username and password combination after a purchase is made – Jon Behnken Jun 28 '17 at 19:21