I am looking at connecting mobiles to an enterprise WiFi network in a reasonably secure way. The current solutions would be user certificates on the mobiles (they are unfortunately exportable) or PEAP-MS-CHAP-v2.
PEAP-MS-CHAP-v2 is vulnerable to offline bruteforce attacks, I am therefore trying to estimate the required entropy of passwords in three scenarios:
- pure bruteforce attack
- psychologically clever bruteforce (which assumes as a start that people will probably use a capital letter at the beginning and end with a digit - if those two are enforced)
- reasonable dictionary attacks (of the form "if there is a 20 chars passphrase, it will likely be made up of 4 or 5 words")
All this coupled with current average CPU/GPU capabilities when performing the attack.
Has anyone seen a realistic estimation of the required complexity? I use the word realistic because this is an enterprise network so 20 characters with 3 digits, two capitals and 3 symbols will not be cheered with joy (people need to work, in addition to entering their passwords :))
There are many places which compute raw estimates, usually for generic bruteforce. Have you seen anything which takes into account some of the aspects above?
Thanks!
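The three attacker models from the question, turned into entropy estimates and an expected offline cracking time, as an added example that is not part of the original post. The 95-character alphabet, the 20,000-word vocabulary, the guess rate and the 60-bit target are assumptions to replace with figures for the actual hardware and policy.

```python
import math

# Added example (not from the original post). Alphabet sizes, the
# word-list size and the guess rate used below are assumptions.
PRINTABLE = 95          # printable ASCII, for the pure brute-force model
LOWER, DIGITS = 26, 10
VOCAB = 20000           # assumed size of the attacker's word list


def bits_pure(length: int, alphabet: int = PRINTABLE) -> float:
    """Pure brute force: every position drawn from the full alphabet."""
    return length * math.log2(alphabet)


def bits_patterned(length: int) -> float:
    """'Psychologically clever' model: the attacker assumes a capital letter
    first, a digit last and lowercase letters in between, so an enforced
    capital and digit add almost nothing on top of the lowercase middle."""
    if length < 2:
        return 0.0              # pattern cannot apply to a 1-character password
    middle = length - 2
    return math.log2(LOWER) + middle * math.log2(LOWER) + math.log2(DIGITS)


def bits_dictionary(words: int, vocab: int = VOCAB) -> float:
    """Passphrase model: N words chosen independently from the word list."""
    return words * math.log2(vocab)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def min_size_for(bits_fn, target_bits: float, limit: int = 64):
    """Smallest size (characters or words) at which bits_fn reaches the target."""
    for n in range(1, limit + 1):
        if bits_fn(n) >= target_bits:
            return n
    return None


if __name__ == "__main__":
    rate = 1e9     # assumed offline guess rate (guesses/s); measure on real hardware
    target = 60    # assumed target: roughly 18 years expected at 1e9 guesses/s
    for name, fn in [("pure", bits_pure), ("patterned", bits_patterned),
                     ("dictionary", bits_dictionary)]:
        n = min_size_for(fn, target)
        years = expected_crack_seconds(fn(n), rate) / 3.15e7
        print(f"{name:10s}: {n} units -> {fn(n):.1f} bits, {years:.1f} years")
```

Running it shows why an 8-character "Capital...digit" password is far weaker than its 95-character brute-force figure suggests, while a 5-word passphrase from a 20,000-word list clears the same target.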