Ytdyklly

I have a wireless router, and I want a difficult password that is still, in a way, easy to remember.

I came up with this idea to take the MD5, SHA-1, SHA-256, or whatever hash of a common English word, such as "superuser" and use the hash as the WPA2 key.

For example, let's say that "superuser" was my word of choice. If I chose SHA-1 has my hash, I would then set up my WPA2 key to be8e67bb26b358e2ed20fe552ed6fb832f397a507d.

Is this a secure practice? Common English words are being used--in a way--in the key, but the key itself is actually a long, complex hexadecimal string.

Unless you reveal the method of how you generated your "long WPA2" key (which you just did), it's just a complex hexadecimal string which would normally be pretty secure. On the other hand, if someone knew that you were using "a common English word" and used a hash of that word as the key, anyone could quickly regenerate a sequence of hashes from a dictionary and use it as a rainbow table to break your password pretty quickly.

If you are looking for a "difficult password that is still easy to remember" why don't you come up with a longer pass phrase that means something to you but not easily guessed by anybody else. That would render widespread rainbow tables essentially useless. Start with a phrase (i.e. sequence of words, sentence, etc), mix in a sequence of digits that means something to you (avoid birthdays, phone numbers, etc), and generate a long key that is "easy to remember" that way.

It is as secure as any other key as long as you do not tell anyone.

At the end of the day, your key will be using 0-9, a-f... which is actually only gives 16 possible characters instead of just a-z which would give 26. Therefore, if you think you are being smart and tell someone "I am using SHA-1", you are actually cutting down their brute force combinations by quite a few.

Personally, I think you would be a lot better off just having a normal long word/s with a mix of case, then throw in some random numbers and symbols.

It is safe as long as nobody can possibly figure out the method. This of course includes bragging about it in the office, but also traces of any kind you may leave behind. As an example, if you are to connect a random user to your network, you'll probably use some kind of client-side application to generate the hash. If the random user then notices that there's an echo "superuser" | sha1sum in the log it's not too hard to add the two together.

Seeing as you'd have to generate the hash externally, much of the convenience disappears. Generally I'd say that hashing a common word might be an acceptable way to quickly generate a semi-random key, but the key must still be copied or remembered when entering to not pose a weakness.

The only other gain I can think of is that the key/phrase/password can be easily reproduced if lost. If above security-measures are taken I see no reason not to use hashed words as keys.

This is a real world example of security through obscurity. Where you assume that you are safe, or in your case, that you are safer, than users who just typed their passwords without this process.

The real problem is the false sense of security, if you use a weak password, 12345678 for example, using the SHA1 result as WPA2 password, it will result an almost impossible to crack WPA2 hash. So the users usually don't bother about the possibility of anyone be able to crack it, but soon as anyone knows your hidden secret, you hash will be cracked easily. If you properly choose a strong password, you won't have to worry, even if your secret is compromised, a good password will took much more time to be cracked than it will worth for the attacker to wait.

That will lead us to the question, is security through obscurity that bad ? IMHO yes, it is just because of the false sense of security, the same sense that automated low quality pentest tools bring when they show no vulnerabilities after a scan, or when an antivirus says that an executable is clean.