I would take the opportunity to switch from PSK to some type of EAP authentication if you can. Pre-shared keys are not scalable and there is a known vulnerability with the use of PSK and TKIP.
Pre-shared keys can be up to 63 printable ASCII characters or exactly 64 hexadecimal digits. Naturally, if you're going the passphrase route, I would use all 63 characters and just pick random ones (lower & upper case letters, numbers, and symbols). As long as the character is on your keyboard (at least for standard US layouts), it should work across all devices. Technically, the character produced by the space bar is printable, though I would avoid it, as some clients may not be able to connect if there is a space in the passphrase.

I don't know of any client-specific issues with using a 63-character passphrase. However, even a 32 random-character passphrase should be sufficient to mitigate a brute force attack for some time to come.

Charles Bisel
Network Architect
Bayer Corporation
100 Bayer Road
Pittsburgh, PA 15205
EMAIL [email protected]
WEB http://www.bayerus.com

Nathan Hay <[email protected]>
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
04/20/2009 12:09 PM
Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
To [email protected]
cc
Subject [WIRELESS-LAN] PSK best practices

I have the opportunity to change the PSKs on two of our wireless networks when we make other changes this summer. Can anyone suggest best practices for coming up with a PSK? Length, characters to include, characters to not include, etc? Any compatibility issues with equipment depending on length and characters that are used?

One network is WPA-PSK/WPA2-PSK mixed mode. The other is WPA2-PSK.

Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
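An added example, not part of the original thread: a Python sketch that generates a random passphrase from the 94 printable ASCII characters other than space, checks a candidate against the two PSK formats described in the reply, and shows how a passphrase maps to the 64-hex-digit key through the standard WPA/WPA2 derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The function names are hypothetical, and the 8-character minimum comes from the 802.11i standard rather than from the thread.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII without the space character (0x21-0x7E): 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_passphrase(length=63):
    """Draw each character uniformly from ALPHABET using the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def classify_psk(value):
    """Return 'hex', 'passphrase' or 'invalid' for a candidate PSK string."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return "hex"          # raw 256-bit key, used as-is
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"   # printable ASCII; space is legal but best avoided
    return "invalid"

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)

def derive_pmk(passphrase, ssid):
    """256-bit key the access point and client actually use for a passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, classify_psk(candidate))
    print("63 chars: %.0f bits, 32 chars: %.0f bits"
          % (entropy_bits(63), entropy_bits(32)))
    # "ExampleNet" is a constructed SSID for illustration only.
    print(derive_pmk(candidate, "ExampleNet").hex())
```

Because the SSID is the salt, the same passphrase yields a different key on each network name, and the derived key is always 256 bits regardless of passphrase length.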
