Take, for example, the hundreds of millions of WiFi networks in use all over the world. If they’re like the ones within range of my office, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware menus and techniques that have become readily available over the past five years. What I found wasn’t encouraging.

First, the good news. WPA and WPA2 use an extremely robust password-storage regimen that significantly slows the speed of automated cracking programs. By using the PBKDF2 key derivation function along with 4,096 iterations of SHA1 cryptographic hashing algorithm, attacks that took minutes to run against the recent LinkedIn and eHarmony password dumps of June would require days or even weeks or months to complete against the WiFi encryption scheme.

What’s more, WPA and WPA2 passwords require a minimum of eight characters, eliminating the possibility that users will pick shorter passphrases that could be brute forced in more manageable timeframes. WPA and WPA2 also use a network’s SSID as salt, ensuring that hackers can’t effectively use precomputed tables to crack the code.

That’s not to say wireless password cracks can’t be accomplished with ease, as I learned firsthand.

MORE:  How I cracked my neighbor’s WiFi password without breaking a sweat | Ars Technica.

Unfortunately, according to Hammer those same big names are at least partly responsible for making OAuth 2.0 the fiendishly complex and convoluted spec that it has become. Hammer is not the first to question the usefulness of OAuth 2.0. In fact, we’ve previously argued that OAuth 2.0′s complexity is hurting the spirit of API experimentation on the web.

Hammer isn’t just questioning OAuth 2.0, he’s abandoned it entirely and completely erased himself from the project, calling it “a bad protocol… bad enough that I no longer want to be associated with it.”

In Hammer’s view OAuth 2.0 is “more complex, less interoperable, less useful, more incomplete, and most importantly, less secure” than its 1.0 cousin.

MORE:  Developer Quits OAuth 2.0 Spec, Calls It ‘a Bad Protocol’ | Webmonkey | Wired.com.