Social engineering works the best. Get to know someone and half the time you can guess the password.

Case in point - was in a buddy's office, asked to use his PC for a minute, and it was pw protected. Jokingly he said to guess his password. Got it in one. He then changed the password, got it in one again. It helped I knew him fairly well, what he was into, and some other personal data. Half the time, look at someone's desk - pictures, plaques, name plates, awards, that stuff. The password is usually right there.

That's when the addition of a strange character increases the security substantially.

REDACTED I'm trying to make a point about entropy, not the security of a particular set up. Besides, you're talking wifi sniffing, aren't you? I'm using a Remote Desktop example.

OK, throw in a VPN to an RDP login with a lock out after three wrong attempts. Then back to my point about the entropy of dictionary words versus random text passwords. If someone is trying to brute force a password in a rate limited scenario, the password does not have to be as complicated compared to a situation where someone can freely brute force a password as fast as their hardware allows, so the entropy gain in using non-dictionary words may not matter, practically speaking, and may actually be a detriment if these passwords are more easily forgotten.

Lots of good information everyone, so to summarize

i) Upgrade your routers firmware to the latest version

ii) Use the highest router security settings encryption your clients will support.

iii) Use a long password using random character string preferably more than 256 bits i.e. > 16 characters

iv) Create a MAC address filtering list.

v) Ensure your router password is just as strong.

vi) The SAS wannabe thunderflash bang throwing Walter SWAT team may still turn up at your front door before kicking it in. Counter terrorism/police stupidity is sometimes difficult to counter act or prepare for.

http://www.youtube.com/watch?v=62OmbAWC08o