Today I had to type the same password to connect to a WPA2-secured WiFi network several times, and got really annoyed with the length of the password. Especially since it is just a phrase repeated twice.
The amount of protection offered by implementing a password in any system will always vary in direct proportion to the password complexity, and the effort taken to protect that password. Wireless networks are no exception.
Where a strong hashing mechanism is in use, longer and more complex passwords will almost invariably put you in a better security posture. I strongly suggest you read some of the other password questions we have here. One of particular interest is:
It should be noted though, that a WPA2 network's PSK is only effective where WPS is either disabled or unsupported on the AP. Recent side-channel attacks allow an attacker to break WPS in a relatively short time, and gather the WPA2 PSK directly from the AP without having to actually crack the PSK itself.
Suppose I have a key of three letters and I can process about 5 words a second to the AP (fictional). One word can consist of 24 letters and 10 numbers. So your possibilities are (24+10)^3 = 39304. If we add one letter we get: (24+10)^4 = 1336336 possibilities. It would take 37 times longer to process those possibilities.
This post talks about brute-forcing a WPA password. The short answer is: yes, it is more secure to have a longer password. The question is the relative convenience of having a shorter password versus a more secure one - if it's your home wifi, you probably don't need a crazy long password, but if it's something more important, you should think twice about it.
Generally speaking yes, however I recommend never using words in your password and implementing a MAC address filter. Is this still possible to penetrate? Yes, but in most instances who would want to bother with a long password and MAC address filtering. Then again there is the WiFi Pineapple: or 4G dongles are much more secure, but again everything depends on the full application and budget.
The answers have explained most already. In practice, how long does it need to be? Probably longer than what the average person uses in practice, but less than some of the suggestions seen on the web. I set out to find out a reasonably secure size that is still easy enough to handle. Secure enough for me would be that an adversary with access to 10 top of the range PCs in 5 years (the time I will keep the password for) will still only have a 2% chance of cracking the password in 1 month. Adjust the numbers as you please. A very powerful adversary may have access to more computing power but will be unlikely to use it for a whole month.
So if you use a truly random passphrase, you can get away with 12 lower-case letters or 9-10 alphanumeric characters (upper and lower case letters plus digits). I like lower-case letters as you can type those into your mobile device easily. But there is absolutely no need to use overly complex, 50 character passphrases that utilise all kinds of special characters.
In general, yes! It is more secure to have a longer password, since the more characters the password has, the more complexity is added, thus making it harder for hackers to guess it using some of the tools available.
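The sizing argument in the answer above can be reproduced with a few lines of arithmetic. This is an added example, not part of the original answer; the per-machine guess rate is an assumption (the 6,819,000 hashes/second figure quoted further down this page is used as a stand-in), and the function names are made up for illustration. It applies only to truly random passphrases, not to phrases or repeated words.

```python
from math import log2

SECONDS_PER_MONTH = 30 * 24 * 3600

# Assumed per-machine rate (guesses/second); replace with a measured figure.
ASSUMED_RATE = 6_819_000


def attacker_guesses(rate=ASSUMED_RATE, machines=10, seconds=SECONDS_PER_MONTH):
    """Total guesses the modelled adversary can make in one campaign."""
    return rate * machines * seconds


def crack_probability(alphabet_size, length, **adversary):
    """Chance that a uniformly random passphrase falls inside the guessed range."""
    keyspace = alphabet_size ** length
    return min(1.0, attacker_guesses(**adversary) / keyspace)


def min_random_length(alphabet_size, max_success=0.02, **adversary):
    """Shortest random passphrase keeping the crack probability <= max_success."""
    length = 1
    while crack_probability(alphabet_size, length, **adversary) > max_success:
        length += 1
    return length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random passphrase, in bits."""
    return length * log2(alphabet_size)


if __name__ == "__main__":
    for name, size in [("digits", 10), ("lower-case", 26), ("alphanumeric", 62)]:
        n = min_random_length(size)
        print(f"{name:13s} min length {n:2d}  (~{entropy_bits(size, n):.0f} bits)")
```

Changing `max_success`, `machines` or `rate` shows how quickly the required length moves: each extra random character multiplies the attacker's work by the alphabet size.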
Agreed. Unfortunately, someone that sets a wifi network with a 64-character password and then sets another network SSID with a shorter password would remove the reason why the first SSID was set with 64-characters.
The chain is only as strong as its weakest link.
If your WiFi and networking is decent, you can HIGHLY restrict the capabilities of devices connected via that second SSID. My IoT network can ONLY access the internet, and is isolated from all the rest of my network.
My WiFi password is 63 characters long and I was able to connect my 955 to it. I think I used the Instant Keyboard when prompted by GCM this time around, which wasn't possible 6 months ago on my 945 LTE. Back then, I noted the following in a bug thread:
"I noticed a couple of WiFi password issues that have probably been around for a long time:
- When updating a password on the watch by using the Instant Keyboard in Garmin Connect Mobile for Android, there is a 24 character limit. The maximum key length is 63 characters for WPA-PSK/WPA2-PSK (actually, 64 if using only hex digits).
- When entering a password using the keyboard on the watch itself, it's not possible to input underscores (_). All ASCII characters should be available in order to account for all possible passwords.
Workaround for WiFi networks with a key length exceeding 24 characters and containing unavailable ASCII characters:
- In GCM, go to Garmin Devices > Forerunner 945 LTE > General > Wi-Fi > Add a Network, or select a previously added network and then Update Password. When you're not using the Instant Keyboard triggered by the watch requesting input, there is no 24 character limit."
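The 63-character (or 64 hex digit) limit mentioned in the post above follows from how WPA2-Personal turns the key into a 256-bit pairwise master key (PMK). The sketch below is an added example, not part of the quoted post or any vendor's code; the function names are made up for illustration. It shows which inputs a client must accept, including underscores and passphrases longer than 24 characters.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def classify_wpa2_key(key: str) -> str:
    """Classify user input as a WPA2-Personal passphrase or a raw 256-bit PSK."""
    # Exactly 64 hex digits: the key is used directly as the PMK.
    if len(key) == 64 and set(key) <= HEX_DIGITS:
        return "raw-psk"
    # Otherwise: 8 to 63 printable ASCII characters (codes 32..126).
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(key: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK the way WPA2-Personal does."""
    if classify_wpa2_key(key) == "raw-psk":
        return bytes.fromhex(key)
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.
    return hashlib.pbkdf2_hmac(
        "sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        "correct_horse_battery_staple_2024",  # 33 chars, contains underscores
        "x" * 63,                             # maximum passphrase length
        "ab" * 32,                            # 64 hex digits: raw PSK
        "short",                              # too short, rejected
    ]
    for s in samples:
        try:
            kind = classify_wpa2_key(s)
            print(f"{len(s):2d} chars -> {kind}, PMK {derive_pmk(s, 'ExampleNet').hex()[:16]}...")
        except ValueError as err:
            print(f"{len(s):2d} chars -> rejected: {err}")
```

Because the SSID is the salt, the same passphrase yields a different PMK on a differently named network, and the 4096 iterations are the only built-in cost slowing each offline guess.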
With one exception, the rules for a Wi-Fi password are the same as the rules for all other passwords. For example, using just lower case letters is a bad idea; it is better to include both upper and lower case letters along with numbers. WPA2 passwords can also contain a host of special characters as shown in the examples below. And, of course, don't use passwords that someone who knows you might be able to guess.
Many routers include default Wi-Fi password(s). In some cases, the default passwords look like they were randomly chosen. Do not trust this. Always pick new passwords. Perhaps the passwords were generated using a formula that someone has figured out. Perhaps employees of the company that made the router have access to all the passwords. For more on this, see Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers Usenix (Aug 2015).
The one exception is that Wi-Fi passwords really need to be long. The biggest mistake you can make, when choosing a Wi-Fi password, is to pick one that is too short. This is because WPA2 (a.k.a. WPA2-AES and WPA2-CCMP and WPA2 PSK and WPA2 Personal) offers no protection from a bad guy capturing network traffic and using a brute force attack to decrypt it off-line. The phrase "brute force" refers to making billions of guesses. The only defense against brute force attacks is a long password.
Another thing all passwords share is that random characters are not brutally important. The length of a password is generally considered more important than the randomness when it comes to defending against brute force guessing. So, yes, the password "D9fkhu28Fca4c5C9e3cc" is better than passwords such as "5BatteryHorseStaples" or "theSUNwillcomeupinAM" even though they are all 20 characters long. But a sufficiently long password does not need to consist of random gibberish. It is also important that people are able to say and type the password. No one would want to type the first password. None of the suggested passwords below are random.
Curious about just how many billions of guesses bad guys can make? This will always vary based on the hardware used for guessing. In addition, Paul Moore says (Passwords: Using 3 Random Words Is A Really Bad Idea! October 2017) it varies based on the hashing algorithm. A computationally expensive algorithm, SHA512, slows things down (with his hardware) to 8 billion a second. If a password is hashed with SHA256, then we can expect 23 billion guesses/second, with SHA1 expect 70 billion/second. The fastest, and thus least secure, algorithm is MD5. Moore says MD5 is still very common and it can be brute-forced at the rate of 200 billion guesses/second. An article linked to below discusses hardware that made 6,819,000 guesses/hashes per second.
Another type of attack guesses passwords using passwords that other people have already picked. This is called a dictionary attack and despite the name, it includes many passwords that are not words in the dictionary. Things like "Denver2013" or "I like MickeyMouse". Many websites have been breached over the years and bad guys can find massive databases of passwords that people have used in the past. Defending against a thorough dictionary attack means not using a password that any other human has used before. A tall order indeed, but not impossible.
For example, start with a name or address and then modify it a bit. If you live at 123 Main Street and like the Dallas Cowboys then maybe use "Dallas123MAINstreeetCowboys". This is unlikely to have ever been used before, even by another Cowboys fan with the same address. If I were to start with my name, I might use "xyzMICHAEL-horowitz" or "8888michaelQQQhorowitz". Neither is all that hard to remember and each is likely to be globally unique, even though my name is somewhat common.
Like the St. Louis Cardinals? "StanTheMan" is not a great choice. Start with the address of Busch stadium and modify it. For example, "700-clark-AVENUE-63102" and "700#CLARK#avenue#StLouisMO" are great passwords and other Cardinals fans are not likely to have used them. As for "StanTheMan", it can be improved with "stan--THE--man" or, better yet, "stanTHEmanmanmanman" and still be reasonably easy to say, remember and type.
As an example of why you should change the default password, the BBC had a story in May 2021 about a family that went through "utter hell" for months after the police came to their home and took all their electronic devices as part of an investigation into images of child abuse being posted online. Most likely, an innocent family was accused because they had not changed either the Wi-Fi password or the router password. This is far from the only such story. Their router was no help, but a Peplink router can offer a ton of details, after the fact, that would have shown if bad guys had been on the network.
In October 2021, Ido Hoorvitch of CyberArk walked around his neighborhood and sniffed information from 5,000 thousand Wi-Fi networks. He took this data back to his office and, using hashcat and other software, was able to calculate the password for 70 percent of the Wi-Fi networks. He abused a relatively new Wi-Fi attack on WPA2 Personal. The attack is based on recording the SSID, the hash of the PMKID, the MAC address of the router and the MAC address of a router client. A PMKID is used for roaming between Access Points. If you have a single router, there is no need for a PMKID, yet it was often present. The cracked passwords were often just numbers or just lower case letters. The lesson to be learned is that longer passwords and varied passwords are more resistant to this brute force attack. He did not say if the attack will work on WPA2 Enterprise or WPA3. He offered no advice on determining if your router is broadcasting a PMKID. See also 70% of Wi-Fi networks are easy to hack - how to protect yourself by Paul Wagenseil.