Details of a good WPA2 pre-shared key (password)?
From the following answer, I understand a strong pre-shared key must be 15 characters at minimum and randomly generated:
https://security.stackexchange.com/a/56646/37051
However, from other reading, I understand that cryptographically strong passphrases can be made with diceware tools such as this one:
https://www.rempe.us/diceware/#eff
An example of a diceware-generated passphrase is:
under-chrome-obedience-navigator-shaping-stability-barracuda
Comparing that to a 15 character random password such as this, which is better as a WPA2 pre-shared key?
z9zaBQj&$#7&Fpg
If the usage was not WPA2, I would pick the diceware passphrase because it is much longer while also being easier to use correctly (memorize, enter, etc.). However, I assume WPA2 may change the decision in some way. So, what is the best WPA2 pre-shared key generation method? And how long should it really be?
passwords wpa2 wpa2-psk
asked 4 hours ago
MountainX
2 Answers
accepted
The most common WPA attacks rely on capturing enough information by monitoring network traffic in order to guess the password used to derive the PSK.
The 2 main methods of guessing are brute force and dictionary. If an attacker knew you were using the word-word-word approach, that password could be subject to a modified dictionary attack.
The 15 character password could be brute forced if the attacker had enough resources ($$$ for cloud VMs). Every extra character makes the time to brute force a pass exponentially more difficult.
In the end, as long as you at least slightly modify the word-word-word approach, that would be a far better password than a random 15 character one. When choosing a password it's not good to use a known format, so modifying it slightly is a good idea.
FYI, you may want to:
disable roaming features https://www.theregister.co.uk/2018/08/06/wpa2_wifi_pmkid_hashcat/
disable WPS https://null-byte.wonderhowto.com/how-to/hack-wpa-wpa2-wi-fi-passwords-with-pixie-dust-attack-using-airgeddon-0183556/
Both of those attacks are new to 2018.
answered 3 hours ago
Daisetsu
Thank you. What are the "roaming features" referred to in that article? I am not aware of any setting on my router that would enable roaming.
– MountainX
3 hours ago
Roaming is used on enterprise configurations when a device moves to an area better served by another access point networkcomputing.com/wireless-infrastructure/…. You probably don't have it enabled already.
– Daisetsu
3 hours ago
Contrary to the accepted answer, a random multiword passphrase is not subject to what we usually mean when we say "dictionary attack". Your seven-word Diceware-based example above, if truly randomly generated, would be randomly located in a pool of 1.7x10^27 possibilities (we often use "keyspace" as shorthand for this).
This keyspace is roughly the equivalent of a 13-character password randomly generated from the entire 95-character printable ASCII character set. Even if the password hashing method was a very fast hash (such as MD5), a 1x10^27 password cannot be exhausted simply by renting a few (or a few racks) of GPUs.
If this seems counter-intuitive, I encourage you to do the math. If you calculate how long it would take to exhaust a 1x10^27 space - see this excellent Jeremi Gosney rant on Twitter - then unless the NSA is after you (in which case, they're not going to bother with your WPA2 passphrase), either of these password methods is more than sufficient ... even if your password is stored using a really fast/bad hash like MD5.
But in this case, we're not talking about MD5. We're talking about WPA2, for which cracking speeds are much slower - for example, on the order of 2.5 million hashes per second on a 6x 1080 GPU rig. That may sound fast, but again - do the math. Even if you assume capabilities of a trillion passwords per second (nation-state grade, which would be silly, as noted above) ... it would still take 1x10^27 / (1000000000000 * 60 * 60 * 24 * 365) or on the order of 10^7 or 10,000,000 years to fully exhaust the keyspace.
Your seven-word Diceware passphrase is not even faintly vulnerable to a "dictionary attack". You could literally tell a professional password cracker with a roomful of GPUs exactly which dictionary you used, what the separator is, that they're all lower case, and that there are seven words in the passphrase ... and they wouldn't be able to crack that WPA2 in your lifetime.
And even if I made three major errors in this math (which is likely, since I'm typing fast) ... and even each of those errors makes my math off by an order of magnitude ... that's still 10,000 years.
Diceware passwords are considered to be strong for a good reason: the math doesn't lie. And they're great for WPA2 because they're easy to type into all the weird wireless gear you have in your life.
edited 1 hour ago
answered 1 hour ago
Royce Williams
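The keyspace arithmetic from the answer above, together with the WPA2-PSK passphrase limits and key derivation, as an added Python example that is not part of either answer. The SSID passed to `derive_psk` and the eight-word `DEMO_WORDLIST` are constructed; a real generator would load a full 7776-word Diceware list.

```python
import hashlib
import math
import secrets

SECONDS_PER_YEAR = 60 * 60 * 24 * 365
DICEWARE_WORDS = 6 ** 5              # 7776 entries: five dice rolls pick one word
PRINTABLE_ASCII = 95                 # character set size used in the answer
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63   # passphrase length limits for WPA2-PSK


def keyspace(symbols: int, length: int) -> int:
    """Number of equally likely secrets when every position is chosen at random."""
    return symbols ** length


def equivalent_length(space: int, symbols: int = PRINTABLE_ASCII) -> float:
    """Length of a random password over `symbols` that has the same keyspace."""
    return math.log(space) / math.log(symbols)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / (guesses_per_second * SECONDS_PER_YEAR)


def is_valid_wpa2_passphrase(passphrase: str) -> bool:
    """WPA2-PSK accepts 8 to 63 printable ASCII characters."""
    return (WPA2_MIN_LEN <= len(passphrase) <= WPA2_MAX_LEN
            and all(32 <= ord(c) <= 126 for c in passphrase))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK: PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations.

    The iteration count is why each guess costs far more than one fast hash.
    """
    if not is_valid_wpa2_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_passphrase(wordlist, n_words: int = 7, sep: str = "-") -> str:
    """Pick words with a CSPRNG and redraw until the result fits WPA2's limit.

    Redrawing discards over-long combinations, so the effective keyspace is
    slightly smaller than len(wordlist) ** n_words.
    """
    shortest = n_words * min(map(len, wordlist)) + len(sep) * (n_words - 1)
    if shortest > WPA2_MAX_LEN:
        raise ValueError("no combination of these words fits in 63 characters")
    while True:
        candidate = sep.join(secrets.choice(wordlist) for _ in range(n_words))
        if is_valid_wpa2_passphrase(candidate):
            return candidate


# Constructed stand-in list for the demo only (8 words, far too small for real use).
DEMO_WORDLIST = ["under", "chrome", "obedience", "navigator",
                 "shaping", "stability", "barracuda", "lantern"]

if __name__ == "__main__":
    diceware7 = keyspace(DICEWARE_WORDS, 7)
    random15 = keyspace(PRINTABLE_ASCII, 15)
    for label, space in (("7 Diceware words", diceware7),
                         ("15 random ASCII", random15)):
        print(f"{label}: {space:.2e} candidates, {math.log2(space):.1f} bits, "
              f"{years_to_exhaust(space, 1e12):.1e} years at 1e12 guesses/s, "
              f"{years_to_exhaust(space, 2.5e6):.1e} years at 2.5e6 guesses/s")
    print(f"7 words ~ {equivalent_length(diceware7):.2f} random ASCII characters")
    print("sample passphrase:", generate_passphrase(DEMO_WORDLIST))
    print("PSK:", derive_psk("z9zaBQj&$#7&Fpg", "ExampleSSID").hex())
```
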