How long should a WPA password be?

Questions about WIFI networks and devices
ganamant
Level 4
Posts: 383
Joined: Sun Mar 29, 2015 4:08 pm

How long should a WPA password be?

Post by ganamant » Thu Mar 28, 2019 9:06 am

I have an 18 character long password for my WLAN, with mixed letters, digits and punctuation. No real words, birth dates or other silly things, of course. It was pseudo-randomly generated with a few dice rolls thrown in just for fun. I think it's secure enough, but feel free to say otherwise if for some reason you feel like it.

On the other hand, from time to time I need a guest password that I can easily write down and hand out to somebody. As I don't trust my guests to be diligent with it I revoke the password as soon as the need for it ceases and find something new next time. For this second scenario, I need something as easy, as short and as hassle-free as possible, while still retaining reasonable security over a period of time of a couple of days. What is the minimum recommended length? Ideally, I would prefer uppercase letters and digits only. There is also a cryptographic problem that I can't quite get the hang of: provided that an adversary has no idea that I left out lowercase letters on purpose, is such a password still less secure, or does it not count any more, since the cracker will still have to try upper/lowercase combinations, unaware of the fact that a smaller pool of characters would suffice in that case?

Pjotr
Level 21
Posts: 13146
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: How long should a WPA password be?

Post by Pjotr » Thu Mar 28, 2019 9:18 am

Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

AndyMH
Level 8
Posts: 2384
Joined: Fri Mar 04, 2016 5:23 pm
Location: Wiltshire

Re: How long should a WPA password be?

Post by AndyMH » Thu Mar 28, 2019 7:46 pm

Doesn't answer your question on length, but I have thought of using https://what3words.com/ as a source for passwords that I might, just, remember.
Homebrew i5-8400+GTX1080 Cinnamon 19.0, 3 x Thinkpad T430 Cinnamon 19.0, i7-3632 , i5-3320, i5-3210, Thinkpad T60 19.0 Mate

lsemmens
Level 8
Posts: 2338
Joined: Wed Sep 10, 2014 9:07 pm
Location: Rural South Australia

Re: How long should a WPA password be?

Post by lsemmens » Fri Mar 29, 2019 2:29 am

How long is a piece of string? Depends upon what you need to secure will depend upon how much you can afford to lose. That said, my network is easily accessible, and I've only once had a breach and that was back when I had failed to change the default network password. My own fault. No, I did not lose anything, but I was accused of something quite heinous as a result. Yes, I understand the need for privacy, but, what is so critical that you need a gigabyte of passwords? Typically a relatively simple password is all you need.
Kernel: 4.15.0-46-generic x86_64 bits
Desktop: Cinnamon 3.8.9
Distro: Linux Mint 19 Tara

Laptop HP-ProBook-470-G2 8Gb RAM SSD
Server AMD Phenom 9650 - GEForce 9400GT 6Gb RAM
+ three other Mint machines
Out of my mind - please leave a message

gm10
Level 18
Posts: 8683
Joined: Thu Jun 21, 2018 5:11 pm

Re: How long should a WPA password be?

Post by gm10 » Fri Mar 29, 2019 2:44 am

ganamant wrote:
Thu Mar 28, 2019 9:06 am
There is also a cryptographic problem that I can't quite get the hang of: provided that an adversary has no idea that I left out lowercase letters on purpose, is such a password still less secure, or does it not count any more, since the cracker will still have to try upper/lowercase combinations, unaware of the fact that a smaller pool of characters would suffice in that case?
That's not so much a cryptographic problem as much as it is you betting on the design of the rainbow table, dictionary or brute force algorithm somebody may be using to break your password. That's a bit like saying that the one-letter password "z" is more secure than "a" because an attacker would try "a" first. It can be true, but it can also be the opposite.

Faust
Level 4
Posts: 497
Joined: Thu Jul 14, 2016 3:40 am

Re: How long should a WPA password be?

Post by Faust » Fri Mar 29, 2019 3:37 am

How long should a WPA password be?

Infinitely long .... :mrgreen:
gm10 wrote:
Fri Mar 29, 2019 2:44 am
That's not so much a cryptographic problem as much as it is you betting on the design of the rainbow table, dictionary or brute force algorithm somebody may be using to break your password.
.......
Bingo !
Well said .

Just for chuckles , I've kept an internet-facing Raspberry Pi running 24/7 for months .
The hostname is the default "Pi" and I have deliberately left port 22 open ( so it looks like "low-hanging fruit" for Mr Robot wannabees )
Fail2ban logs all access attempts by human beans , skiddies , aliens , sniffer bots , and whatever else .

The password conforms to those typically "recommended " for wpa2 .
The logs can be fascinating !
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

jchelpau
Level 3
Posts: 100
Joined: Mon Mar 25, 2019 11:19 pm
Location: Australia

Re: How long should a WPA password be?

Post by jchelpau » Fri Mar 29, 2019 6:06 am

WPA2 passwords can be guessed offline, so let's do some math...
A GTX 1080 at the moment is $800 so let's assume your attacker has that.
According to this benchmark it gets ~8600 million SHA1 guesses a second.
According to this StackOverflow post a WPA2 password takes at least 4096 SHA1 guesses to guess. This gives around ~2.1 million password guesses a second.
There's around 2678400 seconds in a month (31 days.) So if you change the password monthly, that's 5,356,800,000,000 guesses a month.
So now we want to pick a search space that has that many passwords.
But if we do that, they'll 100% find it within a month. So let's multiply that by ten to give them a 10% chance of finding it.
Uppercase only letters and digits is 36 possibilities per character. So 53,568,000,000,000 log 36 is 8.8, rounding up to 9.
For something more memorable, pick words from a dictionary. A dictionary containing 2000 words (53,568,000,000,000 log 2000) is 3.8, rounded up to 4 words.
A 9 character random password or 3 words random from a 2000 word dictionary will hold off a basic attacker for a month.
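Added example, not part of jchelpau's post: the sizing calculation above carried through in Python from the post's own inputs (8600 million SHA1/s, 4096 SHA1 per guess, a 31-day window, a 10% chance of success), plus a generator that draws a guest password of the resulting length. All function and constant names are this example's own, the 32-symbol pool without O/0/I/1 is an added assumption for hand-written notes, and the numbers only hold for passwords chosen uniformly at random.

```python
import math
import secrets
import string

# Inputs quoted in the post above; treat them as assumptions and adjust as needed.
SHA1_PER_SECOND = 8600e6           # GPU SHA1 rate from the benchmark the post cites
SHA1_PER_GUESS = 4096              # the post's stated lower bound per WPA2 guess
WINDOW_SECONDS = 31 * 24 * 3600    # 2,678,400 s: how long the password stays in use
MAX_SUCCESS = 0.10                 # chance of success the defender accepts

# Constructed symbol pools (names are this example's own).
UPPER_DIGITS = string.ascii_uppercase + string.digits                # 36 symbols
UNAMBIGUOUS = "".join(c for c in UPPER_DIGITS if c not in "O0I1")    # 32 symbols


def required_search_space(rate=SHA1_PER_SECOND, per_guess=SHA1_PER_GUESS,
                          window=WINDOW_SECONDS, max_success=MAX_SUCCESS):
    """Number of equally likely passwords needed so that exhaustive guessing
    over the whole window covers at most max_success of them."""
    guesses_in_window = rate / per_guess * window
    return guesses_in_window / max_success


def min_symbols(pool_size, search_space):
    """Smallest n such that pool_size ** n >= search_space."""
    if pool_size < 2:
        raise ValueError("pool must contain at least two symbols")
    n = 1
    while pool_size ** n < search_space:
        n += 1
    return n


def guest_password(pool=UNAMBIGUOUS, search_space=None):
    """Uniformly random password from the OS CSPRNG, sized for the pool."""
    if search_space is None:
        search_space = required_search_space()
    # WPA2 passphrases must be 8 to 63 characters long.
    n = max(8, min_symbols(len(pool), search_space))
    return "".join(secrets.choice(pool) for _ in range(n))


if __name__ == "__main__":
    space = required_search_space()
    print(f"search space needed: {space:.3e}")
    for label, size in [("A-Z0-9", 36), ("a-zA-Z0-9", 62),
                        ("A-Z0-9 without O0I1", 32), ("2000-word list", 2000)]:
        print(f"{label:>20}: {min_symbols(size, space)} symbols")
    print("guest password:", guest_password())
```

A larger pool lowers the required length and a smaller one raises it; passing a higher `per_guess` or a shorter `window` shrinks the search space the same way.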

AZgl1500
Level 10
Posts: 3474
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes sweeping down the plains

Re: How long should a WPA password be?

Post by AZgl1500 » Fri Mar 29, 2019 8:49 am

8 characters is usually enough for simple things that I don't care about, and can change easily and not be blocked from it even if it got hacked.

for my WiFi we were required to use 13 characters because of an Epson printer of all damn things!
it would not accept fewer than 13 characters.

for social media, I go 24 characters... :wink:

FWIW, my accounts have never been hacked, but I know of a lot that have.

I just don't tread where the bad hackers like to live. 8)

gm10
Level 18
Posts: 8683
Joined: Thu Jun 21, 2018 5:11 pm

Re: How long should a WPA password be?

Post by gm10 » Fri Mar 29, 2019 8:57 am

AZgl1500 wrote:
Fri Mar 29, 2019 8:49 am
FWIW, my accounts have never been hacked,
How would you know?

My WPA2 password is 63 characters by the way, I don't understand why you would skimp on security, it's a one-time cost entering the thing in every device, and then you'll never have to worry about it again, nobody will ever brute force that unless a flaw in the algorithm gets detected (see WEP), at which point it wouldn't matter, anyway.

AZgl1500
Level 10
Posts: 3474
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes sweeping down the plains

Re: How long should a WPA password be?

Post by AZgl1500 » Fri Mar 29, 2019 9:06 am

gm10 wrote:
Fri Mar 29, 2019 8:57 am
AZgl1500 wrote:
Fri Mar 29, 2019 8:49 am
FWIW, my accounts have never been hacked,
How would you know?

My WPA2 password is 63 characters by the way, I don't understand why you would skimp on security, it's a one-time cost entering the thing in every device, and then you'll never have to worry about it again, nobody will ever brute force that unless a flaw in the algorithm gets detected (see WEP), at which point it wouldn't matter, anyway.
I'm on the move so much, they can't find me.
I was in Savannah, Georgia 2 days ago.
today I am in a rural RV park south of Macon, Georgia, Tomorrow I will be near an Air Force base at a rest stop,

in 2 days I will be somewhere in northern Georgia camped out behind my son's house....

my LTE modem lets me go where I want to go, I carry my internet with me now...

I think there is too much paranoia about passwords, except for cloud stuff like bank accounts.
there I use a password manager because I can't remember it anyway.

and on my bank account, I have instant SMS text message alerts for any transaction.

gm10
Level 18
Posts: 8683
Joined: Thu Jun 21, 2018 5:11 pm

Re: How long should a WPA password be?

Post by gm10 » Fri Mar 29, 2019 9:16 am

AZgl1500 wrote:
Fri Mar 29, 2019 9:06 am
I'm on the move so much, they can't find me.
That's a fair point. I live in the city so I have to assume some script kiddy is maxing out their GPUs wardriving the neighbourhood. :mrgreen:

Pippin
Level 4
Posts: 271
Joined: Wed Dec 13, 2017 11:14 am
Location: NL/DE/TH

Re: How long should a WPA password be?

Post by Pippin » Fri Mar 29, 2019 11:26 am

AZgl1500 wrote:
Fri Mar 29, 2019 9:06 am
I'm on the move so much, they can't find me.
Now they can:
I was in Savannah, Georgia 2 days ago.
today I am in a rural RV park south of Macon, Georgia, Tomorrow I will be near an Air Force base at a rest stop,
...
in 2 days I will be somewhere in northern Georgia camped out behind my son's house....
...
;)
Everything is electric.

fstjohn
Level 3
Posts: 123
Joined: Fri Jan 02, 2015 3:21 pm
Location: Georgia

Re: How long should a WPA password be?

Post by fstjohn » Fri Mar 29, 2019 4:29 pm

Living in a rural area with no close neighbors the only WIFI signals I can see are my own, so not a lot of chance of an interloper. I use Lastpass for all my passwords including WIFI, but a simple one for the guest channel, so I don't have to look it up to pass it on to a guest. The master p/w for Lastpass is a rather long passphrase - a line buried in the middle of an epic poem that I memorized as a kid. BTW I use 2FA on Lastpass and everywhere else I can where it's offered.

fstjohn
Level 3
Posts: 123
Joined: Fri Jan 02, 2015 3:21 pm
Location: Georgia

Re: How long should a WPA password be?

Post by fstjohn » Fri Mar 29, 2019 4:43 pm

jchelpau wrote:
Fri Mar 29, 2019 6:06 am
WPA2 passwords can be guessed offline, so let's do some math...
A GTX 1080 at the moment is $800 so let's assume your attacker has that.
According to this benchmark it gets ~8600 million SHA1 guesses a second.
According to this StackOverflow post a WPA2 password takes at least 4096 SHA1 guesses to guess. This gives around ~2.1 million password guesses a second.
There's around 2678400 seconds in a month (31 days.) So if you change the password monthly, that's 5,356,800,000,000 guesses a month.
So now we want to pick a search space that has that many passwords.
But if we do that, they'll 100% find it within a month. So let's multiply that by ten to give them a 10% chance of finding it.
Uppercase only letters and digits is 36 possibilities per character. So 53,568,000,000,000 log 36 is 8.8, rounding up to 9.
For something more memorable, pick words from a dictionary. A dictionary containing 2000 words (53,568,000,000,000 log 2000) is 3.8, rounded up to 4 words.
A 9 character random password or 3 words random from a 2000 word dictionary will hold off a basic attacker for a month.
Unless you're NSA, the Pentagon or ISIS Headquarters nobody's going to spend a solid month trying to break your WIFI password. Absolutely guaranteed. Just use a password manager or pick a reasonably obscure phrase you can remember. You'll be as safe as a baby in a crib.

Bobb24
Level 1
Posts: 20
Joined: Sun Mar 10, 2019 12:12 pm

Re: How long should a WPA password be?

Post by Bobb24 » Thu Apr 18, 2019 5:30 pm

I just assumed that 63 is what everyone was using if not using default so I just opened text editor and typed random keystrokes and left a space between each group of five characters so I could easily see that I had hit 60. Then I typed 3 more and saved the file. Copied it to a flash drive and copied it to each device. Copy and paste to connect when needed. I've changed it a couple of times but that's how I did it since I'm not knowledgeable about security matters. Nobody else doing this?

gm10
Level 18
Posts: 8683
Joined: Thu Jun 21, 2018 5:11 pm

Re: How long should a WPA password be?

Post by gm10 » Thu Apr 18, 2019 5:38 pm

Bobb24 wrote:
Thu Apr 18, 2019 5:30 pm
Nobody else doing this ?
It's easier with a password generator. But copying it between devices in one way or another, certainly, I'm not going to type it by hand.

Bobb24
Level 1
Posts: 20
Joined: Sun Mar 10, 2019 12:12 pm

Re: How long should a WPA password be?

Post by Bobb24 » Thu Apr 18, 2019 6:06 pm

I had to type it by hand for an iPad in the house because I couldn't connect a USB to it. Onscreen keyboard is a pain in the ass to switch between characters, numbers and symbols. Really find iPad to be useless.

gm10
Level 18
Posts: 8683
Joined: Thu Jun 21, 2018 5:11 pm

Re: How long should a WPA password be?

Post by gm10 » Thu Apr 18, 2019 6:14 pm

Bobb24 wrote:
Thu Apr 18, 2019 6:06 pm
I had to type it by hand for an iPad in the house because I couldn't connect a USB to it. Onscreen keyboard is a pain in the ass to switch between characters, numbers and symbols. Really find iPad to be useless.
Definitely. Another option in such a case is to set a simple 1 character password on the wifi just long enough to copy the real password over, then put the real password in on both ends.

jchelpau
Level 3
Posts: 100
Joined: Mon Mar 25, 2019 11:19 pm
Location: Australia

Re: How long should a WPA password be?

Post by jchelpau » Thu Apr 18, 2019 7:11 pm

Bobb24 wrote:
Thu Apr 18, 2019 5:30 pm
I just assumed that 63 is what everyone was using if not using default so I just opened text editor and typed random keystrokes and left a space between each group of five characters so I could easily see that I had hit 60. Then I typed 3 more and saved the file. Copied it to a flash drive and copied it to each device. Copy and paste to connect when needed. I've changed it a couple of times but that's how I did it since I'm not knowledgeable about security matters. Nobody else doing this?
Humans don't provide enough randomness for this to be a good key. Consider using a random password generator instead.

lsemmens
Level 8
Posts: 2338
Joined: Wed Sep 10, 2014 9:07 pm
Location: Rural South Australia

Re: How long should a WPA password be?

Post by lsemmens » Fri Apr 19, 2019 11:06 pm

jchelpau wrote:
Fri Mar 29, 2019 6:06 am

Uppercase only letters and digits is 36 possibilities per character. So 53,568,000,000,000 log 36 is 8.8, rounding up to 9.
Most people also use lower case letters too, so that increases possibilities by another 26. so, assuming your algorithm is correct it would be
53,568,000,000,000 log 62 = 9.6 rounded up to 10 x 10^13
