November 11th, 2005

How long does a WPA key need to be?

Posted by George Ou @ 1:38 pm

Categories: Mobile/Wireless, Networking, Security

[Updated 11/15/05 2:32 AM: Fixed math error] I’ve spent years telling people how to secure their Wireless LANs, but what generated the most interest was an article on what not to do.  When my "Six dumbest ways to secure a Wireless LAN" blog struck a nerve, people wanted to know an easy way to secure a home Wireless network.  My advice has usually been to use WPA-PSK (Wi-Fi Protected Access Pre-Shared Key), because it is the lowest common denominator that still offers a reasonable level of security.

The PSK is basically a secret string of characters designed to offer a simple way of securing a home wireless network.  Because there are WPA-PSK cracking tools that can run offline dictionary attacks, which allow a fast exhaustive search of likely passwords, WPA-PSK is vulnerable when simple pass phrases are used.  Many experts give differing opinions on how long a Pre-Shared Key should be, and many of them tell users to use very long pass phrases, well above 25 characters and all the way up to 64.  This has not only caused some confusion among users, but may also have intimidated them out of using WPA at all.  I’m going to try to settle this matter here and now, and show why you really only need around 8 or 9 characters for a WPA-PSK key to be reasonably safe, so long as your pass phrase is made up of random a-z and 0-9 alphanumeric characters.

The following table shows what happens when you increase the number of alphanumeric characters used for the WPA-PSK key, and what happens when you increase the number of cracking computers.  To compute this table, I took into account the following factors:

  • The best WPA-PSK cracker can check 100 PSKs per second on a very fast PC
  • Using a-z and 0-9 characters, there are 36 possibilities per character
  • Combinations of PSKs equals 36 raised to the number of characters used
  • Average cracking time (in years) equals combinations divided by 100 PSKs/sec divided by the number of cracking PCs divided by 60 sec/min divided by 60 min/hour divided by 24 hours/day divided by 365.24 days/year divided by 2

Alphanumeric characters | Years with 1 PC | Years with 10 PCs | Years with 100 PCs | Years with 1000 PCs
7                       | 12.4            | 1.24              | 0.12               | 0.01
8                       | 446.99          | 44.7              | 4.47               | 0.45
9                       | 16,092          | 1,609             | 161                | 16.1
10                      | 579,299         | 57,930            | 5,793              | 579

Based on the results, it’s clear that cracking an 8 character password is possible within a year using the computational power of 1,000 PCs, but it would be very expensive and impractical to target a home user with this level of computing power.  Physically breaking into your home would be much easier.  What this means is that it is perfectly safe to use an 8 character random alphanumeric key to secure a home Wireless LAN with WPA-PSK or WPA2-PSK, following these simple guidelines.  A random 8 character alphanumeric WPA-PSK key would look something like 2b8uwo35, which is very easy to handle.

Some people may ask why not use upper case letters too.  As it turns out, using upper case letters as well as lower case letters would make cracking the WPA PSK 26 times more difficult.  However, using just one extra alphanumeric character would make it 36 times more difficult to crack, and it’s much easier to type 9 lower case characters than 8 mixed upper and lower case characters.  What’s important is the amount of security gained for a given amount of effort, which makes lower case alphanumeric characters the best choice.  [My apologies for my sloppy math; my math teacher would be very ashamed of me now.  Upper case letters on an 8-character key would make it (62/36)^8, or about 77 times, more difficult to crack, which means using a few upper case letters would make the password much stronger and make it possible to use 7 characters instead of 8.  Thank you "rpmyers1" and "CPUWZD" for pointing this out.]  Using special characters is ill-advised because it not only makes the PSK harder to type, but also makes it susceptible to compatibility issues.  I’ve seen Wireless equipment that will ignore some special characters and cause connectivity issues.
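As an added illustration (not code from the post), the Python below rebuilds the table from the four factors listed above and carries the upper-case comparison through for any key length, so the corrected (62/36)^8 figure can be checked directly. The 100 guesses/sec/PC rate and the halving for average search time are taken from the post; the key generator uses Python's `secrets` module and is an addition.

```python
import secrets
import string

# Assumptions taken from the post: 100 PSK guesses per second per PC,
# and the average (not worst-case) search covers half the key space.
GUESSES_PER_SEC_PER_PC = 100
SECONDS_PER_YEAR = 60 * 60 * 24 * 365.24

LOWER_ALNUM = string.ascii_lowercase + string.digits   # 36 symbols (a-z, 0-9)
MIXED_ALNUM = string.ascii_letters + string.digits     # 62 symbols (a-z, A-Z, 0-9)


def keyspace(length, alphabet=LOWER_ALNUM):
    """Number of possible keys of the given length over the alphabet."""
    return len(alphabet) ** length


def average_crack_years(length, pcs=1, alphabet=LOWER_ALNUM,
                        rate=GUESSES_PER_SEC_PER_PC):
    """Expected years to hit a random key: half the keyspace searched at
    the combined guess rate of all PCs (the post's formula)."""
    total_rate = rate * pcs
    return keyspace(length, alphabet) / total_rate / SECONDS_PER_YEAR / 2


def crack_table(lengths=(7, 8, 9, 10), pc_counts=(1, 10, 100, 1000)):
    """Rebuild the post's table as {length: [years for each PC count]}."""
    return {n: [average_crack_years(n, pcs) for pcs in pc_counts]
            for n in lengths}


def mixed_case_factor(length):
    """How many times harder a mixed-case key of the same length is than a
    lower-case-only key: (62/36)**length, the post's corrected figure."""
    return keyspace(length, MIXED_ALNUM) / keyspace(length, LOWER_ALNUM)


def random_psk(length=8, alphabet=LOWER_ALNUM):
    """Generate a key with a CSPRNG; each symbol is drawn uniformly, so the
    keyspace figures above actually apply to the result."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n, years in crack_table().items():
        print(n, ["%.2f" % y for y in years])
    print("mixed case, 8 chars: %.1fx harder" % mixed_case_factor(8))
    print("example key:", random_psk())
```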

George Ou is Technical Director of ZDNet.

Talkback: 26 comments
Probability and statistics
Out of the set of all possible codes, enumerate the codes in some arbitrary (random) order for sequential testing. Assume the WPA code was randomly selected from the enumerated list of all possible co... (Read the rest)
Posted by: hevans@... Posted on: 12/28/07
Incorrect Calculation  jordan.d.miller | 11/11/05
Doh!  george_ou | 11/11/05
Could this be overly optimistic?  enduser_z | 11/11/05
No it isn't  george_ou | 11/11/05
SHA-1  rpmyers1 | 11/12/05
That's talking about hash collisions  george_ou | 11/12/05
More incorrect calculations  rpmyers1 | 11/12/05
Man, I need to hit myself on the head  george_ou | 11/12/05
I should have checked your math  george_ou | 11/15/05
another possible math problem / omission from formula george  Valis Keogh | 11/12/05
One edit killed another  george_ou | 11/12/05
that's the beauty of blogs  Valis Keogh | 11/13/05
Let's not forget...  Chad Strunk | 11/14/05
Nothing wrong with it  george_ou | 11/14/05
Wireless w/ a Firewall  Scrappy T | 11/14/05
Yes, but a lot more sloppy  george_ou | 11/14/05
Your math is still wrong  cpuwzd | 11/14/05
How is it wrong?  george_ou | 11/15/05
Sorry, I missed that mistake  george_ou | 11/15/05
Setting the math errors aside,  netstuffster | 11/15/05
Not correct  george_ou | 11/15/05
How so?  Scrappy T | 11/18/05
Not only can it be done offline, but pre-offline  george_ou | 11/19/05
Division by 2?  vpan | 05/17/07
Probability and statistics  hevans@... | 12/28/07