Thread: Time Analysis of WPA brute-forcing

1. Stop TALKING ;D Get on Bruteforcing ....you know time is running fast ;D

2. Originally Posted by Reeth
Stop TALKING ;D Get on Bruteforcing ....you know time is running fast ;D
Pyrit's author has posted some new results along with a new version. Here's a back-of-the-envelope calculation to whet your appetite (or make you cry yourself to sleep tonight):

Assume you wish to crack an 8-character password consisting of all lowercase English letters. That means:
26^8 = 208,827,064,576 different passwords.
208.8 Billion * (1 second / 215 keys) * (1 hour / 3600 seconds) * (1 week / 168 hours) = 1605.9 weeks = 30.88 years(!)

If you can crack faster, change the 215 keys to a larger number. As of 10-Jun-2009, pyrit’s author reports a quad-SLI equipped machine running 4 GTX-295 cards will do 84,718 keys per second. That means:
208.8 Billion * (1 second / 84,718 keys) * (1 / 604800) = 4.0756 weeks.

Running a brute force for 4.0756 weeks is within the realm of possibility.

I expect follow-up posts explaining why 8 lowercase letters will probably not be chosen by the typical router admin, but the numbers speak for themselves. My point is that the "low-hanging fruit" of weak WPA passwords just got a bit easier to discover, with time and money.

As always, only run a crack against your own WPA password, collected from your own network, or one you have permission to test. Let's not break any laws, folks.

References:
pyrit - Google Code
Pyrit

3. Originally Posted by kidFromBigD
My point is that the "low-hanging fruit" of weak WPA passwords just got a bit easier to discover, with time and money.
Don't forget motivation.

Just because something is possible does not mean anyone has interest in wasting resources (time/money/effort) attacking you.

Motivation (which in this case is highly tied to the data you possess/process) is an important factor when performing a Threat & Risk Assessment of your network and the ways you protect it.

4. WPA vs WPA2

My security admins keep asking when we will move from WPA to WPA2.
Given a password between 20 and 63 random chars,
what advantages will WPA-2 PSK bring?

5. Originally Posted by rexnik
My security admins keep asking when we will move from WPA to WPA2.
Given a password between 20 and 63 random chars,
what advantages will WPA-2 PSK bring?
Did you read any of this thread??

6. Originally Posted by Barry
Did you read any of this thread??
Yes I have read the thread.

My belief before reading the thread was that provided the key was a reasonably long random "string" then WPA-1 is currently uncrackable.
The thread seems to confirm this although no mention is made (or I missed it) as to whether the calculations are for WPA-1 or WPA-2.

I asked the question because I couldn't reconcile why the sec admins keep pushing for WPA-2 PSK.

7. Originally Posted by rexnik
Yes I have read the thread.

My belief before reading the thread was that provided the key was a reasonably long random "string" then WPA-1 is currently uncrackable.
The thread seems to confirm this although no mention is made (or I missed it) as to whether the calculations are for WPA-1 or WPA-2.

I asked the question because I couldn't reconcile why the sec admins keep pushing for WPA-2 PSK.
Because it's more secure; WPA2 with a good password is fairly uncrackable. WPA2 uses better encryption, AES. WPA2 also has better roaming capability between access points on the same network.
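Added example, not part of any post in this thread: the arithmetic from post 2 as a passphrase-policy estimator, extended to the 20 and 63 random-character cases asked about in post 4. It also shows the per-guess cost behind the keys-per-second figures, the PBKDF2-HMAC-SHA1 derivation that WPA-PSK and WPA2-PSK share (a fact from the 802.11i standard, not from the thread). Function names, the 95-character printable-ASCII alphabet and the sample SSID are assumptions; the two rates are the ones quoted in post 2.

```python
import hashlib

SECONDS_PER_WEEK = 604800   # same divisor as in post 2
PRINTABLE_ASCII = 95        # assumption: passphrase drawn from ASCII 32..126
RATES = {"215 keys/s": 215, "84,718 keys/s (4x GTX-295)": 84718}  # figures quoted in post 2

def pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> 256-bit pairwise master key.

    WPA-PSK and WPA2-PSK share this derivation: PBKDF2-HMAC-SHA1,
    4096 iterations, SSID as salt. Each guess costs one such call,
    which is what keeps the keys-per-second figure low.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly this length."""
    return alphabet_size ** length

def weeks_to_exhaust(alphabet_size: int, length: int, keys_per_second: float) -> float:
    """Worst case: every candidate is tried (the average is half of this)."""
    return keyspace(alphabet_size, length) / keys_per_second / SECONDS_PER_WEEK

def policy_table():
    """Weeks to exhaust each policy at each rate, as (policy, rate, weeks) rows."""
    policies = [("8 lowercase letters", 26, 8),
                ("20 random printable", PRINTABLE_ASCII, 20),
                ("63 random printable", PRINTABLE_ASCII, 63)]
    rows = []
    for name, size, length in policies:
        for label, rate in RATES.items():
            rows.append((name, label, weeks_to_exhaust(size, length, rate)))
    return rows

if __name__ == "__main__":
    # Constructed sample SSID and passphrase, for illustration only.
    print("PMK:", pmk("correct horse battery", "example-ssid").hex())
    for name, label, weeks in policy_table():
        print(f"{name:22} @ {label:28} {weeks:.4g} weeks")
```

Because the SSID is the salt, a table of precomputed keys is only valid for one network name, and because the derivation is identical in WPA and WPA2, these estimates apply to both.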
