How strong does your WiFi password need to be?

Regardless of what you may think about your appeal as a hacking target, cyber security is a real issue for everyday people in the 21st century. Whether it be organised criminals wanting to profit off your identity and empty your bank accounts, or some vindictive script kiddie wanting to mess with your life over some perceived online slight, we have a responsibility to protect ourselves and our families information.

The subject of Home cyber security could take us in many directions, but as our homes become increasingly wireless it seems like a good time to revisit the first line of defence. You’re front door, and the key used to open it, is now your WiFi network and it’s authentication process. You might say that’s all well and good, but what use is the hassle of a strong complex password if the system can be hacked regardless. The good news is that the current wireless security standards are still reasonably robust, but that concern is valid, so we should stake a look at the state of play first.

WiFi Vulnerabilities

There is one wireless feature that should absolutely be disabled on any router that still offers it. WPS, or WiFi Protected Security, is a standard that was introduced to make it easy for folks to join the default WiFi network of their fancy new router. The problem is that the standard was poorly designed, and the 8 digit PIN that is provided to connect to the network can actually be split in half and guessed as two 4 digit PINS. As a 4 digit PIN only has 10,000 possible combinations, this can be brute forced trivially. Rest assured that any newer routers won’t even support this, thankfully, but don’t take any chances. Check your router settings, and make sure to turn it off if it’s there.

The next point of attack would be the authentication to the network. This is the algorithm that defines how passwords are handled and what encryption is used between devices, which in turn allows communication on the network. There have been a handful of accepted standards in the life of the common WiFi protocol (IEEE 802.11), notably WEP and WPA. Both WPA and the older WEP protocol are open to attack. The level of difficulty is what matters though. WEP is fundamentally flawed, and with the use of freely available tools on the internet can be broken in a matter of seconds.

WPA has the option of two security mechanisms to manage keys and encryption, TKIP and AES. TKIP is vulnerable to a packet injection attack, and is considered legacy as it was only created to provide an upgrade path for WEP devices. It has since been deprecated, and should not be used if your router offers it. What remains is using the AES encryption protocol via PSK (Pre-Shared Key). The AES cipher remains robust, and as such there is no attack able to break the encryption itself. That leaves brute force guessing of the password.

Bute Force attack is the most common threat to password based security. It basically means running through a bunch of character combinations to find the one that works. This can obviously be very time consuming, so dictionary attacks are combined to speed things up. A ‘dictionary’ in this case is a pre-defined list of common passwords, dictionary words (with typical substitutions included, P@$$w0rd anyone?), and phrases that are known or thought to be used as passwords. This list can contain millions of possibilities and are constantly evolving based on leaked password databases and social trends.

Doing this on the actual network is not viable as it’s too slow. But WPA is vulnerable to a handshake capture attack. This is where the password can be captured during the connection phase and taken offline. Once in the hands of an attacker they can run highly accelerated guesses on the password at their leisure. This is where the password strength comes in.

Password Strength

In terms of protecting against brute force attack we need to consider several elements. The search space (the number of possible characters in use), key length (how long is it), and dictionary attacks. 

What the search space does is change how many combinations of characters an attacker has to guess, for each character in the password. If you only use numbers, then the search space is 10 (the digits 0 to 9), and if you only use lowercase letters, it’s 26. The key thing to remember is that any other character that you use increases the search space by a lot because an attacker doesn’t know where it was used, or how many times. If there is a letter in there somewhere, all letters have to be checked on every character. Using all lowercase letters with a single digit in the password somewhere increases the search space to 36. Adding a capital letter increases it to 62, and so on. When multiplied by the number of characters in the password, it has an exponential effect on the number of possible guesses required. 

By way of example: A 16 letter password using only lower case letters yields a brute force time of about 14 years. Adding a single upper case letter increases this to over 400,000 CENTURIES.

To see the effect of this on your passwords, you can use the free Password Haystacks tool (to see if you’re hiding your needle in the haystack of possible guesses effectively) . The effectiveness of brute forcing tools increasing rapidly with computing power, but this tool uses a very conservative estimate for the guess rate to compensate. To be sure, base your results on the last option (Massive Cracking Array Scenario). Even today, this is an unlikely rate for real world hackers, but with dedicated FPGA cracking hardware out there, the guess rate is shooting up for those that have the cash.

You may be sceptical about putting your password into a webpage, but remember that the password in isolation is useless without context (what is it the password for?). Also note that the tool does not take your password anywhere. The calculations are done purely in your browser by embedded scripts. You can examine the JavaScript on the page to confirm it’s not doing anything nefarious if you wish, but I’ve already done that for you.

Pracitcal Passwords

As the note on the haystacks page points out, length and a large search space are useless if the password is in a dictionary, so we need to consider what we use in the password as well. Does this mean you need a horrible long, complex, indecipherable password to be safe? Actually, no. One of the best explanations of this has been around for a while in the form of a comic from XKCD.

 Image: XKCD.com

Image: XKCD.com

What this is saying, essentially, is that length is more important than funny characters. If you choose 4 or 5 memorable words and glue them together, so long as they don’t make sense together, you’ll be better off than trying to come up with something random.  Long random passwords are best, of course, but in a world where we need to be able to enter this password many times on mobile keyboards, and on-screen with remote controls (Smart TVs, DVRs, and streaming devices for example) we need something that is secure AND usable. A long multi-word passphrase with a number and/or capital letter thrown in somewhere, will provide a high level of security which is also practical to use.