Router Security | WiFi Passwords |
Website by Michael Horowitz |
NOTE: The information here used to be on the WEP, WPA, WPA2 and WPA3 page. On Oct. 28, 2021 it was greatly revised and moved to this page.
With one exception, the rules for a Wi-Fi password are the same as the rules for all other passwords. For example, using just lower case letters is a bad idea; it is better to include both upper and lower case letters along with numbers. WPA2 passwords can also contain a host of special characters as shown in the examples below. And, of course, don't use passwords that someone who knows you might be able to guess.
Many routers include default Wi-Fi password(s). In some cases, the default passwords look like they were randomly chosen. Do not trust this. Always pick new passwords. Perhaps the passwords were generated using a formula that someone has figured out. Perhaps employees of the company that made the router have access to all the passwords. For more on this, see Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers Usenix (Aug 2015).
The one exception is that Wi-Fi passwords really need to be long. The biggest mistake you can make, when choosing a Wi-Fi password, is to pick one that is too short. This is because WPA2 (a.k.a. WPA2-AES and WPA2-CCMP and WPA2 PSK and WPA2 Personal) offers no protection from a bad guy capturing network traffic and using a brute force attack to decrypt it off-line. The phrase "brute force" refers to making billions of guesses. The only defense against brute force attacks is a long password.
Long passwords are not an ongoing hassle, since Wi-Fi devices save the password for each network that they join. A long password is an annoyance for literally a few seconds.
Another thing all passwords share is that random characters are not brutally important. The length of a password is generally considered more important than the randomness when it comes to defending against brute force guessing. So, yes, the password "D9fkhu28Fca4c5C9e3cc" is better than passwords such as "5BatteryHorseStaples" or "theSUNwillcomeupinAM" even though they are all 20 characters long. But a sufficiently long password does not need to consist of random gibberish. It is also important that people are able to say and type the password. No one would want to type the first password. None of the suggested passwords below are random.
Curious about just how many billions of guesses bad guys can make? This will always vary based on the hardware used for guessing. In addition, Paul Moore says (Passwords: Using 3 Random Words Is A Really Bad Idea! October 2017) it varies based on the hashing algorithm. A computationally expensive algorithm, SHA512, slows things down (with his hardware) to 8 billion a second. If a password is hashed with SHA256, then we can expect 23 billion guesses/second, with SHA1 expect 70 billion/second. The fastest, and thus least secure, algorithm is MD5. Moore says MD5 is still very common and it can be brute-forced at the rate of 200 billion guesses/second. An article linked to below discusses hardware that made 6,819,000 guesses/hashes per second.
The shortest password allowed with WPA2 is 8 characters long. A password of 14 or 15 characters should be long enough to defeat most brute force guessing. Still, 16 would be better. The German government recommends 20 characters as a minimum. In February 2023, the US National Security Agency (NSA) also said to use at least 20 characters. WPA2 passwords can be up to 63 characters long.
But wait, there's more.
Another type of attack guesses passwords using passwords that other people have already picked. This is called a dictionary attack and despite the name, it includes many passwords that are not words in the dictionary. Things like "Denver2013" or "I like MickeyMouse". Many websites have been breached over the years and bad guys can find massive databases of passwords that people have used in the past. Defending against a thorough dictionary attack means not using a password that any other human has used before. A tall order indeed, but not impossible.
For example, start with a name or address and then modify it a bit. If you live at 123 Main Street and like the Dallas Cowboys then maybe use "Dallas123MAINstreeetCowboys". This is unlikely to have ever been used before, even by another Cowboys fan with the same address. If I were to start with my name, I might use "xyzMICHAEL-horowitz" or "8888michaelQQQhorowitz". Neither is all that hard to remember and each is likely to be globally unique, even though my name is somewhat common.
Of course, there is no reason to start with a name or address.
Like history? Then how about "123LooeyTheXIV123". Chances are that other history buffs will not have used it.
Like the St. Louis Cardinals? "StanTheMan" is not a great choice. Start with the address of Busch stadium and modify it. For example, "700-clark-AVENUE-63102" and "700#CLARK#avenue#StLouisMO" are great passwords and other Cardinals fans are not likely to have used them. As for "StanTheMan", it can be improved with "stan--THE--man" or, better yet, "stanTHEmanmanmanman" and still be reasonably easy to say, remember and type.
As an example of why you should change the default password, the BBC had a story in May 2021 about a family that went through "utter hell" for months after the police came to their home and took all their electronic devices as part of an investigation into images of child abuse being posted online. Most likely, an innocent family was accused because they had not changed either the Wi-Fi password or the router password. This is far from the only such story. Their router was no help, but a Peplink router can offer a ton of details, after the fact, that would have shown if bad guys had been on the network.
In October 2021, Ido Hoorvitch of CyberArk walked around his neighborhood and sniffed information from 5,000 Wi-Fi networks. He took this data back to his office and, using hashcat and other software, was able to calculate the password for 70 percent of the Wi-Fi networks. He abused a relatively new Wi-Fi attack on WPA2 Personal. The attack is based on recording the SSID, the hash of the PMKID, the MAC address of the router and the MAC address of a router client. A PMKID is used for roaming between Access Points. If you have a single router, there is no need for a PMKID, yet it was often present. The cracked passwords were often just numbers or just lower case letters. The lesson to be learned is that longer passwords and varied passwords are more resistant to this brute force attack. He did not say if the attack will work on WPA2 Enterprise or WPA3. He offered no advice on determining if your router is broadcasting a PMKID. See also 70% of Wi-Fi networks are easy to hack - how to protect yourself by Paul Wagenseil.
To get a feel for how bad guys crack Wi-Fi passwords, see How I cracked my neighbors WiFi password without breaking a sweat by Dan Goodin (August 2012). Even back in 2012, guessing every possible 8-character password was a do-able thing. One eight-character password was hard to guess because it was a lower-case letter, followed by two numbers, followed by five more lower-case letters with no discernible pattern. That is, it didn't spell any word either forwards or backwards. Resisting the temptation to use a human-readable word made the guessing much harder.
kyPeQ3!khx (Too short and can't remember it)
DBF9fkhu28FF!ca4$cc5C1795ecc (can't remember it)
Dandelion (Never use a word in the dictionary)
Denver2012 (It is likely that someone else has used this before)
Yankee fan? 22New22York22Yankees22
Like red tulips? icansee789redTULIPS
Are you rich? myassistantchosethisoverlyLONGpassword
Like math? 6====ahalfdozen
Like golf? icandriveagolfball300INCHES
Like Disney? mickey.mouse.is.THE.best
Like Shakespeare? tobeornottobe->THATisthe?
From New York City? the-BIG-apple-rules!
From Boston? Yuck-The-Fankees!
Like XKCD comics? BatteryHorseStaple.etc.etc.etc.
Like to remember a date/place? Denver///2019///
Like your iPhone? IOSiscoolerthanandroidhahaha
Like being a smartass? >>>this.is.my.password<<<
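The rules above can be turned into a quick self-check for a candidate Wi-Fi password. This is an added example, not part of the original page: it flags the weaknesses described earlier (too short, digits only, lower case only, already used by someone else) and estimates how long trying every combination would take at the 6,819,000 guesses/second figure quoted above. The function names, finding labels and the three-entry "known used" set are assumptions made for illustration; the printable-ASCII check reflects the WPA2 passphrase format.

```python
import string

PAGE_RATE = 6_819_000          # guesses/second, the hardware figure quoted on this page
KNOWN_USED = {"baseball", "dandelion", "denver2012"}  # constructed stand-in for a breach list

def alphabet_size(pw):
    """Size of the smallest pool of printable ASCII classes that covers pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33             # 32 punctuation characters plus the space
    return size

def audit(pw, rate=PAGE_RATE):
    """Return (findings, worst_case_seconds) for a candidate WPA2 passphrase."""
    findings = []
    if not 8 <= len(pw) <= 63 or not all(32 <= ord(c) <= 126 for c in pw):
        findings.append("not-a-valid-wpa2-passphrase")
    elif len(pw) < 14:
        findings.append("too-short")
    elif len(pw) < 20:
        findings.append("below-20-char-recommendation")
    if pw.isdigit():
        findings.append("digits-only")
    elif pw.isalpha() and pw.islower():
        findings.append("lowercase-only")
    if pw.lower() in KNOWN_USED:
        findings.append("seen-before")
    # Time to try every string of this length over this alphabet. This is an
    # upper bound: a dictionary attack finds human-chosen passwords far sooner.
    seconds = alphabet_size(pw) ** len(pw) / rate
    return findings, seconds

if __name__ == "__main__":
    for pw in ["baseball", "12345678", "Denver2012", "icansee789redTULIPS",
               "mickey.mouse.is.THE.best"]:
        findings, seconds = audit(pw)
        print(f"{pw!r:30} {seconds / 3600:12.3g} hours  {findings or 'ok'}")
```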
See a funny tweet by Dan Edwards about needing to buy a drink at a bar before learning the Wi-Fi password.
In April 2018, New York Yankee manager, Aaron Boone, was being interviewed after a game at Fenway Park against the Boston Red Sox when the camera showed a bulletin board on the wall next to him. On the bulletin board was the Wi-Fi network name ("clubhouse") and password. This got attention because of the miserably insecure password: "baseball". The Red Sox could hardly have chosen a worse password. The team took it well, however, tweeting "Guess we need a new WiFi password". See The Red Sox clubhouse's Wi-Fi password does not rank high for creativity. And the SSID was likely attracting the attention of the many techies that are Red Sox fans.
As for storing the password(s), I suggest writing down both the Wi-Fi network names and passwords on a piece of paper and taping it to the router, face down. Or, keep it next to the router so as not to block any ventilation holes. The point being, to have it at the ready when needed in a place that couldn't be any easier to remember. You may also want to write down the router IP address, userid and password.
Note: The Ubiquiti AmpliFi mesh router defaults to using the same password for both Wi-Fi and administering the router. Chances are other routers do this too. It is a very bad idea. Each function should have its own password.