Is a WPA/WPA2 Wi-Fi network secure?
Table of Contents
Is WPA2 secure ?
We are going to analyze if Wi-Fi Protected Access version two WPA2 is secure, (WPA) security and Wi-Fi network protection are subjects of concern among network users and administrators, and is often said that WPA can be cracked. Though it is widely accepted that the old Wired Equivalent Privacy (WEP) standard is, in fact, insecure and should be avoided due to its high system vulnerability, not everyone knows how secure a WPA/WPA 2 password can be.
How long does a WPA or WPA2 network password have to be to be secure?
In short, it can be affirmed that a 12-character Wi-Fi network password cannot be decipher using today’s computing capabilities, since the time required to crack the password grows exponentially.
Complexity of cracking a Wi-Fi network password
The following chart shows the complexity of a WPA/WPA 2 Wi-Fi network password and the time required by a hacker to break it.
|
Character Types |
Key Length |
Time required to try all possible combinations Graphics Card |
Time necessary to compute all possible combinations FPGA |
| Lower case only / Upper case only
(26 possibilities) |
8 |
7 days | 1 day, 8 hours |
| Lower case only / Upper case and numbers only (36 possibilities) |
8 |
93 days | 18 days |
| Lower and upper case
(52 possibilities) |
8 |
4 years, 300 days | 353 days |
| Upper case, lower case, and numbers
(62 possibilities) |
8 |
474 years | 4 years |
| Lower case only / Upper case only
(26 possibilities) |
12 |
8645 years | 1,730 years |
| Lower case only / Upper case and numbers only
(36 possibilities) |
12 |
430,000 years | 85,858 years |
| Upper and lower case
(52 possibilities) |
12 |
35 million years | 7,083,000 years |
| Upper case, lower case, and numbers
(62 possibilities) |
12 |
292 million years | 58,460,000 years |
| Lower case only / Upper case only
(26 possibilities) |
16 |
Infinite | Infinite |
| Lower case only / Upper case and numbers only
(36 possibilities) |
16 |
Infinite | Infinite |
| Upper and lower case
(52 possibilities) |
16 |
Infinite | Infinite |
| Upper case, lower case, and numbers
(62 possibilities) |
16 |
Infinite | Infinite |
A WPA Wi-Fi network hash is the result of performing several mathematical calculations with a Wi-Fi password, and it can be used by a cracking process to check a password’s validity. To keep it simple, we can affirm that a hash is the same as a Wi-Fi network password. A powerful home graphics card (>€400) can process up to 350,000 WPA/WPA 2 hashes per second, that is to say, it can check the validity of 350,000 passwords in just one second. Commercial Pico FPGA hardware (>€1,000) offers a much powerful performance, being capable of processing 1,750,000 hashes per second. If the Wi-Fi network password is long enough, and it is not based on a dictionary (a predictable word or phrase), it will not be possible to crack it in a short period of time.
Wi-Fi Network Technical Aspects
In order to make sure a Wi-Fi network password is secure and to prevent it from being hacked, not only password complexity has to be considered, but also some other important aspects, such as:
- WPS (Wireless Protected Setup) PIN: Home-user Wi-Fi routers normally include WPS functionality for easier password exchange between an access point and a user, without the need for a Wi-Fi network password. This process can be abused by tools like Reaver or wpscrack, allowing the Wi-Fi network password be discovered, no matter how long or complex it could be. First, it is recommended to disable WPS, if supported.
- Wi-Fi Network Name: WPA or WPA2 encryption algorithm uses the Wi-Fi network name to generate the cryptographic key. In order to prevent cracking attacks by the use of rainbow tables, common or predictable network names should be avoided, such as ‘WLAN_66’, and new unrelated names should be used instead, such as WLAN-YTQZFJ.
- TKIP or AES CCMP: According to the 802.11 standard, WPA uses a signing algorithm called TKIP, and WPA2 uses the AES CCMP algorithm that is much more powerful and eliminates security breaches such as ‘Beck-Tews’ or ‘Ohigashi-Morii’ attacks. If possible, it is recommended to remove TKIP support, although these attacks are not frequent nowadays.
- Published Networks: Most devices (phones, PC’s, laptops, etc.) constantly refresh their list of wireless networks available within their reach by sending a Wi-Fi packet known as Probe Request frame. If a user configures a Wi-Fi network incorrectly, and the created password is the same as the network name, anyone using a Wi-Fi scanner will be able to see the network password requested by the user’s device.
- Administrator Passwords: ADSL routers or cable routers are often the access points for most home Wi-Fi networks. These devices’ default administrator user name and password combinations normally are, ‘admin/admin’, ‘1234/1234’, ‘support/support’, etc., and can be accessed from a web browser using HTTP protocol. Default administrator password has to be changed and access to router administrator panel from other networks, such the Internet, has to be restricted to prevent users from obtaining the Wi-Fi network password from the Internet thanks to a Wi-Fi router configuration bug.
Wi-Fi WPA Security Operative Considerations, is WPA2 secure ?
Based on the way we use our Wi-Fi network, there are certain security considerations to keep in mind:
- Former Personnel: For small to medium size companies, WPA is not recommended due to the inconvenient of changing the network password every time an employee leaves the company. If the password is re-used by several users, or integrated to devices like TPV’s, changing the network password to prevent former employees from accessing the network can be complex. This is why, for these types of environments, the use of Enterprise mechanisms with RADIUS-based authentication is recommended.
- Communications Interception: If a user intercepts the user authentication process with a Wi-Fi sniffer called 4 way handshake and cracks the Wi-Fi network password, or rather knows the password, he or she could decrypt the traffic of any other user connected to the Wi-Fi network. This is why WPA or WPA2 should be used only in home networks, where normally no network user would attempt to spy on other users’ traffic.
Wi-Fi Security Best Practices:
Below are some additional Wi-Fi security recommendations for keeping a Wi-Fi network secure.
- Change password periodically: Both home and corporate Wi-Fi WPA passwords should be changed from time to time. 12-character passwords should be changed every 6 months.
- Disable TKIP: The use of TKIP is not recommended and should be disabled. If TKIP must be used, make sure to use secure passwords of at least 12 characters.
- Analyze surrounding networks: Use either Acrylic WiFi Free or Acrylic Professional to analyze your surrounding wireless networks and their security settings.
- Measure signal strength: To improve Wi-Fi coverage and prevent wireless signal to propagate outside the intended coverage area, you can use site survey software such as Acrylic WiFi Heatmaps to measure wireless network coverage. This way, you can adjust your access point settings to avoid signal propagation beyond the intended coverage area, and improve Wi-Fi network performance by selecting an optimal position for the your AP.
Has knowing how WPA security works been useful to you? Please, leave us a comment. We also recommend you to check out our technical article on how secure a hidden Wi-Fi network can be.
Learn if WPA2 is secure enough.