WiFi (in)Security - Even WPA can't compensate for a weak password

WPA replaced the broken WEP security protocol in 2004 but still doesn't force the user to use strong passwords. In this blog I will show you whether your password is up to the job of protecting your network and just how easy it is to break WPA or WPA2 security.



WiFi Protected Access (WPA) was created in response to several major security flaws being found in its predecessor Wired Equivalent Privacy (WEP). On top of many improvements to the security protocol itself, WPA allowed for a much larger key (or password) to be used for the WiFi network. A larger key means there are more possibilities an attacker would have to guess to brute force the key, thus increasing the strength of the key. The main problem with WPA is that it only enforces a minimum key length of 8 characters. There are also no complexity requirements enforced on the key and this can result in the user creating a very weak key or the manufacturer supplying devices with weak keys pre-installed.

To create a strong key you shouldn't use only words that can be found in a dictionary. You should use upper and lower case letters, numbers and symbols, and try to use as much of the available 63 character length as possible. In the example video below the password for the WiFi network is revealed to be "SuperSecretPassword". There are some basic steps that you can take to increase the strength of your password.

  • Substitute numbers for letters, perhaps the number 3 for the letter 'e': Sup3rS3cr3tPassword
      • This will remove most of the dictionary words.
  • Stretch the length of the key, even an extra few digits helps: Sup3rS3cr3tPassword12345
      • A longer key is harder to crack.
  • Add a couple of random symbols on the end too: Sup3rS3cr3tPassword12345@#
      • Using symbols expands the possible options an attacker has to guess exponentially.


These very simple steps have taken the initially very weak key and turned it into a key that would be, realistically speaking, impossible to find using a brute force or dictionary attack! To further demonstrate the effectiveness of key stretching (making the key longer), which of these 2 passwords do you think would be more difficult to crack?

- or -


The answer, interestingly, is the first one. The first password contains upper and lower case letters, numbers, symbols and is 15 characters in length. The second password also contains upper and lower case letters, numbers and symbols but is only 14 characters in length. An attacker has no idea what your password looks like and even though an advanced dictionary may have the word 'Sc0tt' in it, it doesn't help the attacker at all guessing part of the password. As the saying goes, close only counts in horseshoes and hand grenades! The only thing an attacker knows is if he has guessed an exact match or not. It's also a common misconception that entropy (the randomness of data) helps to make a password strong. As you can see in the example the first password has far less entropy than the second yet is still a much stronger password. A basic password padding policy could help you to greatly increase the strength of your passwords. Always remember, once an attacker has tried all the easy to guess passwords he simply has to brute force all possible guesses. At that point the most important factor in password strength is the length.
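The two phases described above (wordlist first, then exhaustive search where length dominates) can be checked for your own passphrase with a short audit script. This is an added example, not part of the original post; the sample wordlist, the guess rate and all function names are assumptions made for illustration.

```python
import math
import string

# Character classes; seeing one member means a brute force must cover the class.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

# Constructed stand-in for a cracking wordlist such as darkc0de.lst.
SAMPLE_WORDLIST = {"password", "supersecretpassword", "letmein123"}

# Assumption: attacker guess rate, chosen only for illustration.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def is_valid_wpa_passphrase(passphrase):
    """A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters."""
    return (8 <= len(passphrase) <= 63
            and all(32 <= ord(ch) <= 126 for ch in passphrase))


def alphabet_size(passphrase):
    """Size of the alphabet a brute force needs to cover this passphrase."""
    return sum(len(cls) for cls in CLASSES
               if any(ch in cls for ch in passphrase))


def search_space_bits(passphrase):
    """log2 of the candidates of this exact length over that alphabet."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def audit(passphrase, wordlist=SAMPLE_WORDLIST,
          rate=ASSUMED_GUESSES_PER_SECOND):
    """Return (verdict, bits, years to try every candidate at `rate`)."""
    if not is_valid_wpa_passphrase(passphrase):
        return ("invalid", 0.0, 0.0)
    bits = search_space_bits(passphrase)
    # A wordlist hit falls in the first phase, whatever the length.
    # Matching case-insensitively is a deliberately conservative assumption.
    if passphrase.lower() in wordlist:
        return ("in wordlist", bits, 0.0)
    years = 2 ** bits / rate / (365 * 24 * 3600)
    return ("brute force only", bits, years)


if __name__ == "__main__":
    for pw in ("SuperSecretPassword", "Sup3rS3cr3tPassword",
               "Sup3rS3cr3tPassword12345", "Sup3rS3cr3tPassword12345@#"):
        verdict, bits, years = audit(pw)
        print(f"{pw:28} {verdict:17} {bits:6.1f} bits {years:.2e} years")
```

Run it against the four passwords from the list above to see the search space grow with each step; swap in a real wordlist to make the first-phase check meaningful.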

Take a look at how easy it is to bypass WPA or WPA2 security when using a weak key.

Download darkc0de.lst here.
List of commands used here.


Whilst typing a strong key into your devices to connect them to the WiFi network can be cumbersome, it's better to employ proper security than risk the consequences of not doing so. My previous blog post in the WiFi (in)Security series on WEP goes over other steps that are regularly advised to improve the security of your network. It turns out that many of them actually offer so little protection, or no protection at all, that they are just an inconvenience to the user. Be sure to check it out!

Short URL: https://scotthel.me/CrackingWPA

About Scott
Researcher, blogger and international speaker. I'm the creator of report-uri.io and securityheaders.io, free tools to help improve online security.