In the last part I briefly described why you should be concerned with your wireless network security. In this part I’ll describe the various ways, and indeed, the ease with which some passwords can be cracked.
But first you need to know what the various types of wireless encryption are. At least in the U.S., the basic types of encryption that you’ll run into from the major wireless router manufacturers are:
* WEP (Wired Equivalent Privacy) – You will not see this type of encryption used on any recent wireless router because it’s extremely insecure. If your router is running this, and yes, they’re still out there, you probably don’t have any option to change to another encryption method and should consider purchasing a new router as soon as possible. Believe it or not, there are still two of these running in my neighborhood.
* WPA/WPA2 (Wi-Fi Protected Access) – WPA replaced WEP in the early 2000s, and has itself been replaced by WPA2. WPA2 is the standard encryption method on modern wireless home networks, with a few varieties to choose from. WPA-PSK (TKIP), WPA2-PSK (AES) and a few select others are normally the options. WPA2-PSK (AES) is the highest level of encryption you can set in most recent wireless routers, and should be selected from among the various options your router may give you.
One word of advice regarding -PSK. PSK stands for “Pre-Shared Key”. Meant with the best intentions, PSK is a means of enabling connection to your wireless network through a PIN code instead of a password. Unfortunately PSK is insecure and easily cracked, as there are a finite number of PINs. It’s best to disable PIN access to your wireless network altogether, but if you intend to use PSK then try to use a wireless router that has a security feature that automatically disables PSK functionality after X number of attempts.
So here you are, with your brand new wireless router. You’ve selected WPA2-PSK (AES) as your encryption method and you’ve entered an 8 digit complex password (numbers, lower and upper case letters, and special characters). With your router plugged in and operating, you’re thinking to yourself how secure you are as you connect your phone to your new home wireless network. You’ve erected a virtual moat around your home castle, and no one is going to be able to storm your gate! Right?
Well, actually, you’re quite wrong. It’s actually very easy for someone within range of your router to probe your defenses. And in most cases, they can probe your defenses for considerable time without you ever knowing. I say “considerable”, but in actuality I mean forever, because the tell-tale signs they may leave while doing it are so innocuous that no one outside of the most security conscious individual would ever notice.
How could this be? How could someone try to hack my wireless router without me noticing? Well, for starters, the average person isn’t IT conscious at all. The average person wouldn’t know the difference between WEP and WPA/WPA2, or know what a handshake is, or even know that most recent wireless routers have a logging function (though it is disabled by default), or know what to look for even if they enabled it. And to be honest, probing can be done entirely passively, meaning the adversary (mean hacker person) never actually actively attacks your network. He or she can speed this part of the process up a bit by employing an active “attack” that’s actually quite minor and wouldn’t be noticed by 9.9 of every 10 people even if they saw its effects during the actual “attack”. That’s because the “attack” is a normal network function, but in this case it is done by a specific person for a specific reason instead of, as it normally would be, by your router without any prompting by an outside source.
I’m writing at a relatively high level here, and not intending to be technically specific in any detail. That simply isn’t my intent. Quite honestly, if you want to know more about this subject you can find everything you need very easily with just a few minutes in any search engine. I’m also very specifically not going into detail on actions you can take to combat some of the tactics that can be used against your network. Most of those details would be beyond the average home user anyway, and those users who are technically savvy will know where to find that information. Again, this blog post is not intended for those purposes.
Be that as it may, a person sitting in a car down the street from your home, or someone on another street in your neighborhood, can very easily capture network traffic from your wireless router. Whenever a device connects to your network, those specific packets contain key information someone can then use to crack your password. All of this can be done entirely passively, without ever actually performing any action against your network. But as I said, if the individual wanted to speed this part of the process (reconnaissance) up, they could employ an active tactic to force your wireless router to send those packets. One way or the other, as long as you have a wireless router and devices that need to connect to it, your router will send the packets that are needed for those devices to connect. And anyone listening can record them.
So, if your wireless network is so insecure, why are there wireless networks at all? I said an individual who was listening could intercept the packets they would need to try to crack your wireless password. I never said your network was insecure. In fact, this question touches on why I went into the math bit in part 1. Your phone needs to exchange information with your wireless router in order to connect. This is called the handshake, and there’s no way to successfully connect without some kind of question and response dialogue between the two devices. This is what your adversary is listening to.
The handshake is intended to be secure, but it’s just the front line. Think of it as the moat around your castle. It’s an obstacle and nothing more. Infinitely more important is your password, or pass phrase as it’s often also called, that is passed from the end device (your cellphone) to your router during this handshake. All of the information is encrypted, but the packets of information that are passed between the two devices are in a standard form. So your adversary will know which encrypted bits are the network’s password and which aren’t. He can’t read the password yet though, so the next step for him is to try to crack it. Again, this is why I went into the math in part 1.
Once someone has recorded at least one handshake from your network, that is, an actual connection between an end device and your wireless router, they have everything they need to begin the next phase, which is the password cracking. The adversary can’t do anything more until they do crack your password, so remember what I said about lengthier, complex passwords being best. And especially what I said about the type of encryption (WPA2 with AES).
The general gist of how someone goes about trying to crack your password is that once they have at least one set of handshake packets, they run the captured packets through a decryption program. There are many, and all of them are good at what they do, in their own specific way. Some programs are designed to use the computer’s own processor (CPU), while others are designed to use the computing power of the system’s graphics card (GPU). In my experience, CPU intensive decrypting can be fast, but nowhere near as fast as what can be achieved through GPU decryption.
Whatever program the individual chooses to use, they all go about the act of decryption in the same fashion. There are two widely used methods of decryption and a few others that are less common. I’ll focus on the two most widely utilized methods: dictionary and brute force attacks. In a dictionary attack, the program compares the encrypted password against a list of words, each encrypted in the same method your network password is. If a match is found, your password then becomes known. Dictionary attacks are the fastest method to decrypt your password, so here is where the math in part 1 should really start to take hold.
While creating word lists is trivially easy, it does get more complicated as you add complexity. A word list of just number combinations is smallest, whereas a word list containing possible passwords composed of numbers, upper and lower case letters and a set of special characters can be gargantuan. So gargantuan, in fact, that it can be physically difficult for the system to work with. Especially if you realize the word list must have every permutation of complex words from 8 digits upward to some number.
Most word lists I’ve seen instead contain only possible passwords of numbers and lower and upper case letters from 8 to 12 digits in length. The word lists are very large, but manageable. And quite frankly, unless an adversary wants to get into your network specifically, and you aren’t some random network he’s simply probing, the harder you make that for him the better. The random hacker isn’t looking for hard targets, he’s looking for easy targets: someone’s network whose password is between 8 and 12 digits long and which probably doesn’t use special characters. And most especially those networks whose password is only numbers or is comprised of actual dictionary words. Never, ever use a password that is only numbers, or is only an actual dictionary word. Ever. Because your password will be cracked in seconds to minutes, regardless of the type of encryption you employ. Trust me on this.
A dictionary attack can take an attacker’s computer seconds to minutes to compare your network’s password against all the words on the word list, depending on a number of factors, mostly how large the word list is. Suffice to say the attacker will know within a few short minutes whether they can crack your password easily through this type of attack, or whether they’ll need to devote more time to it.
If your password was not among the word list the attacker has, and if they decide to devote more time to it, there’s a second, more powerful method of attack. One that theoretically is capable of decrypting every possible password in existence. Given enough time. And there’s the rub.
The second widely used method of decryption is brute force, and it means just what it sounds like. It’s a means of the computer trying every permutation of characters against your network’s password and seeing if one matches. Typically the brute force method is tried only after various dictionary attacks have failed, because brute force attacks are much slower than a dictionary attack. In a dictionary attack the computing power the attacker’s program has available doesn’t really matter, but in a brute force attack it does. The more computing power the better, as more computing power enables the system to attempt more key sequences per second. Here’s where the math comes in.
In an 8 digit numeric only password example, there are 100,000,000 possible passwords. For the sake of argument, let’s assume someone decides to brute force the password instead of dictionary attacking it. If someone had attempted to dictionary attack a numeric only password they would absolutely have cracked it, but for our example an attacker never tried that method and instead skipped right to brute force.
So here an attacker is with 100,000,000 possibilities, and they launch a brute force attack to crack your password. How long do you think that might take them? Processing power is everything. On a relatively low powered laptop, using only CPU power, a system might be able to attempt 1,500 keys per second.
100,000,000 / 1,500 keys per second = 66,667 seconds, or 18.5 hours. But within that 18.5 hours it would indeed crack that password. By comparison, a dictionary attack against the same 8-digit numeric password took mere seconds.
A more robust system, using GPU power, can easily attempt 30,000 to 100,000 keys per second. So the same 8-digit numeric password brute force attack would take between 18 and 54 minutes to crack. This isn’t a guess, this is mathematical certainty. Either way your numeric only 8-digit password will be cracked, it’s just a matter of time. Don’t make numeric only passwords, regardless of their length.
But let’s look at the math for more complex passwords. How long could it take to crack an 8 digit, 10 digit and 12 digit password with increasing complexity? As above, we’ll assume that only brute force attacks are attempted, and that dictionary attacks were skipped entirely for some reason.
Numbers Only (times in hours)

| Password length | 1,500 keys/sec | 30,000 keys/sec | 100,000 keys/sec |
|---|---|---|---|
| 8 Digit Combo | 18.5 | 0.9 | 0.3 |
| 10 Digit Combo | 1,851.9 | 92.6 | 27.8 |
| 12 Digit Combo | 185,185.2 | 9,259.3 | 2,777.8 |

Numbers & Lower Case Letters (times in hours)

| Password length | 1,500 keys/sec | 30,000 keys/sec | 100,000 keys/sec |
|---|---|---|---|
| 8 Digit Combo | 522,427.8 | 26,121.4 | 7,836.4 |
| 10 Digit Combo | 677,066,377.8 | 33,853,318.9 | 10,155,995.7 |
| 12 Digit Combo | 877,478,025,615.1 | 43,873,901,280.8 | 13,162,170,384.2 |

Numbers & Lower/Upper Case Letters (times in hours)

| Password length | 1,500 keys/sec | 30,000 keys/sec | 100,000 keys/sec |
|---|---|---|---|
| 8 Digit Combo | 40,433,352.9 | 2,021,667.6 | 606,500.3 |
| 10 Digit Combo | 155,425,808,494.1 | 7,771,290,424.7 | 2,331,387,127.4 |
| 12 Digit Combo | 597,456,807,851,463.0 | 29,872,840,392,573.1 | 8,961,852,117,772.0 |
You can see complexity greatly increases the time it theoretically takes to crack a password, and I didn’t even display figures for passwords including special characters. The times assume that all possible combinations are tested and that the actual password is the last one tested in every case, which you should realize isn’t going to be the case. Also, these figures assume a single low to moderate system. The times decrease with the addition of systems and power, obviously. But again, the run of the mill hacker isn’t looking for a hard target, he’s looking for an easy target.
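The tables above are nothing more than (character set size) ^ (length) divided by keys per second. The following script is an added example, not part of the original post, that carries that calculation through and reproduces the table values, and goes one step further than the post by estimating the same worst-case figure for a candidate passphrase from the character classes it actually uses. Character set sizes (10, 26, 26) and key rates (1,500, 30,000, 100,000 per second) are the post’s; the 32-symbol special character set and the three rate names are assumptions made here.

```python
"""Worst-case brute-force time estimator (added example, not the post's code).

Assumptions follow the post: every candidate is tried, the real password is
the last one tested, and a single machine tests a fixed number of keys per
second. The 32-character "special" set is an assumption; the post never
fixes the size of that set.
"""
import string

# Character classes and their sizes, as used in the post's tables.
CLASSES = {
    "digits": string.digits,           # 10
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "special": string.punctuation,     # 32 (assumed set)
}

# Key rates from the post: a weak CPU-only laptop and two GPU figures.
# The names are assumptions made here for readability.
RATES = {"cpu_laptop": 1_500, "gpu_low": 30_000, "gpu_high": 100_000}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_hours(charset_size: int, length: int, keys_per_sec: int) -> float:
    """Hours to exhaust the keyspace if the real password is tested last."""
    return keyspace(charset_size, length) / keys_per_sec / 3600


def charset_size_of(password: str) -> int:
    """Size of the union of character classes that the password draws from.

    This mirrors the post's reasoning: a password built only from digits
    lives in a keyspace of 10^n no matter how random the digits look, while
    adding one letter or symbol moves it into a far larger keyspace.
    """
    if not password:
        raise ValueError("empty password")
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    unknown = [c for c in password if not any(c in chars for chars in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return size


def estimate(password: str) -> dict:
    """Worst-case hours for each rate, for the keyspace `password` belongs to."""
    size = charset_size_of(password)
    return {name: worst_case_hours(size, len(password), r) for name, r in RATES.items()}


def build_table(charset_size: int, lengths=(8, 10, 12)) -> dict:
    """Rows in the shape of the post's tables: {length: {rate_name: hours}}."""
    return {
        n: {name: round(worst_case_hours(charset_size, n, r), 1) for name, r in RATES.items()}
        for n in lengths
    }


if __name__ == "__main__":
    for label, size in (("Numbers only", 10), ("Numbers & lower", 36), ("Numbers & lower/upper", 62)):
        print(f"{label} (hours):")
        for n, row in build_table(size).items():
            print(f"  {n} chars: " + ", ".join(f"{k}={v:,.1f}" for k, v in row.items()))
    # Constructed sample passphrases: same length, very different keyspaces.
    for pw in ("12345678", "abc12345", "Tr0ub4d!"):
        hours = estimate(pw)["gpu_high"]
        print(f"{pw!r}: charset {charset_size_of(pw)}, worst case {hours:,.1f} h at 100,000 keys/sec")
```

The point the numbers make is the post's own: length and the number of character classes both multiply the keyspace, and an estimator like this only tells you the upper bound for a blind brute force. A password that appears in a word list is found in seconds regardless of what this calculation says, which is why the post insists on avoiding numeric-only and dictionary-word passwords.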
Make yourself a hard target. Usually an adversary isn’t looking to spend days, weeks, or months trying to crack your password. Unless they know you and dislike you. In which case, as long as your password is 12 digits or more and is complex, they’d have to dislike you a great deal to spend the time and resources that would be necessary to find your password.
Once someone has cracked your wireless password though, they can connect to your network at will. And unless you are unusually vigilant, you’re almost assuredly never going to realize it. For all intents and purposes, once someone with the skill has broken into your network, they will have the freedom to explore your network and act against systems that are connected to it, or use your home’s internet connection for their own purposes.
I trust that you are now armed with enough knowledge not to become one of those people.