Date: Wed, 5 Sep 2018 18:25:27 +0200
From: Jens Timmerman <jens.timmerman@...ars.be>
To: john-users@...ts.openwall.com
Subject: Re: Questions regarding WPA Password audit

Hi,

On 05/09/2018 10:34, JohnyKrekan wrote:
> Hello, I would like to ask questions regarding WPA password strength audit.
> 1. What steps or how many passwords you would try against a single WPA-PSK hash to mark this hash "strong enough" when your search will not find the right one.
> My test consists of the following steps:
> 1. All 8+ words from common languages.
> 2. Two well known WPA wordlists which can be downloaded as torrent (approx 13 gb in size - see https://forums.hak5.org/topic/29308-13gb-44gb-compressed-wpa-wpa2-word-list-982963904-words/

I would also add weakpass_2_wifi from https://weakpass.com/download
(I strongly suspect this list already includes the other lists linked above, but you can mail the admin to be sure)

> 3. All 8 digit numbers (I have found that many routers use 8 digit decimal numbers)
> 4. Slovakian (my nation) wordlist using password mutation rules (like adding numbers, changing cases, also I use those rules on common English wordlist...)
> The mentioned rules are generating about 600 derived passwords from each word.
> After passing these steps with no success, the password is considered "not so weak".

I would phrase this a bit more nuanced as: strong enough to not be cracked by a skilled attacker <if you believe yourself to be skilled> with access to <insert your hardware resources/ monetary cost to run on a rented system here> in <insert the time you took for this here>

> Questions:
> 1. What other steps would you recommend to add to this password audit process?

I would like to have a large list of wpa passwords that are actually used in the wild, generate a statistics file with these and run your cracker for let's say a week.
If someone has these, I'm interested :)
(Most lists I found are just normal wordlists with passwords < 8 and > 63 removed from them, not actually wpa keys that people (or tools) come up with.)

> 2. Have you encountered that 8 or 10 character hexadecimal numbers are used as WPA passwords? If yes what is the character case? Small or capital?
> Thanx for any suggestions.
> Johny Krekan

Regards,
Jens Timmerman
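
Added example, not part of the original message or of any tool mentioned in it: a defender-side check that tells you which of the audit steps discussed in this thread would have generated a given passphrase from your own network, and how large the mask keyspaces are. The function names, the sample wordlist and the candidate rate are assumptions made for illustration.

```python
import re
import string

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63

# Mask-style candidate classes named in the thread: (pattern, keyspace size).
MASK_CLASSES = {
    "8-digit decimal": (re.compile(r"[0-9]{8}"), 10 ** 8),
    "8-char hex, lower case": (re.compile(r"[0-9a-f]{8}"), 16 ** 8),
    "8-char hex, upper case": (re.compile(r"[0-9A-F]{8}"), 16 ** 8),
    "10-char hex, lower case": (re.compile(r"[0-9a-f]{10}"), 16 ** 10),
    "10-char hex, upper case": (re.compile(r"[0-9A-F]{10}"), 16 ** 10),
}

def is_valid_psk(p):
    return MIN_LEN <= len(p) <= MAX_LEN and all(32 <= ord(c) <= 126 for c in p)

def base_word(p):
    """Undo the simple mutations mentioned in the thread: case changes, appended digits."""
    return p.rstrip(string.digits).lower()

def covered_by(p, wordlist):
    """Return the names of the audit steps that would have generated passphrase p."""
    if not is_valid_psk(p):
        raise ValueError("not a valid WPA passphrase (8-63 printable ASCII)")
    hits = [name for name, (rx, _) in MASK_CLASSES.items() if rx.fullmatch(p)]
    words = {w.lower() for w in wordlist}
    if p in wordlist:
        hits.append("wordlist word")
    elif base_word(p) in words:
        hits.append("wordlist word + mutation")
    return hits

def exhaust_seconds(class_name, candidates_per_second):
    """Time to try every candidate of a mask class at the given rate."""
    return MASK_CLASSES[class_name][1] / candidates_per_second

if __name__ == "__main__":
    wordlist = ["bratislava", "password", "internet"]   # constructed sample
    rate = 100_000                                      # assumed rate, not a benchmark
    for psk in ["12345678", "DEADBEEF", "Bratislava2018", "x7#Qm!pL2vR9"]:
        print(psk, "->", covered_by(psk, wordlist) or "not covered by these steps")
    print("8-digit decimal:", exhaust_seconds("8-digit decimal", rate), "s at assumed rate")
```

An empty result only means the passphrase falls outside these particular steps, which is the qualified "strong enough against this attacker, hardware and time" statement from the reply above.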