Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 Sep 2018 18:25:27 +0200
From: Jens Timmerman <>
Subject: Re: Questions regarding WPA Password audit


On 05/09/2018 10:34, JohnyKrekan wrote:
> Hello, I would like to ask questions regarding WPA password strength audit.
> 1. What steps or how many password you would try against a single WPA-PSK hash to mark this hash "strong enough" when your search will not find the right one.
> my test consist of following steps:
> 1. All 8+ words from lcommon languages.
> 2. Two well known WPA wordlists which can be downloaded as torrent (approx 13 gb in size - see
I would also add weakpass_2_wifi from (I
strongly suspect this list already includes the other lists linked
above, but you can mail the admin to be sure)
> 3. All 8 digit numbers (I have found that many routers use 8 digit decimal numbers)
> 4. Slovakian (my nation) wordlist using password mutation rules (like adding numbers, changing cases, also I use those rules on common English wordlist...)
> The mentioned rules are generating about 600 derived password from each word.
> After passing these steps with no success, the password is considered "not so weak".
I would phrase this a bit more nuanced as: strong enough to not be
cracked by a skilled attacker <if you believe yourself to be skilled>
with access to <insert your hardware resources/ monetary cost to run on
a rented system here> in <insert the time you took for this here>
> Questions:
> 1. What other steps would you recommend to add to this password audit process?
I would like to have a large list of wpa passwords that are actually
used in the wild, generate a  statistics file with these and run your
cracker for let's say a week. If someone has these, I'm intrested :)
(Most list I found are just normal wordlists with passwords < 8 and > 63
removed from them, not actually wpa keys that people (or tools) come up
> 2. Have you encountered that 8 or 10 character hexadecimal numbers are used as WPA passwords? If yes what is the character case? Small or capital?
> Thanx for any suggestions.
> Johny Krekan


Jens Timmerman

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.