Today I had to type the same password to connect to a WPA2-secured WiFi network several times, and got really annoyed with the length of the password. Especially since it is just a phrase repeated twice.
So, when using WPA2 with a WiFi router, is it always more secure to use longer passwords?
A short paragraph from another answer I have here pretty much covers this, though not in much detail:
The amount of protection offered by implementing a password in any system will always vary in direct proportion to the password complexity, and the effort taken to protect that password. Wireless networks are no exception.
Where a strong hashing mechanism is in use, longer and more complex passwords will almost invariably put you in a better security posture. I strongly suggest you read some of the other passwords questions we have here. One of particular interest is:
XKCD #936: Short complex password, or long dictionary passphrase?
It should be noted though, that a WPA2 network's PSK is only effective where WPS is either disabled or unsupported on the AP. Recent side-channel attacks allow an attacker to break WPS in a relatively short time, and gather the WPA2 PSK directly from the AP without having to actually crack the PSK itself.
It depends, but in general: yes.
To attack a WPA2 key (and considering WPS is dissabled!) you need to bruteforce it, so the longer the key the longer it takes.
Suggest I have a key of three letters and I can process about 5 words a second to the AP (fictional). One word can consist of 24 letters and 10 numbers. So your possibilities are (24+10)^3 = 39304. If we add one letter we get:(24+10)^4 = 1336336 possibilities. It would take 37 times longer to process those possibilities.
The longer the phrase, the more possibilities, the longer it takes to attack an AP.
Note: HOWEVER, if you take normal words you need to mind dictionary attacks. They just use a dictionary and test all the words in there, it significantly reduces possibilities.
Is it always more secure? No, though it usually is.
As a counter-example, 1234567890 is much weaker than B9xZbA six randomly generated alphanumeric characters, despite being longer. The difference is the informational entropy content of the password. Basically, when the sample space of a similarly created passwords is smaller, the password is easier to crack. These sorts of calculations are a bit difficult to do in practice, but a few general points can be learned. Expanding the space of the randomly chosen items is less effective than increasing the length of the password. For example, a 10-char lowercase password (26-letters) of random characters has 2610 ~ 1014 possible passwords, while an 8-digit password that randomly mixes case (52-letters upper-lower case) has 528 ~ 5 x 1013 password can be cracked in about half the time.
As a better example for a wifi-password, you generally want a high-entropy passphrase. Passphrases may be easier to remember than an equivalent password. Diceware is a good way to generate a passphrase. I just generated glory pew golf iambic clip fee in a few seconds with a random number generator. Each word was generated by 5 rolls of a dice (65 ~ 7776 choices), so a six word (630 ~ 1023) passphrase would take about a billion times longer to brute force than a ten character lowercase. An equivalent lower case password would be ~17 lowercase characters vjdipotnbwpnzjvzr or ~14 mixed case (tkydzwULzRzSFs) or ~12 mixed case and special characters (Unsv9[}[g2Pk).
Now when you have a password that falls into an easy pattern like 1234567890 the entropy is very low; e.g., you could say you have a choice for start character (80 choices), and way you ascend or descend characters (say 4 possibilities), and length of password (say 1-30 characters). This has 80x4x30=9600 ~ 103 is 10 billion times easier to crack than ten random digits. You may say, well this only would be cracked if the algorithm for cracking searches for this sort of special type of passwords, and that is true. But its not hard to initially check for a few of these types of passwords (and its much more likely that these types of passwords appear in leaked password lists).
Similarly, if I chose a meaningful phrase like the entropy is much lower, as there are small lists of meaningful phrases that an attacker in principle could use in their attacks.
You also have to make sure there are not other attacks against the system, e.g., you are using WEP or WPS or another broken system so the complexity of your password is irrelevant.
This post talks about brute-forcing a WPA password. The short answer is: yes, it is more secure to have a longer password. The question is the relative convenience of have a shorter password with a more secure one - if it's your home wifi, you probably don't need a crazy long password, but if it's something more important, you should think twice about it.
Generally speaking yes, however I reccomend never using words in your password and implimenting a MAC address filter. Is this still possible to penetrate? Yes, but in most instances who would want to bother with a long password and MAC address filtering. Then again there is the WiFi Pineapple: http://revision3.com/hak5/pineapples 3G or 4G dongles are much more secure, but again everything depends on the full application and budget.
The answers have explained most already. In practice, how long does it need to be? Probably longer than what the average person uses in practice, but less than some of the suggestions seen on the web. I set out to find out a reasonably secure size that is still easy enough to handle. Secure enough for me would be that an adversary with access to 10 top of the range PCs in 5 years (the time I will keep the password for) will still only have a 2% chance of cracking the password in 1 month. Adjust the numbers as you please. A very powerful adversary may have access to more computing power but will be unlikely to use it for a whole month.
According to hashcat, a top of the range PC with 8 top of the range graphics cards can manage to check just over 2.2 million passphrases (actually: hashes) per second. If we assume performance doubles every year, in 5 years, 1 top PC will be able to check 71 million hashes per seconds. So 10 of those PCs could do 714 million hashes per second, or around 1,879,149,888,000,000 hashes in 1 month. Since we require a chance of only 2% that the password will be cracked, we need to have a password creation rule that allows for 93,957,494,400,000,000 possibilities.
So if you use a truly random passphrase, you can get away with 12 lower-case letters or 9-10 alphanumeric characters (upper and lowers case letters plus digits). I like lower-case letters as you can type those into your mobile device easily. But there is absolutely no need to use overly complex, 50 character passphrases that utilise all kinds of special characters.
Furthermore, if you are not aware: you need to use an ESSID that is not common enough that someone has calculated a rainbow table for it already.
In general, yes! It is more secure to have a longer password since the more characters the password has, complexity is added thus making it harder for hackers to guess it using some of the tools available.
