Recommend Length for Wi-FI PSK?

  • I currently have a network set up with WPA2 and AES encryption, the password is 8 characters long but was randomly generated and contains no dictionary words. However I'm concerned about the increasing power of computers and their ability to crack handshakes, as such I was considering increasing the length.

    I'm aware that I can go up to 63 characters if I were extremely paranoid, but unfortunately I have to type this password into Android phones and other devices so I'd rather keep it reasonably short to allow for it to be easily typed.

    Would a 16-character random password be enough to secure a WPA2 encrypted network? What is the current recommendation for password lengths, especially for wireless networks and what password length would be sufficient to protect my network against a standard attack?

  • D.W.

    D.W. Correct answer

    9 years ago

    Yes, 16 characters is more than sufficient, if they are randomly generated using a cryptographic-strength PRNG. If you use lower-case, upper-case, and digits, and if you generate it truly randomly, then a 16-character password has 95 bits of entropy. That is more than sufficient. Actually, 12 characters is sufficient; that gives you 71 bits of entropy, which is also more than sufficient for security against all of the attacks that attackers might try to attack your password.

    Once your password is 12 characters or longer, the password is extremely unlikely to be the weakest link in your system. Therefore, there's not much point choosing a longer password. I see people who recommend using a 60-character password, but I don't think there's any rational basis for doing so. My view is that usability is very important: if you make the security mechanism too hard to use, people will get annoyed and may be more reluctant to use it in the future, which isn't good. A secure mechanism that isn't used isn't doing anyone any good. That's why I prefer to choose a shorter password, like 12 characters or 16 characters in length, as it is perfectly adequate and more usable than a monstrous 60-character beast.

    Be careful how you choose the password. You need to use a cryptographically-strong PRNG, like /dev/urandom. For instance, here is a simple script I use on Linux:

    # Make a 72-bit password (12 characters, 6 bits per char)
    dd if=/dev/urandom count=1 2>/dev/null | base64 | head -1 | cut -c4-15

    Don't try to choose passwords yourself. Human-chosen passwords are typically easier to guess than a truly random password.

    One very important caveat: There are other issues as well, beyond password length. It is very important that you turn off WPS, as WPS has major security holes. Also, I recommend that you use WPA2; avoid WPA-TKIP, and never use WEP.

    Thank you for your advice, I plan on using KeePass to generate the password which should be secure for generation as far as I know. It's also quite handy as I can specify rules to keep it to ASCII leaving and keeping it at around 16 characters. The one problem I face is that it needs to be shared among family members, to be honest I could just print it out and stick it to the back of the router. At that point you'll have access to my house and the router so I have much worse problems. Luckily for me I'm using DD-WRT which doesn't even support WPS, so I'm in the clear there.

    Is the 71 bits of entropy recommendation still relevant in 2020?

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM