How long would it take to brute force an 11 character single-case alphanumeric password?

  • My previous home wifi router's WPA2 password was permanently fixed to FZ4HBCKHGC8.

    How long would it take to crack via brute force?

    Or more pragmatically:

    How long would it take to exhaust all possible iterations of this 36 character set {A..Z}+{0..9}?

    Yes, cause if your WPA2 has been permanently fixed to `FZ4HBCKHGC8`, it now takes no time to crack it.

    @M'vy has succinctly captured a deep truth of password cracking here. If you don't understand why, ponder it until you do.

    @M'vy As snarky as that is, that is an answer not a comment. No, really. It takes 1 try to crack a password fixed to `FZ4HBCKHGC8`.

    Ponder further. :)

    I don't get the pondering meme, can someone explain?

    @user1306322 They are commenting on the fact that the password that the OP posted now requires only 1 attempt to crack because the fact that they posted it on this site means that it is now public, operating under the assumption that the password shown here is not a placeholder password and that someone can correctly locate the user's router somewhere in the world, given their user information here. There is no meme, just a joke.

    Is this pondering meme from a Breaking Bad scene?

    oh, I thought OP wouldn't be so silly as to post the actual hardcoded password, and so I thought the joke was somewhere else. Also, it's a meme to call regular jokes and pretty much anything a "meme". Thought I should explain in turn :p Sorry, this is just how it is.

    @user1306322 OP said "previous" so since he's not using that router anymore, he may not care anymore.

  • The speed of WPA2, and the speed of modern GPUs, are essential to this answer.

    A reasonable prosumer-sized (~US$5K) GPU cracking rig with 6 GTX 1080s can try around 2 million hashes per second - but there are 36^11 candidates to try!

    For demo purposes, this is an actual attack, using the example WPA2 hash from the hashcat website:

    ```
    $ hashcat -a 3 -m 2500 -2 ?u?d hashcat-wpa2.hccapx ?2?2?2?2?2?2?2?2?2?2?2
    hashcat (v4.1.0) starting...

    OpenCL Platform #1: NVIDIA Corporation
    ======================================
    * Device #1: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
    * Device #2: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
    * Device #3: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
    * Device #4: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
    * Device #5: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
    * Device #6: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU

    [...]

    Session..........: hashcat
    Status...........: Running
    Hash.Type........: WPA/WPA2
    Hash.Target......: 8381533406003807685881523 (AP:ae:f5:0f:22:80:1c STA:98:7b:dc:f9:f9:50)
    Time.Started.....: Tue Apr 24 06:51:26 2018 (54 secs)
    Time.Estimated...: Sun Oct 11 02:45:49 4105 (2087 years, 168 days)
    Guess.Mask.......: ?2?2?2?2?2?2?2?2?2?2?2 [11]
    Guess.Charset....: -1 Undefined, -2 ?u?d, -3 Undefined, -4 Undefined
    Guess.Queue......: 1/1 (100.00%)
    Speed.Dev.#1.....:   336.2 kH/s (6.89ms)
    Speed.Dev.#2.....:   330.8 kH/s (7.03ms)
    Speed.Dev.#3.....:   332.0 kH/s (6.96ms)
    Speed.Dev.#4.....:   331.1 kH/s (6.97ms)
    Speed.Dev.#5.....:   334.2 kH/s (6.90ms)
    Speed.Dev.#6.....:   333.8 kH/s (6.90ms)
    Speed.Dev.#*.....:  1998.0 kH/s
    Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
    Progress.........: 108544000/131621703842267136 (0.00%)
    Rejected.........: 0/108544000 (0.00%)
    Restore.Point....: 2539520/3656158440062976 (0.00%)
    Candidates.#1....: 82TCFESS123 -> 8MXVZONANDA
    Candidates.#2....: 9JGXQW12345 -> 9O3QWESS123
    Candidates.#3....: 9BBZPANANDA -> 93M1YONANDA
    Candidates.#4....: 96RCZONANDA -> 9WMXQW12345
    Candidates.#5....: 5S3O3123456 -> 59QC6678999
    Candidates.#6....: 40QC6678999 -> 4CUZPANANDA
    ```

    But don't feel too reassured by the "2087 years" estimate. Fixed passwords often do not require brute force to be cracked. Many permanently fixed WPA2 passphrases are algorithmically generated, and many of those algorithms are either known, or discoverable by reverse-engineering the device's firmware.

    How is your rig going to "try around 2 million hashes per second"? Where does it get a test function to tell it whether a guess is correct or not?

    @R.. Normally an attack like this captures some information for offline brute forcing.

    @JohnV.: I'd really like to see how you think that happens.

    @R.. ... Are you asking how people capture WPA2 handshakes in order to crack them? Tools to do this have been around for a loooong time. The algorithm for WPA2 is public, and tools like hashcat generate candidates, hash them, and compare them to the original hash - at speed. This isn't a new thing. Maybe we're not understanding your point?

    I forgot the hashed password was part of the handshake. This does however presuppose there is some device present which knows the password and can authenticate with the access point, no? If not, I don't see how you're going to get the hashed password or any means of brute-forcing it. So I wouldn't so much call this brute-forcing but intercepting.

    @R.. It's both. You definitely have to intercept it first, so you have to have physical proximity. But then you *also* have to crack it (bruteforce is only one approach, and less useful for a slow hash like WPA2; wordlists, masks, etc. would come first). Both interception and attack are necessary, but neither is sufficient. :) You might be interested in ZerBea's hcxtools - it has many features that help with both aspects. https://github.com/ZerBea/hcxtools

    Well, strictly speaking, it's hashcat that helps more with the attack side. :) The two projects work closely together.

    @R.. There's no hashed password in the handshake, nor device present; cracking WPA2 basically consists of creating keys and testing against the MIC in the 2nd or 3rd packet of the four-way handshake. So... **once captured** the handshake you don't need the AP, nor the Supplicant ("Victim"/Station). The test function part is not that hard, just input X quantity of "passphrases" pass them through the PBKDF2 function (4096 times hashed each pass) and mean the time by X.

    What is ?2?2?2?2?2?2?2?2?2?2?2 and ?u?d in the command above...Maybe someone knows...or can point me to the necessary part of the documentation. Thanks

    See the output of `hashcat --help`
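The arithmetic behind the status output in the answer above, as an added example that is not part of the original answer or its comments: it expands the `-2 ?u?d` custom charset and the `?2` mask into a keyspace, checks that against hashcat's own `Progress` total, and recomputes the exhaustion time from the combined speed. The `pmk` function shows the PBKDF2 step that makes each WPA2 guess expensive; the SSID and passphrases are constructed placeholders, and constant speed and 365.25-day years are assumptions.

```python
import hashlib
import re
import time
# Lines copied from the hashcat status output quoted in the answer.
STATUS = """\
Guess.Mask.......: ?2?2?2?2?2?2?2?2?2?2?2 [11]
Guess.Charset....: -1 Undefined, -2 ?u?d, -3 Undefined, -4 Undefined
Speed.Dev.#*.....:  1998.0 kH/s
Progress.........: 108544000/131621703842267136 (0.00%)
"""
BUILTIN = {"l": 26, "u": 26, "d": 10}  # sizes of hashcat's ?l, ?u, ?d sets

def mask_keyspace(status):
    """Number of candidates the mask generates, from its charset definitions."""
    mask = re.search(r"Guess\.Mask\.+: (\S+)", status).group(1)
    custom = dict(re.findall(r"-(\d) ((?:\?\w)+)", status))  # {'2': '?u?d'}
    total = 1
    for tok in re.findall(r"\?(\w)", mask):
        if tok in custom:  # custom set = union of the built-in sets it names
            total *= sum(BUILTIN[c] for c in re.findall(r"\?(\w)", custom[tok]))
        else:
            total *= BUILTIN[tok]
    return total

def progress_total(status):
    # Keyspace as hashcat reports it: the denominator of the Progress line.
    return int(re.search(r"Progress\.+: \d+/(\d+)", status).group(1))

def speed_hps(status):
    # Combined speed of all devices, converted to hashes per second.
    value, unit = re.search(r"Speed\.Dev\.#\*\.+:\s+([\d.]+) (\w?)H/s", status).groups()
    return float(value) * {"": 1, "k": 1e3, "M": 1e6, "G": 1e9}[unit]

def years_to_exhaust(status):
    # Assumption: constant speed and 365.25-day years.
    return mask_keyspace(status) / speed_hps(status) / (365.25 * 86400)

def pmk(passphrase, ssid):
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def cpu_guesses_per_second(n=20):
    """Time n derivations on this CPU; passphrases and SSID are constructed."""
    start = time.perf_counter()
    for i in range(n):
        pmk(f"CONSTRUCTED{i:02d}", "example-ssid")
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    assert mask_keyspace(STATUS) == progress_total(STATUS)
    print(f"{years_to_exhaust(STATUS):.1f} years; CPU: {cpu_guesses_per_second():.0f} PMK/s")
```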

  • Your password is 11 characters long and has 542,950,367,897,600 combinations. It takes 10,534.62 hours or 438.94 days to crack your password on a computer that tries 25,769,803,776 passwords per hour. This is based on a typical PC processor in 2007 and that the processor is under 10% load.

    source: https://tmedweb.tulane.edu/content_open/bfcalc.php

    source: https://www.grc.com/haystack.htm

    source: https://asecuritysite.com/encryption/passes

    Helpful sources but this assumes the router will accept attempts at a really high rate. I would be surprised if a home router actually accepts password attempts at 1 million per second.

    @JimmyJames me too! I answered just his "pragmatically" question. After all, in a real-life scenario there is no need to bruteforce the router... it's all about cracking the handshake.

    You assume the router will be used to authenticate the password. It won't. The attacker will capture the handshake used for authentication and brute force it offline.

    _"This is based on a typical PC processor in 2007"_ Given the processing speed increases in the past decade I don't find this data particularly useful for current cracking estimates.

    … especially since this is exactly the kind of operation that hugely benefits from the embarrassing parallelism of GPGPU, let alone FPGAs and ASICs.

    Stuffing three answers that disagree into one "answer" is not helpful. Which one is right? Possibly none of them are computed using the same assumptions as the question?

    One hundred billion guesses per second?

    For asecuritysite, you have [a-zA-Z] checked, not [a-z0-9]

    These images don't seem to indicate what algorithm was used to encrypt the password, which greatly affects speed. WPA is on the slower side. My 2020 graphics card does not come close to the speeds indicated in this answer. If you assume MD5 instead of WPA, then it does.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM