Wi-Fi Security

Key Security Recommendations

To ensure your home network is as secure as possible, follow these critical best practices:

  • Change Your Default Password: Even if your ISP provides a random password, it's best to change it to something unique that only you know. This is the single most important step you can take.
  • Use WPA3 Security: When setting up your Wi-Fi, always choose the WPA3 option if it's available. It protects against the password cracking techniques described on this page. If WPA3 is not an option, use WPA2 with a very long and complex password.
  • Disable Unnecessary Features: Turn off features you don't use, especially WPS (Wi-Fi Protected Setup). As explained below, WPS has a major vulnerability that makes it easy for attackers to break into your network.
  • Update Your Firmware: Regularly check for and install firmware updates from your router's manufacturer. This is the only way to patch known security holes.

ISP Router Password Practices

For enhanced security, most major Internet Service Providers (ISPs) have stopped using universal default passwords (like admin/password). Instead, they provision routers with a **unique, randomly generated pre-shared key (PSK) for each customer.**

Password Composition:

The unique password is typically a random string of alphanumeric characters. While patterns vary, they are designed to be non-dictionary words to resist simple guessing. For example, a password could look like 9kFw4mJ7 or aBc8xZ2p.

Location:

The only reliable source for your unique Wi-Fi password (often called "WiFi Key" or "Password") is the **sticker on the back or bottom of the router itself**. This sticker will also list the default Wi-Fi network name (SSID).

WPA/WPA2 Handshake Vulnerability

The standard Wi-Fi security protocols before WPA3 (WPA and WPA2) are vulnerable to offline brute-force attacks once an attacker has captured the **4-Way Handshake**. This cryptographic exchange occurs when a client device connects to the network, and an attacker in radio range can record the frames without ever being on the network.

The handshake itself does not contain the password, but it does contain a message integrity code (MIC) that is derived from it. An attacker can therefore work on the captured data offline: for each candidate password, derive the keys the way a real client would and check whether the resulting MIC matches the captured one. Using modern **Graphics Processing Units (GPUs)**, which are highly efficient at parallel computations, an attacker can test billions of potential passwords per second against the captured handshake. With enough time and computational power, any password can theoretically be cracked; the goal of a strong password is to make this process infeasibly long.

The PMKID Attack (A Faster WPA/WPA2 Hack)

Discovered in 2018, this attack is a more efficient method for cracking WPA/WPA2 passwords. It targets the **Pairwise Master Key Identifier (PMKID)**.

  • No Clients Needed: Unlike the 4-way handshake attack, an attacker does not need to wait for a user to connect. They can directly query the Access Point (AP).
  • The Process: The attacker sends a single association frame to the AP. If the AP supports a roaming function (like 802.11r), it may respond with the PMKID in the first EAPOL frame. The PMKID is a hash derived from the PSK, the AP's MAC address, and the client's MAC address.
  • Offline Cracking: Since the attacker knows all other inputs, they can use the captured PMKID to perform an offline brute-force attack on the password, just like with the full handshake, often using tools like hcxdumptool and Hashcat.

The WPA3 Advantage

WPA3 is the current security standard and directly addresses the vulnerabilities in WPA2.

  • SAE Handshake: WPA3 replaces the WPA2 handshake with **Simultaneous Authentication of Equals (SAE)**, also known as "Dragonfly" Key Exchange. This method is resistant to offline dictionary attacks. Even if an attacker captures the authentication frames, they cannot be used for offline cracking. Each password guess requires a new, live interaction with the AP, making brute-force attacks impractically slow.
  • Protected Management Frames (PMF): WPA3 mandates the use of PMF, which protects against deauthentication and disassociation attacks. This prevents an attacker from forcibly disconnecting clients from the network, a common tactic used to initiate handshake captures.

Why You Should Disable WPS

WPS (Wi-Fi Protected Setup) is a major security risk and should always be disabled in your router's settings. While designed for convenience, its PIN feature contains a fatal design flaw.

The 8-digit PIN is not validated as a single number. Instead, it is checked in two halves: the router confirms the first four digits on their own, and only then the next three; the eighth digit is a checksum computed from the other seven. This fundamentally flawed process reduces the total number of possibilities from 100,000,000 (for an 8-digit PIN) down to just 11,000 (10,000 + 1,000). That small number of combinations can be brute-forced in a matter of hours, revealing the WPA/WPA2 password regardless of its complexity.
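The arithmetic above, worked through in code. This is an added example and not part of the original page: the checksum weights (3, 1, 3, 1, 3, 1, 3) are the ones defined in the Wi-Fi Protected Setup specification for the eighth digit, and the "split validation" model simply counts attempts the way the paragraph describes. Nothing here talks to a router; it only validates PIN strings and compares search-space sizes.

```javascript
// Added example, not code from the original page: the WPS PIN checksum rule
// and the arithmetic behind "11,000 instead of 100,000,000".
// Checksum weights follow the Wi-Fi Protected Setup specification; the
// split-validation count follows the description in the text above.

// Checksum digit for the first seven digits of a WPS PIN.
function wpsChecksumDigit(firstSeven) {
  if (!/^\d{7}$/.test(firstSeven)) throw new Error('expected exactly 7 digits');
  let accum = 0;
  for (let i = 0; i < 7; i++) {
    const d = Number(firstSeven[i]);
    accum += i % 2 === 0 ? 3 * d : d; // positions 1,3,5,7 weigh 3; positions 2,4,6 weigh 1
  }
  return (10 - (accum % 10)) % 10;
}

// True if an 8-digit PIN carries the correct checksum digit.
function isValidWpsPin(pin) {
  if (!/^\d{8}$/.test(pin)) return false;
  return wpsChecksumDigit(pin.slice(0, 7)) === Number(pin[7]);
}

// Worst-case number of attempts an online guesser needs under each model:
//   'all'   : every 8-digit string is a candidate                  -> 10^8
//   'whole' : the checksum fixes the 8th digit, PIN checked as one -> 10^7
//   'split' : 10^4 for the first half, then 10^3 for the second
//             half (3 free digits + checksum)                       -> 11,000
function worstCaseAttempts(model) {
  switch (model) {
    case 'all': return 10 ** 8;
    case 'whole': return 10 ** 7;
    case 'split': return 10 ** 4 + 10 ** 3;
    default: throw new Error('unknown model');
  }
}

// How many times smaller the split makes the search compared with the quoted figure.
function reductionFactor() {
  return worstCaseAttempts('all') / worstCaseAttempts('split');
}

console.log('12345670 has a valid checksum:', isValidWpsPin('12345670'));
console.log('split validation worst case  :', worstCaseAttempts('split'));
console.log('reduction factor             :', reductionFactor().toFixed(0));
```

The PIN 12345670 is the example value used in the WPS specification and its reference implementations, which is why it passes the checksum check here.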

A Note on Router Vulnerabilities & "Backdoors"

Over the years, numerous security vulnerabilities have been discovered in devices from all major router manufacturers, including TP-Link, Netgear, D-Link, Asus, and others. While the term "backdoor" implies malicious intent from the manufacturer, these issues are almost always critical programming errors or oversights that create a backdoor-like vulnerability. Common types of flaws include:

  • Hardcoded Credentials: Hidden or undocumented accounts with default passwords left in the firmware by developers for debugging.
  • Command Injection: Flaws in the router's web interface that allow an attacker to run malicious commands on the device.
  • Outdated Software: Routers often run older versions of Linux and other software components that contain well-known, unpatched vulnerabilities.
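The Command Injection item above is the one that is easiest to show in code. The following is an added example, not code from the original page or from any vendor's firmware: a router-style "diagnostic ping" handler in the vulnerable shape the bullet describes, followed by a hardened version. Node.js is assumed and the function names are hypothetical. Neither builder executes anything; each returns what would be handed to child_process so the difference can be inspected safely.

```javascript
// Added example, not code from the original page or any router firmware:
// a "diagnostic ping" web handler, vulnerable and hardened. Node.js assumed.

// VULNERABLE: the user-supplied host is spliced into a shell command line.
// Passed to child_process.exec(), a value such as "8.8.8.8; reboot" makes the
// shell run a second command with the web server's (on routers, usually root)
// privileges. This is the flaw class the text calls Command Injection.
function buildShellCommandVulnerable(host) {
  return `ping -c 1 ${host}`;
}

// HARDENED, step 1: accept only what a host field can legitimately hold.
// Hostname: dot-separated labels of letters, digits and interior hyphens.
// IPv4: four octets 0-255. Spaces, quotes, $, ;, |, & and backticks cannot pass.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;
const IPV4_RE =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function isValidTarget(host) {
  return typeof host === 'string' && (IPV4_RE.test(host) || HOSTNAME_RE.test(host));
}

// HARDENED, step 2: no shell at all. Program and arguments are a list meant
// for child_process.execFile(), so shell metacharacters are never interpreted.
// The validation above also guarantees the host cannot start with "-", so it
// cannot be parsed as an extra ping option.
function buildExecFileArgs(host) {
  if (!isValidTarget(host)) throw new Error('rejected: not a hostname or IPv4 address');
  return { file: 'ping', args: ['-c', '1', host] };
}

// Run the same inputs through both paths and show what each would execute.
function compare(inputs) {
  return inputs.map((host) => {
    let hardened;
    try {
      hardened = JSON.stringify(buildExecFileArgs(host).args);
    } catch (e) {
      hardened = e.message;
    }
    return { input: host, vulnerable: buildShellCommandVulnerable(host), hardened };
  });
}

// Constructed sample inputs: two legitimate targets and two injection attempts.
console.table(compare(['8.8.8.8', 'router.local', '8.8.8.8; reboot', '$(id)']));
```

The two hardening steps are independent and both belong in a real handler: the allow-list rejects anything that is not a host, and execFile with an argument array means that even a validation mistake would not reach a shell parser.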

These vulnerabilities are what allow attackers to create botnets (like Mirai or Volt Typhoon) by taking over thousands of routers. This makes it absolutely essential to keep your router's firmware updated, as manufacturers release patches to fix these flaws once they are discovered.

Security Analysis & Wordlist Example

The Risk of Predictable Patterns

While a random password for each device is good, it's not perfect if the generation pattern is known. If an attacker knows an ISP always generates 8-character passwords using only lowercase letters and numbers, they don't have to try guessing from all possible characters. Instead, they can build a much smaller, targeted dictionary or "wordlist" containing every possible combination that fits that specific pattern. This makes a brute-force attack significantly faster and more likely to succeed.
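The size of the search space is what both the offline handshake/PMKID cracking described earlier and the predictable-pattern problem above come down to. The following is an added example, not code from the original page: it computes the number of candidates, the bits of entropy and the worst-case time to exhaust each space at a chosen guess rate. The character sets are assumptions for illustration, and the default rate of 1e9 guesses per second mirrors the "billions per second" figure used earlier on this page (pass a different rate to see other scenarios).

```javascript
// Added example, not code from the original page: size up password spaces
// and the worst-case time an offline handshake/PMKID attack needs to exhaust
// them. Character sets and the guess rate are illustrative assumptions.

const LOWER_DIGITS = 'abcdefghijklmnopqrstuvwxyz0123456789';       // 36 symbols
const ALNUM = LOWER_DIGITS + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';          // 62 symbols
const ALNUM_SYMBOLS = ALNUM + '!@#$%^&*()-_=+[]{};:,.<>/?';          // 88 symbols

// Exact number of candidates of the given length over the charset.
// BigInt keeps the value exact well beyond 2^53.
function keyspaceSize(charset, length) {
  return BigInt(charset.length) ** BigInt(length);
}

// Entropy in bits of a uniformly random password of this shape.
function entropyBits(charset, length) {
  return length * Math.log2(charset.length);
}

// Worst-case seconds to try every candidate at guessesPerSecond.
// The expected time to hit the right one is half of this.
function secondsToExhaust(charset, length, guessesPerSecond) {
  return Number(keyspaceSize(charset, length)) / guessesPerSecond;
}

function humanDuration(seconds) {
  const units = [['years', 365 * 86400], ['days', 86400], ['hours', 3600], ['minutes', 60]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toFixed(1)} ${name}`;
  }
  return `${seconds.toFixed(1)} seconds`;
}

// How much knowing the generation pattern helps: the full space an attacker
// would otherwise have to search, divided by the targeted space.
function patternSpeedup(fullCharset, patternCharset, length) {
  return Number(keyspaceSize(fullCharset, length)) / Number(keyspaceSize(patternCharset, length));
}

// One row per password policy: bits of entropy and worst-case exhaust time.
function report(guessesPerSecond = 1e9) {
  const policies = [
    ['8 chars, lowercase + digits (pattern known)', LOWER_DIGITS, 8],
    ['8 chars, mixed-case alphanumeric', ALNUM, 8],
    ['8 chars, alphanumeric + symbols', ALNUM_SYMBOLS, 8],
    ['16 chars, mixed-case alphanumeric', ALNUM, 16],
  ];
  return policies.map(([policy, charset, length]) => ({
    policy,
    bits: Number(entropyBits(charset, length).toFixed(1)),
    worstCase: humanDuration(secondsToExhaust(charset, length, guessesPerSecond)),
  }));
}

console.table(report());
console.log('speedup from knowing the 36-symbol pattern:',
  patternSpeedup(ALNUM, LOWER_DIGITS, 8).toFixed(1));
```

The takeaway matches the text: at the same rate, an 8-character password drawn from a known 36-symbol pattern falls in under an hour, the same length over the full 62-symbol alphabet takes days, and doubling the length to 16 pushes the worst case beyond any practical horizon. Length beats charset tricks, which is why the WPA2 advice above is "very long".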

Example Wordlist Generation Logic

This is a functional example to illustrate the logic. It draws a small, safe random sample of passwords that match a predictable pattern; a real wordlist would enumerate every combination of that pattern, which is exactly why a known pattern is dangerous.

// Draw `count` random passwords of `length` characters from `charset`.
// This only samples the pattern; it does not enumerate it.
function generateSample(charset, length, count) {
    let sample = [];
    for (let i = 0; i < count; i++) {
        let password = '';
        for (let j = 0; j < length; j++) {
            // Math.random() is fine for an illustration. It is not a
            // cryptographic generator and must never be used to make real keys.
            password += charset.charAt(
                Math.floor(Math.random() * charset.length)
            );
        }
        sample.push(password);
    }
    return sample;
}

// Example usage: five 8-character passwords over upper- and lower-case letters and digits.
const alphanumeric = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
const samplePasswords = generateSample(alphanumeric, 8, 5);
console.log(samplePasswords);