Mar 13, 2025

WiFi Passwords Should Be Dumb

Why do people complicate WiFi passwords to the point where they either have to look them up themselves or recite them like instructions—‘Capital A, everything small,’ or ‘At the rate, 54321, dollar sign’? It’s a password that you have to share often and input frequently, so it seems foolish to make it complex.

Your WiFi is not a bank account. There’s little incentive for anyone to hack into yours (except maybe to get free internet). If you’re worried someone can use your Internet to do something nefarious, remember that there are far less risky ways to do shady stuff (VPNs, residential proxies) than using something that requires close proximity.

Even for a determined attacker, hacking the WiFi password is extremely difficult—unless you use a very commonly used password.

A possible attack vector on WiFi (WPA2) is capturing the 4-way handshake — the short exchange that happens when a device connects to the network. Tools like aircrack-ng can sniff this handshake packet from the air, without needing to be part of the network.

This handshake packet contains data that includes a PBKDF2 hash, which is derived from the Wi-Fi password and the network name (SSID). Once an attacker has this hash, they can try millions (or even billions) of passwords offline, without needing to interact with the network again.

Here’s the catch though: PBKDF2 is a computationally expensive function.

PBKDF2 takes your password and runs it through a hashing algorithm (in the case of WPA2, SHA-1) thousands of times. With WPA2, that number is fixed at 4096 iterations. So, just to check one password, the computer must run SHA-1 4096 times. Even with a powerful system, that would only amount to testing a few hundred to a thousand hashes per second.

The effort/reward ratio is simply terrible when it comes to brute-forcing. Unless you’re using a super-commonly used password (e.g., 12345678), I wouldn’t worry about anyone hacking your WiFi.
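To put a number on that cost for your own password, this added example (not part of the original post) derives the WPA2 key with Python's `hashlib`, times the derivation on the local CPU, and converts a few password shapes into the days needed to try every candidate at that rate. The SSID `ExampleNet`, the shape names and the 7776-word list size are assumptions made for the example.

```python
import hashlib
import time

ITERATIONS = 4096   # fixed by WPA2, as described above
KEY_LEN = 32        # the derived key is 256 bits


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK master key: PBKDF2-HMAC-SHA1 with the SSID as salt."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), ITERATIONS, KEY_LEN
    )


def measure_rate(samples: int = 20) -> float:
    """Key derivations per second on this machine, single CPU thread."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:04d}", "ExampleNet")  # constructed inputs
    return samples / (time.perf_counter() - start)


def days_to_exhaust(keyspace: int, rate: float) -> float:
    """Days needed to derive a key for every candidate in the keyspace."""
    return keyspace / rate / 86400


# Constructed password shapes and the number of candidates each allows.
# 7776 is an assumed word-list size (five dice rolls per word).
SHAPES = {
    "8 digits": 10 ** 8,
    "one listed word + 2 digits": 7776 * 100,
    "two listed words": 7776 ** 2,
    "three listed words": 7776 ** 3,
}


def report(rate: float) -> dict:
    """Map each shape to the days required to exhaust it at the given rate."""
    return {name: days_to_exhaust(size, rate) for name, size in SHAPES.items()}


if __name__ == "__main__":
    rate = measure_rate()
    print(f"{rate:.0f} derivations/second on this machine")
    for name, days in report(rate).items():
        print(f"{name:28s} {days:14.1f} days to exhaust")
```

The measured rate reflects only the machine running the script; pass a different rate to `report()` to see how the estimates change with the assumed hardware.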

Last of all, is the password even a secret? Most people don’t have any qualms about handing it out to anyone who comes to the house. How many people use something like guest networks to restrict access or check access logs of their router?

Why not make them easy?

WiFi passwords should be easy, dumb, and pronounceable. Something you can remember and say easily, and the other person gets it without confusion. Two easy words. A single phrase. A single long word.

And that will be enough! Security is important—but Wi-Fi passwords don’t need the same level of security as your online accounts.

