Elcomsoft’s Smoke & Mirrors
Posted in Tech News, Uncategorized on 12/04/2008 07:35 pm by Warwulf
A few weeks ago, Elcomsoft reported that it had developed software to harness the power of a GPU to brute-force WPA/WPA2. What that could mean is that, for a scant $1,000 in hardware, one could break the encryption used on wireless networks. While this price may sound prohibitively high, two top GPUs in SLI are fairly common in high-end gaming. People dedicated enough to break into corporate networks now have a means to do so.
That’s the theory, at least.
As one keen commenter pointed out, the reality and sheer mathematics behind it are mind-boggling. A WPA2 passphrase can be 63 characters long, and using lower case, upper case, numbers, and symbols provides 94 choices for each character. If I use a 63 character password, that 63 character password could be one of 1.9 * 10^126 possible choices.
If you want to have a 100% chance of brute forcing this key in one year, you would still need to execute 6*10^118 tries a second.
It would be faster to attack the 256 bit hash, as this only has 1.1*10^77 permutations.
So if one could issue 3.6*10^69 commands per second, one could guarantee a break in one year. Let's assume that it takes 10 flops (floating point operations) to test one key. As of August, SETI@HOME is executing an average of 150 teraflops (150*10^12). Therefore one would still need ~2.5*10^56 SETI@HOME projects to break one key in one year.
The most efficient computer uses 2.8 watts per GFLOP. Therefore it would take 2.5*10^59 watts to break one key. Since the average power usage for all people on the planet is 15 TW, we would need 1.5*10^46 times the current power output of the planet to break one key.
Unless someone is using a weak password, like “aaaaaaaa”, it’s rather unlikely someone would be able to successfully crack WPA2.
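
The estimate above as an added example (not code from the original post or its commenter): it computes the search space for a passphrase drawn from the post's 94 characters, caps it at the 256-bit key as the post does, and times the standard WPA2-PSK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) to get a local guess rate. The function names, sample passphrases and SSID are constructed for illustration.

```python
import hashlib
import math
import string
import time

PMK_BITS = 256                      # the derived WPA2 key is 256 bits
SECONDS_PER_YEAR = 365 * 24 * 3600
# The four character classes the post counts: 26 + 26 + 10 + 32 = 94.
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def charset_size(passphrase: str) -> int:
    """Size of the smallest union of the four pools that covers the passphrase."""
    if any(all(c not in p for p in POOLS) for c in passphrase):
        raise ValueError("character outside the 94 counted in the post")
    return sum(len(p) for p in POOLS if any(c in p for c in passphrase))


def search_space_bits(passphrase: str) -> float:
    """log2 of the guesses needed to exhaust the space, capped at the key size."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return min(len(passphrase) * math.log2(charset_size(passphrase)), PMK_BITS)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def measure_guess_rate(samples: int = 5) -> float:
    """Derivations per second on this machine; each guess costs one derivation."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"constructed-{i}", "ExampleSSID")  # constructed inputs
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rate = measure_guess_rate()
    for label, pw in (("weak", "aaaaaaaa"), ("long", "aB3$" * 15 + "xY9")):
        bits = search_space_bits(pw)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years at {rate:.0f}/s")
```

The bit count is an upper bound on strength: it assumes every character is chosen at random, so a dictionary word or a repeated character is found far sooner than the figure suggests.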
Why am I taking the time to point this out? The short explanation is that I’m tired of lesser admins and specialists preaching to me that WPA2-PSKs are insufficient safeguards for wireless security, especially in a business/enterprise setting. This is simply not the case. While it may be optimal to use WPA2 Enterprise setups in corporate environments, the reality is that many IT departments are run on a shoestring budget. The mark of a good IT consultant is not how fast, powerful, or secure they can make something with an unlimited budget… but how well they can make do on a budget resembling the McDonald’s dollar menu.
Some theorists suggest that link security, such as WEP and WPA, may eventually take a backseat to data security, such as VPNs.
So, for the time being, you can sleep soundly knowing that your WPA2 networks are secure… secure as you make them.