Posted

I have Google searched for a few days, but I was hoping that someone could give me the answer I need.

What is the full character set for WPA/WPA2 passwords? I believe it is a minimum of 8 digits, but I have read that the maximum is 40 and also that it is 63. Could you please clarify?

I know we have all upper and lower case letters and the numbers 0-1, but I would like to know what special characters are allowed as well.

So what I have for sure is:

1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

There must be some special characters to add onto that.

Thanks in advance.

Posted

I was under the impression that Unicode characters work just as well. The protocol demands 8-63 bytes, presumably because in Pascal-style the first byte indicates the length of the field. In other words, the password becomes a binary field rather than something containing just printable characters. That in turn means you'd be able to include '\0' (ASCII[0] - the nul byte) in there and the protocol wouldn't care even in the slightest. You yourself might have an opinion on the matter though, since you need to enter that value somehow so in most cases you're limited to what your keyboard is capable of producing. But if you have a Cyrillic keyboard those characters should be allowed and interpreted correctly.

Posted

Thank you vailixi and Cooper.

I have heard/read that it was printable ASCII characters only.

My question really stems from making sure I have the correct character set to brute force hashes during pen tests if my dictionaries fail.

So for my case I would want to use only characters that could be typed on a standard keyboard.

Posted

Right include the (' ') space.

Thanks again.

So I think this should cover most password combinations. This would take a long time to brute force.

1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()?><":;(' ')

Posted

The sun will burn up the earth by then, or you could hit the lottery and get it the first day.

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ with a space.

4.0806232493378206e+113 years, 358 days, 20 hours, 27 minutes, and 58 seconds

(3.991929703310228e+124 password combinations)

http://calc.opensecurityresearch.com/

Posted

Big numbers that you can just plain look at somehow fail to impress people, so let's put those numbers in some perspective.

The amount of valid characters you've restricted yourself to is 80 ASCII characters, down from the actual, valid 256 so just remember, we're already reducing the total keyspace to about a third its original size.

The length of the password is anything between 8 and 63 of these characters. Let's restrict this down to a maximum length of 40. Mind you, for each character you add the keyspace increases 80-fold, so we're seriously, SERIOUSLY reducing the total keyspace with this too.

The number of possible passwords then becomes: 13292279957849158729038070602803445760000000000000000000000000000000000000000

Not impressed? Didn't expect you to be. So let's consider that number like this:

Let's build a rig that tests 13 giga-hashes per second. If you dedicate a box with 2 fairly recent GPUs to the cause this is currently a feasible number. Next, go to your favourite spot on the equator. You're going to walk around the world along the equator, but take a very leisurely pace of one meter every billion years.

After you complete your round the world trip, remove one ice cube worth of water (10 ml) of water from the Pacific Ocean. Now do the same thing again: walk around the world at one billion years per step, removing one ice cube worth of water from the Pacific Ocean each time you circle the globe. Continue until the ocean is empty.

When it is, take one sheet of paper (standard paper thickness is 0.05mm) and place it flat on the ground. Now, fill the ocean back up and start the entire process all over again, adding a sheet of paper to the stack each time you’ve emptied the ocean. Do this until the stack of paper reaches from the Earth to the Sun.

Now take a glance at the number of passwords that you still need to test. The 5 left-most characters in that number have now gone from 13292 to 13283...

You're going to need to repeat the entire process another 1529 times before you've exhausted the keyspace.

(inspired by this article on how much 52! is, that being the number of card combinations that you can make with a single deck of cards)

Posted

Thanks again

I know the key space is large, and I've heard all of the comparisons to walking around the earth, digging holes to the sun and what have you. I really just wanted to know the entire character set because I didn't see it posted anywhere on the net.

Respectfully

- S

Posted (edited)

Wow I did not know that. Cooper is right about the Unicode characters. I had to look this up.

You can add your favorite Futhark symbols, Kanji, Sanskrit. तथदधनपᚠᛉᛒ仃仄ण6859

So you can use the entire Unicode set, which is 1,114,112, which would make your password significantly more secure than just using ASCII characters.

1,114,112^83 possible passwords

And I suppose if you were a total nut job on wifi security you could make your own Unicode character like some companies do. ⌘

I typically keep a Latin character dictionary with English, German, and Spanish words.

Brute forcing a full Unicode password would be fairly difficult. Hypothetically I could write a program to do it. But without the hardware to crunch all of the data it wouldn't be practical.

Edited by vailixi
Posted

When you use Unicode the storage space for your password characters doesn't magically become larger. It's 63 bytes. Unicode can use multiple bytes to represent a single character, but your WPA password, represented as bytes, cannot exceed 63. So the keyspace you're, for all intents and purposes, confronted with should be considered 256^63. Which is just ridiculously large. It's a shame so few people manage to pick genuinely good passwords.

Posted (edited)

So only characters that can be represented by a single byte. So when it's only 8-bit characters they're not actually Unicode, they're code page ASCII values, which are language-specific, where you are swapping out extended ASCII chars, i.e. if it were Greek you are swapping out 80-AF or char(129)-char(175).

α

So if you wanted to make a wordlist for said character set you wouldn't need to create a string array of \u0391-\u03c8; you can just use regular ASCII chars and just look up the OEM code page for whichever language you want to use. So the corresponding byte value of 1000 0000 would be the same where it's in English as A or in Greek as α.

80 = U+0391 : α

AF = U+03C8 : Ψ

I was thinking Unicode characters were 32 bits and it wasn't quite making sense. Am I kinda on the right track here?

// Print the binary form of each byte value in the loop's range
for (int i=129; i<175; i++){
    System.out.println(Integer.toBinaryString(i));
}
Edited by vailixi
Posted

byte != character.

Read this.

UTF-8 is the default for Java, UTF-16 is the default for lots of Microsoft, UTF-32 is the norm for Python, but they realized the error of their ways so they play tricks to reclaim some of the lost space.

The point I'm making is that since there is no predefined encoding assumed by the protocol (it's just 63 bytes as far as it's concerned) the valid range is 256^63. You can artificially limit that by assuming only characters that you can provide via most common keyboards are allowed, reducing the keyspace to about 100^63. But if you picked the wrong keyboard, you're going to have a hard time finding a working sequence.
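
The byte-versus-character point made above, as an added example that is not part of any post in the thread: it measures constructed passphrases against the 8 to 63 byte limit under two encodings and counts the keyspace for three alphabets. The function names and sample passphrases are constructed here; the 13 giga-hash rate is the figure used earlier in the thread.

```python
import string

MIN_BYTES, MAX_BYTES = 8, 63   # passphrase limits quoted in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600

def byte_length_check(passphrase, encoding="utf-8"):
    """Return (characters, bytes, fits) for a passphrase under one encoding."""
    raw = passphrase.encode(encoding)
    return len(passphrase), len(raw), MIN_BYTES <= len(raw) <= MAX_BYTES

def keyspace(symbols, min_len=MIN_BYTES, max_len=MAX_BYTES):
    """Exact number of candidates over every length from min_len to max_len."""
    return sum(symbols ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(candidates, guesses_per_second):
    """Whole years needed to try every candidate at a fixed rate."""
    return candidates // (guesses_per_second * SECONDS_PER_YEAR)

# Printable ASCII: letters, digits, punctuation and the space (95 symbols).
PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation) + 1

def compare(rate=13_000_000_000):
    """Keyspace and exhaustion time per alphabet (rate: figure from the thread)."""
    result = {}
    for name, symbols in (("thread-80", 80), ("printable-ascii", PRINTABLE_ASCII),
                          ("any-byte", 256)):
        total = keyspace(symbols)
        result[name] = (total, years_to_exhaust(total, rate))
    return result

if __name__ == "__main__":
    # Constructed samples: character count and byte count diverge outside ASCII,
    # and the byte count depends on the encoding the client happens to use.
    for phrase, enc in (("correct horse", "utf-8"), ("ᚠᛉᛒ" * 8, "utf-8"),
                        ("α" * 32, "utf-8"), ("α" * 32, "iso8859_7")):
        print(enc, byte_length_check(phrase, enc))
    for name, (total, years) in compare().items():
        print(f"{name}: {total:.3e} candidates, {years:.3e} years")
```
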

Posted (edited)

Hmmm. Interesting point. I was looking at a Flash exploit that used two different encodings. So you encode with the greater bytes but it takes the smaller bytes and you can cause an overflow with the different encoding. It's in the TIT tags. I don't know action Flash scripting at all but I remember it because it's a TIT tag. (+)(+)

Edited by vailixi
  • 3 months later...
Posted

You can add your favorite Futhark symbols, Kanji, Sanskrit. तथदधनपᚠᛉᛒ仃仄ण6859

So how might one easily enter characters in the form of those from the Futhark, I noticed you had input the characters, Elhaz, Berkana, etc., and wanted to know of simple ways without say, holding down left-alt and entering an ASCII code, for example - can you point to applications that can be launched to change keyboard mappings to that of, say, the Futhark, etc., on a quick and temporary basis?

Or what methods and resources/links describing methods for inputting special Unicode characters do you prefer/suggest looking into?

Thanks!

Posted

You'd need a keyboard that carries these symbols. I'm sure you can find a weird-language keyboard for, say, your phone to provide the sequence. You can probably copy-paste the characters from a Wikipedia article written in that language if you need to reproduce that sequence on a more limited platform.
