15

My friend wants to keep his home network super-secure, due to some trouble that he's had with unwelcome Wi-Fi intruders. So, naturally, he devised an ultra-long WPA2 passphrase (on the order of 100+ characters) to thwart any would-be intruders.

Now, to my knowledge, even a simple 10-character alphanumeric passphrase would be quite secure for everyday use. Nonetheless, he insists on overkill. My question is, can this gigantic passphrase be detrimental to the performance of the network, or somehow cause slowdown at all? And, why or why not?

This question arose because I was having trouble connecting an older laptop, running Xubuntu, to his WPA2 network, whereas the laptop connects and functions fine with other WPA2 networks.

voithos
  • 253
  • 2
  • 7
  • 2
    Most routers I've encountered max the PSK at 63 characters. Are you sure that password is "100+ characters"? – Iszi Apr 29 '12 at 15:34
  • 3
    @Iszi: Well, I don't have it off hand to test my theory, but it definitely _looked_ ridiculously long. For the sake of argument, let's say that the password is indeed "just" 63 characters - I think that's still too long to be useful. – voithos Apr 29 '12 at 17:16
  • 7
    Is there such a thing as an unnecessarily long password? – Steve Apr 29 '12 at 17:39
  • 1
    @SteveS: I'd say, yes. When it's so long and random, that you can't hope to remember it (not in a million years), and have to resort to writing it on a piece of paper or holding it in a text file on your USB drive, then yes, I'd say it's **too** long. But I guess I'm just against the idea of trying to make security _really big_ in the hopes that it will work better. Or perhaps overkill makes me uncomfortable? – voithos Apr 30 '12 at 03:19
  • 3
    @voithos For something that you have to enter *one time per system* it's not so bad. Mine's 63 characters, randomly generated, stored on a text file in an encrypted volume. Add on MAC address filtering for the network, and you'd better have a *really good reason* to want to use my Wi-Fi when you ask. ;-) – Iszi Apr 30 '12 at 11:49
  • Really, though, it's not so bad once you get used to it. The worst are the smartphones and tablets, where you generally have to either manually enter the password or settle for e-mailing it in the clear. I usually try for the former, and typically get it right on the second or third try. – Iszi Apr 30 '12 at 11:53
  • 1
    @Iszi: Sure, if you make sure that the medium on which you hold the password is secured. An encrypted volume is secured. A piece of paper is _not_ secured. A text file on a thumb drive is usually _not_ secured. And really, if the password's going to be so long, why not just make it something memorable? At those lengths the admissible character set won't matter much anyway. Of course, this required an [obligatory XKCD strip](http://xkcd.com/936/). – voithos Apr 30 '12 at 16:13
  • 2
    @voithos Ah, and I forgot to throw this in earlier. Quote from a friend of mine. Not sure if it originates with him, or elsewhere. "Overkill is underrated." – Iszi Apr 30 '12 at 16:51
  • @Iszi: Fair enough. Although, the quote appears to originate from a certain `The A-Team` movie - or at least it is used in it. :) – voithos Apr 30 '12 at 17:57
  • @voithos, It can be **both** long and memorable. You can even have a 10 MB password (e.g. the full text of a story book). – Pacerier Feb 16 '15 at 08:05
  • I'd argue nowadays with the proliferation of password vaults/managers that remembering any password except the vault's password is unnecessary and perhaps even undesirable. That being said, I use modified Diceware passwords for some key sites that I often will have to log into on other computers over entirely random gibberish. – Nick Bedford Mar 13 '18 at 06:16

2 Answers2

21

No. It doesn't matter how long your passwords are because that value is never transmitted during the WPA-PSK Key Exchange. Instead a CMAC is calculated based on the secret key, the client and server id, as well as client and server provided large random values.

Regardless of how large your password is the resulting CMAC for WPA2-PSK will always be 128 bits:

MAC_P = CMAC-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P)
rook
  • 47,004
  • 10
  • 94
  • 182
6

No. A long passphrase will not cause slowdown.

The passphrase you type in is first converted to a fixed-size cryptographic key (e.g., a 128-bit key); no matter how long the passphrase, the cryptographic key will be the same size. Encryption and decryption take exactly the same amount of time, regardless of the length of your passphrase.

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • @Pacerier A hash is always used to convert a passphrase into a key. I believe WPA2 uses 4096 rounds of PBKDF2-SHA1. This is basic crypto and doesn't need a citation as you can simply search for it online or read any number of questions here. If a long passphrase takes any longer, it would be on the order of nanoseconds (e.g. the cost of operating with another SHA1 block and padding). – forest Mar 13 '18 at 03:05