WiFi: Why-Guess

Published on 2025-11-09 by sobbing

Introduction

It is common knowledge (hopefully) nowadays that default credentials such as admin/admin are unsafe and should be changed immediately when setting up a service, but does this logic also apply to Wi-Fi passwords?

The Problem

At a glance, Wi-Fi passwords look like they are fully secure and randomized. While this is true to some extent, that impression quickly falls apart once you understand the keyspace those passwords are drawn from.

Let's imagine this scenario:

Bob tells us he has a fully randomized password. Bob tells us the password is 8 characters. Bob tells us he doesn't use special characters. Bob also doesn't like lowercase letters since they are too small. Bob tells us he doesn't like using letters past F in the alphabet.

From all this info, what can we take away?

  1. Password is 8 random characters: We know the alphabet has 26 lowercase letters and 26 uppercase, which totals 52. There are 10 digits, which brings us to 62 possible characters. Let's not forget the 33 special characters (including space), which brings the total to 95 possible characters to choose from. This leads us to 95^8 possible passwords. That's alright I guess, right?
  2. Password doesn't use special characters: So now we go back to having just 62 possible characters, which gives 62^8 possible passwords. Not great, but surely it can't get worse than that, right?
  3. Password doesn't use any lowercase letters: We go from having 62 possible characters to choose from all the way down to 36, which gives 36^8 possible passwords. Let's not make this any worse than this Bob, please!!!!
  4. Password doesn't use any character past the letter F: Only the 10 digits and the letters A to F are left, 16 characters in all, so we now have a total of 16^8 possible passwords. Although this may seem like a big number, it really isn't. Not even close.

If you are thinking "Wow, I would never let Bob configure my password ever in my life", you are completely right! But it turns out Bob is actually your own ISP! This example was taken from Bell's Wi-Fi password keyspace. It is just one example, and there are many, many more. Bell is not the only one, so don't think you are safe just because you are using another provider. If you are using a default AP name, you are an even bigger target, since the name may give an attacker the information they need to work out the keyspace behind your password. For example, if an attacker sees you are using BELLXXX, they know there are a total of 16^8 possible passwords, whereas BELLXXXX will have a slightly larger keyspace since it now requires 10 characters instead of 8 characters. This can allow an attacker to get into your network easily within a couple of days if they are able to capture something like the WPA2 handshake, which allows them to crack the passphrase offline.
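To check your own passphrase against the narrowing walked through above, the following Python is an added example, not code from the original post. It infers the smallest of the four character classes (95, 62, 36, 16) a passphrase fits into and estimates how long that keyspace lasts. The guess rate, the one-year threshold and the class names are assumptions chosen for illustration.

```python
import math
import string

# Character classes in the order the article narrows Bob's password down.
CLASSES = [
    ("hex-upper", set("0123456789ABCDEF")),                         # 16
    ("upper+digits", set(string.ascii_uppercase + string.digits)),  # 36
    ("alnum", set(string.ascii_letters + string.digits)),           # 62
    ("printable", {chr(c) for c in range(32, 127)}),                # 95, incl. space
]

# Assumption for illustration only: offline guesses per second.
ASSUMED_GUESSES_PER_SEC = 100_000


def smallest_class(passphrase):
    """Return (name, size) of the smallest class containing every character."""
    chars = set(passphrase)
    for name, members in CLASSES:
        if chars <= members:
            return name, len(members)
    raise ValueError("passphrase contains non-printable or non-ASCII characters")


def audit(passphrase, rate=ASSUMED_GUESSES_PER_SEC, max_days=365):
    """Estimate the keyspace an attacker who knows the format must search.

    The class is inferred from the passphrase itself, so this is the
    attacker's best case: accurate when the scheme is known (for example
    from a default SSID), an understatement for a truly random passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    name, size = smallest_class(passphrase)
    keyspace = size ** len(passphrase)
    days = keyspace / rate / 86_400  # worst case: every candidate is tried
    return {
        "class": name,
        "keyspace": keyspace,
        "bits": len(passphrase) * math.log2(size),
        "days_to_exhaust": days,
        "weak": days < max_days,
    }


if __name__ == "__main__":
    # Constructed sample passphrases, not real defaults.
    for sample in ("A1B2C3D4", "A1B2C3D4E5", "Hello123", "correct horse battery staple"):
        print(sample, audit(sample))
```

An 8-character passphrase that fits the 16-character class carries only 32 bits, which is why replacing it with a longer passphrase from a wider character set matters more than anything else on this page.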

Remediation

Change the defaults to something more secure. It really is that simple.