Wednesday, January 26, 2011

That WPA/Amazon Crack Story


It's remarkable how a little information can span the globe so quickly: The Reuters story on 7 January about a new WPA crack overstated the case, as I remarked in "WPA Cracked? Unlikely, Despite Headlines." I tried to get some clarification from Thomas Roth, the researcher cited in the story, who will present details at an upcoming Black Hat conference. He responded to my first request, confirming that it was just an enhanced brute-force attack, but not to my second, asking how many characters of a random WPA/WPA2 passphrase his method could crack in the time he cited. (Subsequent attempts to get a response haven't been answered.)

Roth did give more detail to New Scientist, however: his 20-minute crack, hosted on Amazon.com's cloud computing service, broke a six-character password, which he hasn't revealed. (A passphrase that short is unlikely to be random.) Roth says that he has since sped up the operation by a factor of 2.5.

This is impressive, but shouldn't cause anyone to quiver in their boots about a "WPA crack." It's been known for some time that short WPA/WPA2 passphrases are weak. The passphrase is converted by a deliberately slow key-derivation function (PBKDF2, 4,096 rounds of HMAC-SHA1, salted with the network's SSID) into a 256-bit master key, from which the TKIP or AES-CCMP session keys are derived. No shortcut in that derivation is known: an attacker who has captured a client's four-way handshake must try candidate passphrases one at a time, paying the full cost of the derivation for every guess, and the SSID salt means tables precomputed for one network name are useless against another. Each additional character you add to a random WPA passphrase multiplies the work by the size of the character set, so difficulty grows exponentially with length.

At present, I wouldn't risk a passphrase shorter than nine characters, randomly generated from a mix of numbers, punctuation, and upper- and lower-case letters. The "randomly generated" part is what counts: a nine-character dictionary word or name falls to a word list no matter how long it is. A truly random nine-character passphrase might hold against cracking (unless quantum computation becomes practical) for decades to come.



Can WPA Protect against Firesheep on Same Network?