Is a longer WiFi password more secure?

A short paragraph from another answer I have here pretty much covers this, though not in much detail:


The amount of protection offered by implementing a password in any system will always vary in direct proportion to the password complexity, and the effort taken to protect that password. Wireless networks are no exception.


Where a strong hashing mechanism is in use, longer and more complex passwords will almost invariably put you in a better security posture. I strongly suggest you read some of the other password questions we have here. One of particular interest is:

XKCD #936: Short complex password, or long dictionary passphrase?

It should be noted though, that a WPA2 network's PSK is only effective where WPS is either disabled or unsupported on the AP. Recent side-channel attacks allow an attacker to break WPS in a relatively short time, and gather the WPA2 PSK directly from the AP without having to actually crack the PSK itself.


It depends, but in general: yes.

To attack a WPA2 key (and considering WPS is disabled!) you need to brute-force it, so the longer the key, the longer it takes.

Suppose I have a key of three letters and I can process about 5 words a second to the AP (fictional). One word can consist of 24 letters and 10 numbers. So your possibilities are (24+10)^3 = 39304. If we add one letter we get: (24+10)^4 = 1336336 possibilities. It would take 37 times longer to process those possibilities.

The longer the phrase, the more possibilities, the longer it takes to attack an AP.

Note, HOWEVER: if you use normal words, you need to mind dictionary attacks. They just use a dictionary and test all the words in there, which significantly reduces the possibilities.


Is it always more secure? No, though it usually is.

As a counter-example, 1234567890 is much weaker than B9xZbA, six randomly generated alphanumeric characters, despite being longer. The difference is the informational entropy content of the password. Basically, when the sample space of similarly created passwords is smaller, the password is easier to crack. These sorts of calculations are a bit difficult to do in practice, but a few general points can be learned. Expanding the space of the randomly chosen items is less effective than increasing the length of the password. For example, a 10-char lowercase password (26 letters) of random characters has 26^10 ~ 10^14 possible passwords, while an 8-digit password that randomly mixes case (52 letters, upper and lower case) has 52^8 ~ 5 x 10^13 possible passwords and can be cracked in about half the time.

As a better example for a wifi password, you generally want a high-entropy passphrase. Passphrases may be easier to remember than an equivalent password. Diceware is a good way to generate a passphrase. I just generated glory pew golf iambic clip fee in a few seconds with a random number generator. Each word was generated by 5 rolls of a die (6^5 ~ 7776 choices), so a six-word (6^30 ~ 10^23) passphrase would take about a billion times longer to brute force than a ten-character lowercase one. An equivalent lower case password would be ~17 lowercase characters vjdipotnbwpnzjvzr or ~14 mixed case (tkydzwULzRzSFs) or ~12 mixed case and special characters (Unsv9[}[g2Pk).

Now when you have a password that falls into an easy pattern like 1234567890 the entropy is very low; e.g., you could say you have a choice of start character (80 choices), the way you ascend or descend characters (say 4 possibilities), and the length of the password (say 1-30 characters). This gives 80x4x30 = 9600 ~ 10^3 possibilities and is 10 billion times easier to crack than ten random digits. You may say, well, this would only be cracked if the cracking algorithm searches for this sort of special type of password, and that is true. But it's not hard to initially check for a few of these types of passwords (and it's much more likely that these types of passwords appear in leaked password lists).

Similarly, if I chose a meaningful phrase like the entropy is much lower, as there are small lists of meaningful phrases that an attacker in principle could use in their attacks.

You also have to make sure there are no other attacks against the system; e.g., if you are using WEP or WPS or another broken system, the complexity of your password is irrelevant.
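The keyspace arithmetic in the second answer and the entropy comparisons in the third, worked through as an added Python example (not code from any of the answers above). It assumes a 95-symbol alphabet for "mixed case and special characters" and reuses the answer's fictional 5 guesses/s as the default rate; both are assumptions, not figures from the page.

```python
import math
from dataclasses import dataclass


@dataclass
class Candidate:
    label: str
    alphabet_size: int  # symbols per position: 26 letters, 34 letters+digits, 7776 Diceware words, ...
    length: int         # number of independently and uniformly chosen positions


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest length over `alphabet_size` symbols that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def pattern_entropy_bits(*choice_counts: int) -> float:
    """Entropy of a structured password modelled as a product of independent choices,
    e.g. start character x direction x length for 1234567890-style sequences."""
    return math.log2(math.prod(choice_counts))


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


# Candidates taken from the answers; 95 (printable ASCII) for "special characters" is an assumption.
CANDIDATES = [
    Candidate("3 chars, 24 letters + 10 digits", 34, 3),
    Candidate("4 chars, 24 letters + 10 digits", 34, 4),
    Candidate("10 random lowercase", 26, 10),
    Candidate("8 random mixed case", 52, 8),
    Candidate("6 Diceware words", 7776, 6),
]


def compare(candidates=CANDIDATES, guesses_per_second: float = 5.0) -> list:
    """Rank candidates by entropy; 5 guesses/s is the fictional online rate from the second answer."""
    rows = [{"label": c.label,
             "bits": round(entropy_bits(c.alphabet_size, c.length), 1),
             "keyspace": keyspace(c.alphabet_size, c.length),
             "years_at_rate": years_to_exhaust(c.alphabet_size, c.length, guesses_per_second)}
            for c in candidates]
    return sorted(rows, key=lambda r: r["bits"])


if __name__ == "__main__":
    for row in compare():
        print(f'{row["label"]:<36} {row["bits"]:6.1f} bits  {row["years_at_rate"]:.3g} years at 5/s')
    dice = entropy_bits(7776, 6)
    print("Diceware-6 equivalents (26/52/95 symbols):", {a: equivalent_length(dice, a) for a in (26, 52, 95)})
    print("1234567890-style pattern:", round(pattern_entropy_bits(80, 4, 30), 1), "bits")
```

Running it reproduces the ~17 / ~14 / ~12 equivalent lengths given for the six-word Diceware passphrase and shows why the sequential-pattern model sits tens of bits below any of the random candidates.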