As we reach the end of this series, we’ve come a long way — from theory to hands-on practice.
We began with the:
Along the way, we peeled back the layers of how the 4-way handshake works, uncovered the risks hidden in weak password choices and learned how to weaponize those flaws with tools like Hashcat and Aircrack-ng — all while running a lightweight Linux environment from the palm of our hand.
Now, let’s shift our focus from offence to defense.
So far, we’ve seen how attackers actively exploit common weaknesses in WPA networks, but understanding the attack is only half the story.
It’s time to focus on defending against these threats while building stronger and truly resilient wireless networks.
Mitigation
There are two primary mitigation strategies I recommend:
1. Upgrade to WPA3
The third generation of Wi-Fi security introduces key protections against offline brute-force attacks, dictionary attacks and handshake capture.
It achieves this through three key features:
-
Simultaneous Authentication of Equals (SAE): Also known as the Dragonfly handshake, replaces the traditional WPA2 4-way handshake. In WPA2, the pre-shared key (PSK) is combined with other known parameters to derive a long-term Pairwise Master Key (PMK), which attackers can attempt to brute-force offline once they capture a handshake. SAE replaces this with an interactive protocol in which both the client and access point must demonstrate knowledge of the password in real time. As a result, an attacker cannot simply capture a handshake and brute-force it offline.
-
Perfect Forward Secrecy (PFS): PFS ensures that even if a session key is somehow compromised, past and future sessions remain secure, since each session uses fresh, ephemeral keys.
-
Zero-Knowledge Proof: SAE allows both parties to verify they share the same password without revealing any information about the password itself, significantly reducing the risk of password exposure.
However, WPA3 is not immune to attacks.
One known issue is downgrade attacks. The transition mode, which exists for backward compatibility with WPA2, can allow an attacker to force a client to connect to a rogue WPA2 network and capture a vulnerable handshake.
In some cases, attackers may also attempt to weaken the initial commit phase’s cryptographic strength, though these are far more complex than the attacks possible against WPA2.
2. Use a Strong Password
Even with WPA3 in place, password strength remains your frontline defence…
But before we dive deeper into the details, here are a few additional mitigation steps that further harden your Wi-Fi security:
-
Disable WPS (Wi-Fi Protected Setup): WPS is a convenience feature designed to simplify device connections, but it introduces serious vulnerabilities, including the well-known Pixie Dust attack or Reaver, which attackers can exploit to recover the network password in minutes. Disabling it removes the major attack surface.
-
Change the Default Admin Password: Routers often ship with weak, predictable default credentials. Changing the default password prevents attackers from easily gaining control over the device configuration and the network.
-
Change the Default SSID: Default SSIDs can reveal the router model or firmware version, which attackers can use to craft targeted exploits. Setting a unique SSID reduces the information available to potential attackers during reconnaissance.
-
Keep Firmware Updated: Regular firmware updates patches known vulnerabilities and strengthen your router’s defence against newly discovered exploits.
-
Disable auto-connect to known networks: Enabling this feature leaves devices vulnerable to evil twin attacks. Therefore, it is best to turn it off.
-
Hide the SSID (Optional): Disabling the broadcast conceals the network name from casual scans, deterring opportunistic attackers but providing minimal to no defence against skilled adversaries. If you disable SSID broadcasting, your network will not appear in basic Wi-Fi lists shown by phones, laptops, or simple consumer scanners.
Now, let’s get back to the…
Front Line Defence
Imagine equipping your home with motion detectors, CCTV, and intrusion alarms — yet leaving the front door wide open. Almost every burglary could be prevented by simply locking the door. The same principle applies to Wi-Fi security.
Authentication acts as the frontline defence in network and system security. No matter how many layers of encryption or monitoring you have, everything collapses if the attacker can walk right through the “door.”
The primary purpose of authentication as the first line of defence is twofold:
-
to prevent unauthorised users from gaining access.
-
to prevent authorised users from performing actions they’re not permitted to do.
Authentication usually falls into one of these categories:
-
Something you know: Knowledge-based authentication, such as passwords, PINs or security questions.
-
Something you have: Object-based authentication, such as access cards, USB tokens or RFID tags.
-
Something you are: Characteristic-based authentication or Biometric authentication, such as fingerprint scans, facial recognition or iris scans.
Throughout this blog, our focus is on knowledge-based authentication (KBA) or authentication based on something you know.
Knowledge-Based Authentication
Knowledge-based authentication is one of the earliest authentication mechanisms ever implemented and even today, it continues to dominate modern systems.
The concept behind Knowledge-based authentication is simple: the user and the system share a piece of secret information known only to them. This shared knowledge is what verifies the user’s identity.
A popular subtype of knowledge-based authentication is password-based authentication, which remains the most widely used authentication method.
Passwords are sequences of characters,letters, numbers, and symbols used to authenticate a user’s identity.
Invented in 1961 by Fernando Corbató at MIT, passwords were first introduced in the Compatible Time-Sharing System (CTSS) to protect individual user files on a shared mainframe.
In 1966, the system suffered the first documented computer password compromise, when an bug allowed a user to print the master password file. This early incident demonstrated that the password mechanism, which stored credentials in a simple, unencrypted format, was fundamentally unsafe almost from its inception..
Fast forward to today and not much has changed:
81% of modern compromises and data breaches still involve a weak or stolen password.
Hence, the single biggest threat to any password system is the compromise of the passwords themselves.
This weakness naturally raises an important question:
If passwords are so vulnerable, why do we still use them?
Despite the existence of stronger authentication methods like Object-based (OBA) and Characteristic-based authentication (CBA), passwords remain dominant because of several key advantages:
-
They are easy to implement and use
-
They are flexible and can be deployed virtually across any system
-
They are inexpensive compared to hardware-based authentication methods
In short, passwords remain an effective and affordable first line of defence but only when they are strong, unique and properly managed.
And this is where most users fail.
To truly strengthen your frontline defence, we need to understand how to create, store, and maintain strong passwords that stand resilient against modern attack methods.
Securing Passwords
Securing passwords begins with propper digital hygiene. Passwords are an integral part of digital hygiene — but what exactly does digital hygiene mean?
Just like hygiene refers to self-care in daily life, digital hygiene refers to self-care in the digital world. It includes the habits and routines that keep you safe online. A few examples are:
-
being careful about what you post online (eg: similar to setting personal boundaries)
-
protecting your accounts (eg: secure configurations)
-
being aware of your digital footprint (eg: google your name)
-
staying alert to scams (eg: being aware of modern scams)
To put it simply, here’s a real-world hygiene analogy:
Treat your passwords like your underwear:
-
You change them occasionally
-
You don’t share them
-
You don’t leave them lying around
-
You don’t use the same one everywhere
-
You keep them… private
Excellent digital hygiene is key to safeguarding your passwords.
But the bigger question is: How do we actually protect our passwords ?
To understand defence, we first need to understand what can compromise a password. In other words, we must look at the attack vectors (the ways attackers try to break or steal passwords).
Types of Password Vulnerabilities
Password vulnerabilities fall into two major categories:
1. Attacks where the strength of the password matters
These attacks target weak or predictable passwords.
Here, the core factor is crackability.
-
Brute-Force Attacks: attacker tries every possible combination.
-
Dictionary Attacks: attacker tries words and patterns from a wordlist (eg: attacker uses a oxford dictionary).
-
Rainbow Table Attacks: attacker pre-computes hashes to reverse weak hashing.
2. Attacks where strength does not matter
Here, even a strong password can be exposed, leaked or stolen due to poor Operational Security (OPSEC).
-
Credential Stuffing: using leaked passwords from known breaches.
-
Social Engineering: phishing or psychological manipulation.
-
Shoulder Surfing: observing you typing the password (even keystroke sounds can reveal length of the password).
-
Keyloggers: malware that records keystrokes.
When Do These Attacks Occur?
A password can be compromised at several critical stages during its lifecycle:
-
Formation (e.g: someone watching you create the password)
-
Memory / Recall (e.g: choosing weak passwords because they’re easier to remember)
-
Maintenance (e.g: reusing passwords across accounts)
-
Entry (e.g: shoulder surfing, keyloggers, etc)
-
Server-Side Handling (e.g: poor hashing, storing passwords in plaintext)
There are two primary ways to defend against these threats:
-
Create stronger passwords
-
Have better Operational Security (OpSec)
Creating Strong Passwords
Creating strong passwords remains one of the biggest challenges for most users and the problem still persists today.
Numerous password policies exist, yet most fail in practice because users perceive them as overly complex or burdensome.
To understand how to create a strong password, we first need to define what that actually means.
But, before defining a strong password, let’s break down the different elements that influence the strength of a password directly or indirectly:
-
Alphabet-Classes: The different types of characters available in the choice set. Traditionally, systems demand at least three classes: symbols, alphabets and numbers.
-
Alphabet-Size: The total number of characters available in the set. For example: A**–Z = 26**, 0–9 = 10, etc.
-
Password Length: The total number of characters in the password. For example, the string “password” has 8 characters.
-
Authentication Period: How long the user remains authenticated (multiple sessions, intra-session duration, etc).
-
Input Visualisation: The feedback shown when entering the password (plaintext, masked characters, dots/asterisks, etc).
-
Lifetime: How long the password remains valid before requiring a reset.
-
Password Guidance: System-provided rules that guide users while creating a password (minimum length, required character sets, etc).
-
Generator of Password: Whether the password is created by the user or generated by a system.
-
Storage: How the password is stored and maintained on the system side.
Now, let’s define what a secure password actually is:
A secure password is long, random, memorable and unguessable.
Typically, the recommended minimum length is at least 8 characters but considering the modern threats and according to the latest NIST guidelines the minimum benchmark for user-generate passwords are 15 characters and 8 characters for passwords used in multi-factor authentications.
But here’s the problem: the more random a password becomes, the harder it is to remember.
This lack of memorability is one of the main reasons people end up choosing weak passwords ( eg: something simple they can recall easily ).
However, a password doesn’t always need to be extremely complex. A longer password can be just as effective, since length significantly increases the time required to crack it and this is where ***passphrases ***comes in.
Passphrases
The latest NIST guidelines prioritize length over complexity
As the name suggests, a passphrase is a phrase instead of a single word. For example:
"ilovecrackingpasswords"
It’s long, easy to remember, and clearly more than 8 characters in length.
But there’s a catch: since passphrases use meaningful words, they are more vulnerable to dictionary attacks, especially if the phrase is common or predictable.
The strength of a password also depends on the system you’re securing. Highly sensitive systems require passwords that are longer and more complex than what you would use for a normal account. In many cases, they need passwords that are effectively twice as strong.
So, the real question becomes: How do we create a password that is long, random and still easy to remember?
Password Entropy
A strong password is usually judged based on three main criteria and two of the most important ones are:
-
Length: How long your password is
-
Complexity: How random or unpredictable it is
These two factors decide how difficult it is for an attacker to guess your password.
The key to preventing these attacks lies in maximising length and complexity.
Here, “preventing” an attack basically means making it mathematically impossible to guess the password within a realistic amount of time.
This is why increasing both length and randomness works, simply put: make it longer and make it random.
The strength of a password, based on length and complexity, can be measured using entropy.
Entropy basically tells you “how random” a password is, but expressed in bits.
Entropy is calculated by raising the character-set size to the power of the password length and then taking the base-2 logarithm of the result, yielding the number of bits of randomness (which makes it easier to understand complexity).
To understand this, let’s look at a basic example:
L = length of password
R = size of character-set
E = L * log2(R) or log2(R^L)
# Let's use the string "password" as the password:
L = 8 characters
R = 26 (a–z)
E = log2(26^8) = 37.6 bits
# The resulting entropy bit value can also be represented as
2^37.6 = 208,827,064,576
# The above is same as
26^8 = 208,827,064,576
In simpler terms, entropy represents the total number of possible password combinations expressed as bits.
Each additional bit doubles the difficulty of guessing the password, providing a measure of the password’s resistance to cracking.
However, in the real world it’s usually more practical to think in terms of how long it would take a computer to brute-force it and entropy becomes useless if the attacker already knows the password.
Still, entropy remains one of the strongest indicators of password strength.
A password with 80 bits or more is considered strong against brute-force attacks. With modern GPUs, 80 bits of entropy is widely considered as the minimum benchmark for password strength.
To increase entropy, you can either:
1. Increase the length of the password
For example, a passphrase like “passwordsareamazing”:
L = 19
R = 26
E = 19 * log2(26) = 89.30 bits
2. Increase the complexity (increase the size of your character set)
Example “pA55w0Rdr0W55aP”
L = 15
R = 26 (a–z) + 26 (A–Z) + 10 (0–9) = 62
E = 15 * log2(62) = 89.31 bits
You might notice that in the earlier examples, both entropy values ended up close to each other.
One password is longer but less complex; the other is shorter but more complex.
Now imagine both passwords had the same entropy value.
Which one would you pick?
Most would choose the lengthy passphrase.
Why?
Because it’s easier to remember.
When your password uses words or patterns related to you, it becomes much easier to recall.
People who choose complex passwords usually do so because they know it is mathematically safer.
Both options have trade-offs:
- A long yet simple password is easier to remember but far easier to guess, especially if it contains common words or personal details. Any password that follows a recognisable pattern can be guessed.
- A complex password increases security but becomes harder to remember, and eventually you’ll forget it unless you use it often , which weakens security over time.
Both passwords might survive a typical brute-force attack, but they may still fail against:
- credential stuffing
- dictionary attacks
- rules-based cracking (eg: variations of common words)
Entropy remains a critical indicator of password strength; however, it must not be the only factor considered.
If you increase the length too much or make the complexity too extreme, both can reduce real-world security because the password becomes unusable.
There needs to be a balance between:
- security: how random it is
- usability: how easy it is to remember
…While still maintaining good entropy.
Balance between strength and usability
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand technology.” ~ Bruce Schneier.
Password-based authentication has long focused almost exclusively on technical strength.
But this overlooks a critical component: every strong password must still be created, remembered and used by a human being.
When usability is ignored, we end up with security mechanisms that look strong on paper but fail in practice.
Here, usability refers to how easily users can generate, store, maintain and correctly type a password.
Poor usability often pushes people toward predictable patterns, reused passwords and shortcuts that significantly weaken security — not because users are careless, but because the system itself isn’t human-friendly.
To understand why usability directly influences password quality, we first need to recall the core characteristics of a strong password. A strong password:
- is reasonably long
- uses a sufficiently large character set
- is unique
- avoids predictable associations
- can be memorised precisely
In simple terms, a strong password must be long and random but still memorable to the user.
To illustrate this, recall the entropy examples we discussed earlier:
Without scrolling up, try to recall both passwords. You’ll probably remember the passphrase quite easily, but the complex password may already be gone or only partially remembered.
This gap between theoretical strength and practical memorability is exactly the problem usability tries to solve — leading us to the third critical criterion of a strong password…
Memorability
The human brain remembers information through patterns, meaning and association; hence, a password like m#P52s@ap$V is so difficult to recall as it carries no meaning, no structure and no cues the mind can anchor to.
Because users must manage many unique passwords, this becomes a cognitive burden that traditional password schemes never accounted for.
As a result, people gravitate toward familiar words, personal details and predictable associations. Others rely on external memory aids, such as writing passwords down, which shifts the password from something you know to something you possess, weakening the security model.
This makes memorability a critical requirement in password construction.
Ben F. Barton and Marthalee S. Barton, in their research “User-Friendly Password Methods for Computer-Mediated Information Systems” proposed cognitive approaches that leverage human memory — specifically recall, mental cues and lightweight
transformations. Their methods draw from three types of memory:
- Semantic memory: general knowledge, language, concepts and meaning.
- Episodic memory: personal experiences and events.
- Environmental cues: recognition triggered by surroundings or context.
These approaches help generate an initial memorable string, which is then transformed to create a password that is familiar to the user yet appears random to everyone else.
The goal is simple: a password that is visible to you but invisible to others.
This process can be understood in two phases:
-
Password Selection: Choose the cognitive approach that fits you best and derive a base phrase or string from it.
-
Transform Procedure: Apply simple transformations to distance the final password from the original phrase, making it resistant to guesswork while remaining easy for you to recall.
Now, let’s break down each of these cognitive approaches and understand how they actually work.
Semantic Memory
Semantic memory holds information closely tied to language, facts and general knowledge. Passwords derived from semantic memory are based on familiar character strings such as nursery rhymes (e.g., “Humpty Dumpty sat on a wall”) or popular movie quotes (e.g., “Expecto Patronum”).
When choosing a password using semantic memory, users should follow two key criteria:
- Avoid reflecting public life: Do not use information tied to your age, gender, ethnicity, or geographical background.
- Leverage natural recall tendencies: Choose strings that you can easily remember, so that transformations applied later remain retrievable.
Good examples include titles, lines or names from movies, songs or poems. These are easy to memorise while remaining difficult for attackers to guess, as long as the string isn’t closely associated with your personal life.
Because semantic memory does not require contextual cues, it enables rapid access to familiar information and as a result, promotes faster and easier recall.
However, it also has a limitation: it is shared knowledge.
For instance, if you, as a Harry Potter fan, choose “Expecto Patronum” as your password, an attacker who knows your fandom could have a higher chance of guessing it, even after you apply transformations.
Episodic Memory
Episodic memory stores information related to an individual’s personal experiences. These memories are usually private and unshared, except for obvious events such as birthdays, pet names, or a child’s name.
Because episodic memory reflects unique, personal experiences, it can provide excellent material for strong passwords. Examples include personal fantasies, unspoken opinions or intimate habits.
Compared to semantic memory, episodic memory differs in two key ways:
- Privacy: Semantic memory holds broadly accepted knowledge, in contrast to episodic memory, which is deeply tied to individual personal events.
- Accessibility: The descriptive and detailed nature of episodic memories can make recall slower, so retrieving these passwords may not be as fast or effortless as those based on semantic memory.
Environmental Cues
Environmental cues are stimuli in the user’s environment (eg: sounds or sights that help prompt a password ). In other words, this approach uses contextual selection of strings based on the user’s environment.
Unlike semantic or episodic memory, environmental cues rely on recognition rather than recall.
Humans are generally better at recognising things than recalling them from memory.
For example, a painting of an autumn forest in your office might inspire the password “red forest”.
Adjectives, adverbs or other descriptive expressions based on environmental context are often effective starting points.
The main challenge with this approach is that the environmental cue itself must remain private. If the cue is obvious such as your child’s name from a desk photo or your home street name — the password becomes easy to guess.
As with the other methods, transformations should be applied to the base string to create passwords that appear random to anyone else while remaining memorable to you.
Transformation Procedures
A transformation procedure (or transformation technique) manipulates a string at some level — character, phoneme, syllable, word or phrase to produce a password that is both recognisable and memorable to the user.
There are three main objectives behind any transformation:
- It should be easy to memorise and execute
- It should generate passwords with simple, memorable structural patterns that help you recreate them
- It should produce passwords resistant to brute‑force and informed guessing
These three objectives form the basis for selecting the most appropriate transformation technique.
Even though there are many transformation techniques, only a few satisfy all three objectives, since the right method depends heavily on a user’s individual cognitive ability — what seems easy for one person may not be for another.
To understand this better, let’s look at some common transformation techniques:
- Acronyms: Jack and Jill Went Up The Hill (semantic memory) = JAJWUTH
- Substitution of abbreviations: Relative Humidity (environmental cue) = RELHUM
- Interweaving characters from successive words: Black Forest (episodic memory) = BFLOARCEKST
Another idea is a character‑by‑character shift, where you imagine a ring of alphanumeric characters in their natural order (0–9, A–Z) and replace each character with its adjacent one.
For example:
“tomatoes” = “UPNBUPFT”
To strengthen the password further, transformations can be applied in sequence:
# 1. Base string
"Jack and Jill went up the hill" # semantic memory
# 2. First transformation
"JAJWUTH" # acronym
# 3. Second transformation (replace letters with visually similar symbols)
"J@JWU7" # (@ = A, 7 = T, # = H)
Let’s test this using entropy:
J@JWU7# = 43 bits
This isn’t ideal, since 80 bits is often considered the lower benchmark for a strong password.
Let’s try another sequence:
Black Forest = BFLOARCEKST = bBf10@Rc3K577 = 83 bits
This shows that even the best transformation techniques won’t matter unless the final password also has good length and complexity. This is where entropy again proves its importance as a measurement.
By now, you should have a clear picture of how transformation procedures work. It’s important to experiment and find the method that fits your own memory and comfort best.
At this point, we now have the “recipe” for a strong password — reasonably lengthy, random, memorable and hard to guess. But…
A strong password only protects you from attacks where password robustness is critical, such as cracking.
It does not protect against attacks in which strength is irrelevant — such as credential stuffing, shoulder surfing or keyloggers.
And that brings us to..
Operational Security (OpSec)
Weak passwords or weak operational security (OpSec) usually arise from three key limitations:
-
Lack of learnability: users don’t understand how passwords work, how cracking works or how to build strong passwords.
-
Lack of memorability: users cannot remember multiple strong passwords.
-
Lack of motivation: users don’t feel driven to create and maintain strong passwords.
We have already discussed learnability and memorability but motivation deserves attention.
Why do users lack the desire to create strong passwords? Several reasons contribute:
-
Lack of awareness: many people don’t realise how easy password cracking has become, so they underestimate the risk.
-
Password overload: the average internet user now manages more than 250 passwords (compared to around 100 in 2010).
-
Strict, unrealistic policies: requirements like “random, 8 characters, uppercase,lowercase,digits, symbols” can feel overwhelming without proper guidance.
-
Human nature: people naturally seek convenience and avoid cognitive burden, leading to weaker passwords.
To overcome this lack of motivation, we can reduce the burden on the user through practical solutions:
System-Generated Passwords
Instead of creating passwords manually, users can rely on tools that generate random strings. These are far stronger but much harder to remember, making them ideal when paired with a password manager.
Single Sign-On (SSO)
Instead of maintaining dozens of passwords, SSO allows a single authentication to unlock multiple services (e.g., “Continue with Google”). This reduces password fatigue while maintaining security.
Out-of-Band Authentication
Here, authentication happens on a separate device (usually your phone). This protects against keyloggers and infected systems. It’s often considered a form of Multi Factor Authentication (MFA) because verification occurs through an independent communication channel.
Password Managers
The all-in-one solution: generation, storage, maintenance, and autofill — all encrypted and secured. Password managers significantly reduce the cognitive load of managing passwords and enhance overall operational security.
However, password managers also face a common criticism:
“If all my passwords are stored in one vault, isn’t that dangerous?”
This concern makes choosing the right password manager extremely important.
A secure password manager should have:
- encryption at rest
- encryption in transit
- end-to-end encryption (so even the vendor can’t read your vault)
- a built-in password generator
- multi-factor authentication (not SMS-based)
- support for self-hosting (optional)
- open-source codebase (preferable)
- “trust-no-one” architecture
- cross-platform availability
- client-managed encryption keys
Popular examples include 1Password, NordPass, Proton Pass and open-source alternatives such as Bitwarden, Vaultwarden, KeePassXC, Buttercup and AuthPass.
Post-Compromise Measures
Sometimes even a strong password isn’t enough. Attackers can be stealthy, so preparation is essential.
Traditional password policies enforced frequent password changes, presuming long‑standing passwords were more prone to compromise. This, however, triggered fatigue and caused users to rely on reused, weaker passwords.
The latest NIST guidelines advise the opposite:
Do NOT change passwords periodically.
Change them only when there is evidence of compromise.
But how do you know if a password is compromised ?
1. Check for Breach Exposure
Use services like HaveIBeenPwned to check whether your password has appeared in a known data breach. If it has — change it immediately.
2. Watch for Suspicious Activity
Unexpected account logins, notifications or unknown devices are strong indicators. Changing the password immediately locks out anyone using stolen credentials.
3. Additional Recovery Steps
If compromise is detected:
- enable multi-factor authentication
- Sign out of all devices and regenerate session tokens
- change the password
- Use “forgot password” if locked out
- Make sure you are using secure and encrypted services like HTTPs to protect yourself against Man-In-The-Middle (MITM) attacks.
The Biggest OpSec Mistake
If you reuse a password across accounts and one gets compromised, the attacker can compromise many more with almost no effort.
Never reuse passwords: this is the core rule of password Operational Security (OpSec).
Finally…
To sum up
- Use a password manager to simplify password creation and management.
- Check regularly if your credentials have been exposed.
- If you spot any signs of compromise, immediately change passwords, terminate sessions and enable MFA.
- Use encrypted and secure services
- You no longer need to change passwords frequently unless there is evidence of compromise.
With this, the series comes to an end. You now understand not just how attackers capture and crack Wi-Fi passwords, but also how to defend your own network with stronger passwords, better Operational Security (OpSec), and informed security choices.
Finally, think of this blog not as a strict rulebook but as a framework — a starting point you can adapt and build upon to shape your own security practices.
Until next time…Stay safe