It's remarkable how a little information can span the globe so quickly: The Reuters story on 7 January about a new WPA crack overstated the case, as I remarked in "WPA Cracked? Unlikely, Despite Headlines." I tried to get some clarification from Thomas Roth, the researcher cited in the story, who will present details at an upcoming Black Hat conference. He responded to my first request confirming that it was just an enhanced brute-force attack, but not to my second, asking how many characters in a random WPA/WPA2 passphrase could his method crack in the time he cited. (Subsequent attempts to get a response haven't been answered.)
Roth did give more detail to New Scientists, however: his 20-minute Amazon.com cloud computing hosted crack broke a six-character password, which he hasn't revealed. (A short passphrase is unlikely to be random.) Roth says that he has sped up the operation since by a factor of 2.5x.
This is impressive, but shouldn't cause anyone to quiver in their boots about a "WPA crack." It's been known for some time that short WPA/WPA2 passphrases, which are converted through an algorithm into a long TKIP or AES-CCMP key, are weak, but the algorithm isn't vulnerable to a way to speed up brute forcing. Each additional character you add to a WPA passphrase dramatically increases computational difficulty.
At present, I wouldn't risk a passphrase shorter than nine characters randomly derived with a mixed of numbers, punctuation, and upper and lower case. That might hold against cracking (unless quantum computation becomes practical) for decades to come.
I partly agree with you, however I have a GPU accelerated server in my lab just for cracking WPA passwords. Although this will start with an enhanced, 'dirivative' dictionary attack it will then drop to brute force. The box will attain 80,000 passwords per second, around 7 billion per day. An 8 character password will have a max break time of 2 months. I haven't done the maths on 9, it will be considerable longer but no need for quantum computing. So I agree that 20 minutes looks suspect but also 9 or even 10 characters is doable.
Cheers
Nick
@nick so if your server can do 7billion per day as a gpu accelerated server add sli to the mix so with just 3 gpus would make it 21 billion per day spice things up by using a 10 server cluster thats 210billion perday
so that would mean running a 8 char pass on an sli server would take 18 days max
using a 10 server cluster it would take less than 2days max (well more like 1.8 days)
and there are alot bigger clusters out there that could do it alot more faster