Blog: WPA

I recently needed to recover a long forgotten WPA encryption key from a friends Windows XP laptop.  Unfortunately the wireless router password and the ISP credentials were MIA also, so changing the key or resetting the router were not options.  After some searching I found WirelessKeyView from Nirsoft (  This is a simple EXE download that displays the WEP or WPA key for all networks on the laptop.  For Windows XP it can only get the 64 digit hex key because XP doesn't save it in clear text.  However this will work fine when joining the network.  On Windows Vista and Windows 7 it will retrieve the key in ASCII.


Technical press has recently printed headlines such as:

"No longer safe: WPA encryption cracked in 12 to 15 minutes" - ZDNet
"Once Thought Safe, WPA Wi-Fi Encryption Is Cracked" - PCWorld
"Researchers Crack WPA Wi-Fi Encryption" - Slashdot
"WPA cracked in 15 minutes or less, or your next router's free" - engadget

However, the details seem to indicate a much more limited vulnerability.

The "crack" is limited as follows:

  1. Access points running QoS (or WMM - Wireless MultiMedia)
  2. Small control packets such as ARP packets
  3. Only traffic using TKIP
  4. Only packets from the access point
  5. Requires 12 minutes & fails if the group key is renewed during that 12 min period

[more]No data decryption is actually involved.  However, if TKIP is being used, a DoS attack is possible by generating packets with correct checksums but erroneous packet authentication info (Message Integrity Code values).

  1. Disable TKIP if possible (use AES)
  2. Disable QoS (and/or WMM) to prevent replay attacks if possible
  3. Configure to reduce the group key renewal period to less than 12 minutes

Also, since WPA is susceptible to brute force attacks, you can use Steve Gibson's key generation site - I am paranoid enough to generate the password/key on a network other than the one that uses the external router I'm getting the key for.