Israeli security researcher Ido Hoorvitch from Tel Aviv published the results of an experiment studying the strength of passwords used to protect access to wireless networks. Working from intercepted frames containing PMKID identifiers, he was able to recover the access passwords for 3663 of the 5000 (73%) wireless networks studied in Tel Aviv. The conclusion is that most wireless network owners set weak passwords that are susceptible to hash cracking, and that their networks can be attacked with the standard tools hashcat, hcxtools and hcxdumptool.
Ido used a laptop running Ubuntu Linux to capture wireless network packets: he put it in a backpack and walked around the city until he had captured frames with a PMKID (Pairwise Master Key Identifier) from five thousand different wireless networks. He then used a computer with 8 NVIDIA Quadro RTX 8000 48GB GPUs to recover passwords from the hashes extracted from the PMKID identifiers. Cracking performance on this server was almost 7 million hashes per second. For comparison, an ordinary laptop manages about 200 thousand hashes per second, which is enough to recover one 10-digit password in about 9 minutes.
To speed up the cracking, the search was limited to sequences of only 8 lowercase letters, as well as 8, 9 or 10 digits. This restriction was enough to recover the passwords of 3663 of the 5000 networks. The most popular were 10-digit passwords, used in 2349 networks. 8-digit passwords were used in 596 networks, 9-digit passwords in 368, and passwords of 8 lowercase letters in 320. Repeating the search with the rockyou.txt dictionary, 133 MB in size, immediately recovered 900 passwords.
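For an owner checking their own network, the added example below (not code from the study) tests whether a passphrase falls inside one of the four candidate classes described above and how long that class takes to exhaust at the server rate the article reports. The function and constant names are hypothetical, and the sample passphrases are constructed.

```python
import re

# Candidate classes the article says the search was limited to:
# (label, pattern, number of candidates in the class).
SEARCHED_CLASSES = [
    ("8 lowercase letters", re.compile(r"[a-z]{8}"), 26 ** 8),
    ("8 digits", re.compile(r"[0-9]{8}"), 10 ** 8),
    ("9 digits", re.compile(r"[0-9]{9}"), 10 ** 9),
    ("10 digits", re.compile(r"[0-9]{10}"), 10 ** 10),
]

# Approximate rate the article reports for the 8-GPU server (hashes per second).
SERVER_RATE = 7_000_000


def audit_passphrase(passphrase, rate=SERVER_RATE):
    """Report whether a WPA/WPA2 passphrase lies inside a searched class.

    worst_case_seconds is the time to try every candidate in that class
    against one network's hash at the given rate.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA/WPA2 passphrase is 8 to 63 characters long")
    for label, pattern, keyspace in SEARCHED_CLASSES:
        if pattern.fullmatch(passphrase):
            return {"covered": True, "class": label, "keyspace": keyspace,
                    "worst_case_seconds": keyspace / rate}
    return {"covered": False, "class": None, "keyspace": None,
            "worst_case_seconds": None}


def format_duration(seconds):
    """Render a duration as hours and minutes for the report."""
    minutes = int(round(seconds / 60))
    return f"{minutes // 60} h {minutes % 60} min"


if __name__ == "__main__":
    # Constructed sample passphrases, not values from the study.
    for sample in ["0541234567", "12345678", "qwertyui", "Blue-Kettle-42-river"]:
        result = audit_passphrase(sample)
        if result["covered"]:
            print(f"{sample!r}: inside '{result['class']}', exhausted in at most "
                  f"{format_duration(result['worst_case_seconds'])}")
        else:
            print(f"{sample!r}: outside the searched classes")
```

A passphrase reported as outside these classes is not thereby strong: the article's second pass with the rockyou.txt dictionary recovered further passwords.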
It is assumed that password strength in wireless networks in other cities and countries is roughly the same, and that most passwords can be recovered in a few hours at a cost of about $50 for a wireless card that supports monitor mode (an Alfa Network AWUS036ACH card was used in the experiment). The PMKID-based attack applies only to access points that support roaming, but as practice has shown, most manufacturers do not disable it.