[Pentesting] The cost of cracking WPA2 (Wi-Fi) passwords in 2025.

AMD Ryzen 5 3600 6-Core: Hashcat speed in 22000 mode (WPA2): 15000-20000 keys per second. Slow!

RTX4000 Ada on Linode (350 USD per month). (The videocard may cost ~2k USD in 2025.) Hashcat speed in 22000 mode (WPA2): 758.1 kH/s. And when taking passwords from stdin, slower: 507.5 kH/s.

The cost of second (given 350 USD per month): 1.350309e-04 USD.

Time: m - minutes, d - days. Cost in USD: k - 10**3, M - 10**6, B - 10**9.

Given Hashcat speed: 758 kH/s:

| total | chars         | total pws      | total pws | time on Ada (s) | time on Ada   | cost      |
|-------+---------------+----------------+-----------+-----------------+---------------+-----------|
|     8 | 0-9           | 10**8          | 1.000e+08 |       1.319e+02 | 2m            | ~2 cents  |
|     8 | a-z           | 26**8          | 2.088e+11 |       2.754e+05 | 3d            | 37        |
|     8 | a-z0-9        | (26+10)**8     | 2.821e+12 |       3.721e+06 | ~1.5 months   | 502       |
|     8 | a-zA-Z0-9     | (26+26+10)**8  | 2.183e+14 |       2.879e+08 | ~9 years      | ~38k      |
|     8 | all printable | 96**8          | 7.213e+15 |       9.515e+09 | ~305 years    | ~1.2M     |
|     9 | 0-9           | 10**9          | 1.000e+09 |       1.319e+03 | 21m           | ~17 cents |
|     9 | a-z           | 26**9          | 5.429e+12 |       7.162e+06 | ~3 months     | 967       |
|     9 | a-z0-9        | (26+10)**9     | 1.015e+14 |       1.339e+08 | ~4 years      | ~18k      |
|     9 | a-zA-Z0-9     | (26+26+10)**9  | 1.353e+16 |       1.784e+10 | ~573 years    | ~2.4M     |
|     9 | all printable | 96**9          | 6.925e+17 |       9.135e+11 | 29369 years   | ~123M     |
|    10 | 0-9           | 10**10         | 1.000e+10 |       1.319e+04 | ~3h           | ~2        |
|    10 | a-z           | 26**10         | 1.411e+14 |       1.861e+08 | 6 years       | ~25k      |
|    10 | a-z0-9        | (26+10)**10    | 3.656e+15 |       4.823e+09 | 155 years     | ~651k     |
|    10 | a-zA-Z0-9     | (26+26+10)**10 | 8.392e+17 |       1.107e+12 | 35590 years   | ~149M     |
|    10 | all printable | 96**10         | 6.648e+19 |       8.770e+13 | 2819573 years | ~11B      |

Sorted by cost:

| total | chars         | total pws      | total pws | time on Ada (s) | time on Ada   | cost      |
|-------+---------------+----------------+-----------+-----------------+---------------+-----------|
|     8 | 0-9           | 10**8          | 1.000e+08 |       1.319e+02 | 2m            | ~2 cents  |
|     9 | 0-9           | 10**9          | 1.000e+09 |       1.319e+03 | 21m           | ~17 cents |
|    10 | 0-9           | 10**10         | 1.000e+10 |       1.319e+04 | ~3h           | ~2        |
|     8 | a-z           | 26**8          | 2.088e+11 |       2.754e+05 | 3d            | 37        |
|     8 | a-z0-9        | (26+10)**8     | 2.821e+12 |       3.721e+06 | ~1.5 months   | 502       |
|     9 | a-z           | 26**9          | 5.429e+12 |       7.162e+06 | ~3 months     | 967       |
|     9 | a-z0-9        | (26+10)**9     | 1.015e+14 |       1.339e+08 | ~4 years      | ~18k      |
|    10 | a-z           | 26**10         | 1.411e+14 |       1.861e+08 | 6 years       | ~25k      |
|     8 | a-zA-Z0-9     | (26+26+10)**8  | 2.183e+14 |       2.879e+08 | ~9 years      | ~38k      |
|    10 | a-z0-9        | (26+10)**10    | 3.656e+15 |       4.823e+09 | 155 years     | ~651k     |
|     8 | all printable | 96**8          | 7.213e+15 |       9.515e+09 | ~305 years    | ~1.2M     |
|     9 | a-zA-Z0-9     | (26+26+10)**9  | 1.353e+16 |       1.784e+10 | ~573 years    | ~2.4M     |
|     9 | all printable | 96**9          | 6.925e+17 |       9.135e+11 | 29369 years   | ~123M     |
|    10 | a-zA-Z0-9     | (26+26+10)**10 | 8.392e+17 |       1.107e+12 | 35590 years   | ~149M     |
|    10 | all printable | 96**10         | 6.648e+19 |       8.770e+13 | 2819573 years | ~11B      |

Yes, you can buy/rent much more expensive videocard(s), and the speed would be (much) faster. But the cost would not be differ significantly.

Realistically, only short passwords consisting of 0-9 or a-z or A-Z can be cracked practically. Or passwords based on dicionary attack, of course: 1, 2.

(the post first published at 20251013, updated 20251215.)

List of my other blog posts. Subscribe to my news feed,

If you noticed a typo/bug/error or have any suggestions, do not hesitate to drop me a note: my emails. Or use my zulip for feedback. Thanks in advance!

Also, among my services is writing examples-rich manuals and references. If you like my work and want something similar for your (commercial) product: contact me.

If you enjoy my work, you can support it on patreon.

Some time ago (before 24-Mar-2025) there was Disqus JS script for comments. I dropped it --- it was so motley, distracting, animated, with too much ads. I never liked it. Also, comments din't appeared correctly (Disqus was buggy). Also, my blog is too chamberlike --- not many people write comments here. So I decided to switch to the model I once had at least in 2020 --- send me your comments by email (don't forget to include URL to this blog post) and I will copy&paste it here manually.

Let's party like it's ~1993-1996, in this ultimate, radical and uncompromisingly primitive pre-web1.0-style blog and website. This website is best viewed under lynx/links/elinks/w3m.