[Pentesting] The cost of cracking WPA2 (Wi-Fi) passwords in 2025.

AMD Ryzen 5 3600 6-Core: Hashcat speed in 22000 mode (WPA2): 15000-20000 keys per second. Slow!

RTX4000 Ada on Linode (350 USD per month). (The video card itself may cost ~2k USD in 2025.) Hashcat speed in 22000 mode (WPA2): 758.1 kH/s. When taking passwords from stdin it is slower: 507.5 kH/s.

The cost of one second (given 350 USD per month): 1.350309e-04 USD.

Time: m - minutes, d - days. Cost in USD: k - 10**3, M - 10**6, B - 10**9.

Given Hashcat speed: 758 kH/s:

|   len | chars         | pws (formula)  | total pws | time on Ada (s) | time on Ada   | cost, USD |
|-------+---------------+----------------+-----------+-----------------+---------------+-----------|
|     8 | 0-9           | 10**8          | 1.000e+08 |       1.319e+02 | 2m            | ~2 cents  |
|     8 | a-z           | 26**8          | 2.088e+11 |       2.754e+05 | 3d            | 37        |
|     8 | a-z0-9        | (26+10)**8     | 2.821e+12 |       3.721e+06 | ~1.5 months   | 502       |
|     8 | a-zA-Z0-9     | (26+26+10)**8  | 2.183e+14 |       2.879e+08 | ~9 years      | ~38k      |
|     8 | all printable | 96**8          | 7.213e+15 |       9.515e+09 | ~305 years    | ~1.2M     |
|     9 | 0-9           | 10**9          | 1.000e+09 |       1.319e+03 | 21m           | ~17 cents |
|     9 | a-z           | 26**9          | 5.429e+12 |       7.162e+06 | ~3 months     | 967       |
|     9 | a-z0-9        | (26+10)**9     | 1.015e+14 |       1.339e+08 | ~4 years      | ~18k      |
|     9 | a-zA-Z0-9     | (26+26+10)**9  | 1.353e+16 |       1.784e+10 | ~573 years    | ~2.4M     |
|     9 | all printable | 96**9          | 6.925e+17 |       9.135e+11 | 29369 years   | ~123M     |
|    10 | 0-9           | 10**10         | 1.000e+10 |       1.319e+04 | ~3h           | ~2        |
|    10 | a-z           | 26**10         | 1.411e+14 |       1.861e+08 | 6 years       | ~25k      |
|    10 | a-z0-9        | (26+10)**10    | 3.656e+15 |       4.823e+09 | 155 years     | ~651k     |
|    10 | a-zA-Z0-9     | (26+26+10)**10 | 8.392e+17 |       1.107e+12 | 35590 years   | ~149M     |
|    10 | all printable | 96**10         | 6.648e+19 |       8.770e+13 | 2819573 years | ~11B      |

Sorted by cost:

|   len | chars         | pws (formula)  | total pws | time on Ada (s) | time on Ada   | cost, USD |
|-------+---------------+----------------+-----------+-----------------+---------------+-----------|
|     8 | 0-9           | 10**8          | 1.000e+08 |       1.319e+02 | 2m            | ~2 cents  |
|     9 | 0-9           | 10**9          | 1.000e+09 |       1.319e+03 | 21m           | ~17 cents |
|    10 | 0-9           | 10**10         | 1.000e+10 |       1.319e+04 | ~3h           | ~2        |
|     8 | a-z           | 26**8          | 2.088e+11 |       2.754e+05 | 3d            | 37        |
|     8 | a-z0-9        | (26+10)**8     | 2.821e+12 |       3.721e+06 | ~1.5 months   | 502       |
|     9 | a-z           | 26**9          | 5.429e+12 |       7.162e+06 | ~3 months     | 967       |
|     9 | a-z0-9        | (26+10)**9     | 1.015e+14 |       1.339e+08 | ~4 years      | ~18k      |
|    10 | a-z           | 26**10         | 1.411e+14 |       1.861e+08 | 6 years       | ~25k      |
|     8 | a-zA-Z0-9     | (26+26+10)**8  | 2.183e+14 |       2.879e+08 | ~9 years      | ~38k      |
|    10 | a-z0-9        | (26+10)**10    | 3.656e+15 |       4.823e+09 | 155 years     | ~651k     |
|     8 | all printable | 96**8          | 7.213e+15 |       9.515e+09 | ~305 years    | ~1.2M     |
|     9 | a-zA-Z0-9     | (26+26+10)**9  | 1.353e+16 |       1.784e+10 | ~573 years    | ~2.4M     |
|     9 | all printable | 96**9          | 6.925e+17 |       9.135e+11 | 29369 years   | ~123M     |
|    10 | a-zA-Z0-9     | (26+26+10)**10 | 8.392e+17 |       1.107e+12 | 35590 years   | ~149M     |
|    10 | all printable | 96**10         | 6.648e+19 |       8.770e+13 | 2819573 years | ~11B      |

Yes, you can buy/rent much more expensive video card(s), and the speed would be (much) faster. But the cost would not differ significantly.

Realistically, only short passwords consisting of 0-9 or a-z or A-Z can be cracked in practice. Or passwords that fall to a dictionary attack, of course: 1, 2.
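For auditing your own Wi-Fi passphrase against the figures above, here is an added example (not part of the original post) that applies the same keyspace / speed / cost arithmetic to a given passphrase. It goes slightly beyond the table by also handling mixed classes such as A-Z0-9; the function names, the 30-day month and the 1000 USD threshold are assumptions of this example.

```python
import string

HASH_RATE = 758.1e3                  # H/s: the page's RTX 4000 Ada figure, mode 22000
USD_PER_SECOND = 350 / (30 * 86400)  # 350 USD per 30-day month, about 1.35e-04
ALNUM = set(string.ascii_letters + string.digits)


def alphabet_size(passphrase):
    """Size of the smallest character class (as in the table) covering the passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase is 8 to 63 characters long")
    chars = set(passphrase)
    if not chars <= ALNUM:
        return 96                    # the page's count for "all printable"
    return (10 * bool(chars & set(string.digits))
            + 26 * bool(chars & set(string.ascii_lowercase))
            + 26 * bool(chars & set(string.ascii_uppercase)))


def estimate(passphrase, rate=HASH_RATE):
    """Worst-case exhaustive search over the class, at this exact length.

    An upper bound only: a passphrase found in a wordlist falls far sooner.
    """
    size = alphabet_size(passphrase)
    keyspace = size ** len(passphrase)
    seconds = keyspace / rate
    return {"alphabet": size, "keyspace": keyspace,
            "seconds": seconds, "usd": seconds * USD_PER_SECOND}


def within_budget(passphrase, budget_usd):
    """True when the whole class can be searched for budget_usd or less."""
    return estimate(passphrase)["usd"] <= budget_usd


if __name__ == "__main__":
    # Constructed sample passphrases, not taken from any real network.
    for sample in ["12345678", "abcdefgh", "PASSWORD99", "Abcdefg1", "abcdefgh1!"]:
        e = estimate(sample)
        flag = "WEAK" if within_budget(sample, 1000) else "ok"
        print(f"{sample:12} alphabet={e['alphabet']:2} "
              f"seconds={e['seconds']:.3e} usd={e['usd']:.2f} {flag}")
```
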

(This post was first published on 20251013 and updated on 20251215.)

