Certainly, this depends on the negotiated terms and goals of the engagement with the customer.  I have a few dictionaries I'll try and have pre-established mechanisms to accelerate the testing process (using nVidia GPU's, available hosts and FPGA's), and I'll run that to completion for a test.


Determining if the passphrase choice is acceptable requires more evaluation than just what you can determine from a penetration test.  I try to work out with the client what the resources would be of a potential adversary ($1,000? $10,000? $1,000,000?) and then use math to figure out how long it would take to figure out the selected passphrase (usually, this is by ignoring the entropy of the selected passphrase, and just using the character selection and length of the passphrase, factoring in probability).


For me, PSK's aren't acceptable in anything by the environments of least risk (perhaps a guest network, or a home network with little to no valuable resources).  It's less about being able to brute-force the PSK, and more about how the PSK (or derived PMK) is stored on each and every workstation.  I can use a combined pen-test approach to leverage physical security with wireless attacks and a tool like Aircrack-ng's WZCOOK to extract a PMK which is shared by all the other usrers on the network, all without having to resort to dictionary attacks.

Good post.

-Josh

This is a good question.

As the password approaches true randomness, the statistical possiblities become
overwhelming, even for an eight-character password.  For example, if one considers
that all of the keys on the keyboard can be used to construct the password, then
there are 95-raised-to-the-8th-power possibilities.  This is 6,634,204,312,890,625
possible passwords.  (I don't even know what the number is?  A quadrillion?)  Aircrack-ng,
which is the best cracker I've found so far, tests about 220 keys per second on a
1.9GHz cpu.  At that rate, it would take 956,223 years ,... or about the time for
another Ice Age to come and go ... to crack it.

Adding just one character increases that time exponentially. 

But, of course, most humans don't choose passwords randomly.  In fact, humans really
don't anything randomly.  They opt for patterns which loom in their memories.  Thus,
the development of brute force dictionaries. 

I have a dictionary of wpa 8-char passcodes which is 1.2 million entries and have yet
to crack an interesting WPA-TKIP-PSK access point with it.  So obviously people
with valuable data do not use crap passwords.

If anyone has any ideas on this, I'd be interested in hearing them.