
PMKID vs Handshake: WiFi Security Explained Simply

If you've read about WiFi password recovery, you've probably encountered two cryptic terms: PMKID and handshake. What are they, how are they different, and why does it matter for your home network? This article explains both concepts in plain language — no cryptographic background required. Whether you're a curious homeowner, a student learning cybersecurity, or someone who just wants to understand what these terms mean, this guide breaks down the technical concepts into simple analogies and practical explanations.

The elevator pitch

A WPA handshake is like a conversation between your phone and your router when it connects to WiFi. An eavesdropper can record that conversation and later try to guess the password from it.

PMKID is like a digital signature your router sometimes adds to its broadcast signal. An eavesdropper can grab this signature without even waiting for a device to connect.

Both can be used to recover a WiFi password — but they work differently. Think of it as two different locks on the same door: either one can be used to get in, but one (PMKID) is sometimes easier to access.

What is a WPA handshake?

When your phone, laptop, or any WiFi device connects to a WiFi network, it goes through a 4-step authentication process called the '4-way handshake'. Both devices agree on encryption keys without ever sending the actual password over the air.

Step 1: The router sends your phone a random number (called an 'Anonce').

Step 2: Your phone sends back its own random number (called an 'Snonce') plus a calculated tag (called a MIC) that proves it knows the password.

Step 3: The router sends its own MIC to prove it knows the password too.

Step 4: Both devices now have everything they need to encrypt traffic.

Why it matters for password recovery: a bystander who captures these 4 messages can use the MIC to test password guesses offline. This is the basis of WPA2 password cracking with tools like hashcat.

The limitation: to capture a handshake, you need a client device to connect (or reconnect) while you're listening. If no one connects during your capture window, you get nothing.

Simple analogy — the secret handshake

Imagine two people agreeing on a secret handshake. The handshake itself doesn't reveal the secret — but an observer who records the moves could go home and try different secrets to see which one produces the same moves. That's the WPA handshake in a nutshell.

What is PMKID?

PMKID stands for Pairwise Master Key Identifier. It's a small piece of information (about 16 bytes) that your router can optionally include in its beacon signal — a constant broadcast that says 'I'm here, this is my network name.'

The PMKID is computed from the password and the MAC addresses of both the router and the connecting device. The key insight: the router broadcasts the PMKID even when no device is connected — it's part of the router's regular announcement signal.

Why it's useful: to capture a PMKID, you just need to be within WiFi range and ask the router for it. You don't need to wait for any device to connect. This makes PMKID capture much simpler than handshake capture in many scenarios.

Limitation: not all routers support PMKID. It requires Protected Management Frames (802.11w) to be enabled on the router. Most modern routers (2018+) support this, but older routers may not.

PMKID vs Handshake — key differences

What's needed to capture: Handshake = a connecting device (you need to deauthenticate a client and wait for it to reconnect). PMKID = no client needed — just the router's beacon signal.

Time to capture: Handshake = seconds to minutes (waiting for client reconnection). PMKID = milliseconds (one request-response cycle).

Success rate: Handshake = depends on having a client to deauth. If no clients are connected, you cannot capture a handshake. PMKID = available as long as the router has PMF enabled.

Applicable networks: Handshake = all WPA/WPA2 networks. PMKID = WPA2 networks with 802.11w (PMF) enabled. Does NOT work on WPA3.

Cracking difficulty: Identical — both derive the same PMK from PBKDF2(password, SSID). Hashcat mode 22000 handles both formats at the same speed.

Tools required: Handshake = airodump-ng + aireplay-ng (or hcxdumptool). PMKID = hcxdumptool (simpler command, fewer dependencies).
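To make the "identical cracking difficulty" point concrete, here is an added Python example (not code from this page or from hashcat) that walks through the key derivation the comparison above describes. The network name, passphrase, MAC addresses, nonces and EAPOL body are constructed demo values, and the EAPOL body is a simplified stand-in for a real message 2; the derivation steps themselves (PBKDF2 to the PMK, HMAC-SHA1 to the PMKID, PRF-512 to the KCK and MIC) follow the IEEE 802.11 definitions.

```python
import hashlib
import hmac

# Constructed demo values (not from any real network or capture file).
SSID = b"HomeNet-Demo"
PASSPHRASE = "correct horse battery"
AP_MAC = bytes.fromhex("001122334455")   # router (authenticator)
STA_MAC = bytes.fromhex("66778899aabb")  # phone (supplicant)
ANONCE = bytes(range(32))                # router's random number (message 1)
SNONCE = bytes(range(32, 64))            # phone's random number (message 2)
# Constructed stand-in for the message-2 EAPOL-Key body, MIC field zeroed.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 16 + SNONCE + b"\x00" * 40

def derive_pmk(passphrase, ssid):
    """PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds) -> 32-byte PMK.
    This one expensive step is shared by the PMKID and handshake paths."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def pmkid_from_pmk(pmk, ap, sta):
    """PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap + sta, hashlib.sha1).digest()[:16]

def prf512(key, label, data):
    """IEEE 802.11 PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || i."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def mic_from_pmk(pmk, ap, sta, anonce, snonce, eapol):
    """Handshake path: PMK -> PTK; the first 16 bytes (KCK) key the EAPOL MIC."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    kck = prf512(pmk, b"Pairwise key expansion", data)[:16]
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]  # WPA2 (AES-CCMP) MIC

def check_candidate(candidate, ssid, ap, sta, pmkid, anonce, snonce, eapol, mic):
    """Run both tests from a single PBKDF2 evaluation. They accept or reject the
    same candidate, which is why both capture types cost the same per guess."""
    pmk = derive_pmk(candidate, ssid)
    return (pmkid_from_pmk(pmk, ap, sta) == pmkid,
            mic_from_pmk(pmk, ap, sta, anonce, snonce, eapol) == mic)

# "Captured" values for the constructed network, derived from the true passphrase.
_pmk = derive_pmk(PASSPHRASE, SSID)
CAPTURED_PMKID = pmkid_from_pmk(_pmk, AP_MAC, STA_MAC)
CAPTURED_MIC = mic_from_pmk(_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2)
```

Because every guess has to pay the 4096-round PBKDF2 step before either test can run, the passphrase length and randomness, not the capture method, decide how long recovery takes.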

Does PMKID work on WPA3?

No. PMKID capture does NOT work on WPA3 networks. The WPA3 SAE handshake encrypts the Robust Security Network IE (RSN IE) that contains the PMKID. The PMKID is simply not available in an unencrypted form on WPA3 networks.

This is by design: WPA3 encrypts management frames (including the RSN IE) to prevent exactly this kind of passive information gathering. The PMKID attack is specific to WPA2 with 802.11w.

For WPA3 networks in Transition Mode: the WPA2 fallback may expose a PMKID if PMF is enabled on the WPA2 side. Some routers enable PMF for the WPA2 path in transition mode; some don't. It varies by manufacturer.

Which is better for password recovery?

For the average home user trying to recover their own forgotten password: neither. You should check a connected device first (Windows, Mac, iPhone, Android) or access your router admin panel. Handshake and PMKID recovery are last-resort methods.

For authorized recovery when no device is connected and admin access is lost: PMKID is preferred if the router supports it — no client deauthentication required. If PMKID fails, handshake capture is the next option.

For security testing of your own network: the PMKID attack is a good test of whether your router has PMF properly enabled and whether your password is strong enough. If you can capture a PMKID from your own network, an attacker within range could do the same.

From a security perspective: enabling WPA3 (or WPA3-only mode) eliminates both PMKID and handshake attacks. If you must use WPA2, enabling PMF (802.11w) and using a strong password (16+ random characters) provides the best protection.

How to check if your router exposes PMKID

If you're curious whether your home router exposes the PMKID, here's a safe way to check on your own network: download and install hcxdumptool on a Linux machine with a compatible WiFi adapter (Alfa AWUS036ACHM recommended). Run:

sudo hcxdumptool -i wlan0 -o capture.pcapng --enable_status=1

Let it run for 30 seconds. Check the output with:

hcxpcapngtool -o hash.hc22000 capture.pcapng

If the hash file contains any lines starting with '22000', your router exposed a PMKID.
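As an added example (not part of the original page, and not hcxtools code), here is a small Python reader for the hash.hc22000 file the check above produces. In hashcat's 22000 format each line is a star-separated record beginning with the token WPA, followed by a type field: 01 for a PMKID record, 02 for a handshake (EAPOL) record; the fields after it are the hash, the AP MAC, the client MAC and the network name as hex. The sample lines below are constructed and contain no real captures.

```python
import binascii

# Constructed sample output in hashcat's 22000 format (no real captures).
SAMPLE_HC22000 = """\
WPA*01*0123456789abcdef0123456789abcdef*001122334455*66778899aabb*486f6d654e65742d44656d6f***
WPA*02*fedcba9876543210fedcba9876543210*001122334455*66778899aabb*486f6d654e65742d44656d6f*000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f*0103007502010a00*02
WPA*01*00000000000000000000000000000000*0a0b0c0d0e0f*66778899aabb*4f74686572436166654150***
"""

RECORD_TYPES = {"01": "pmkid", "02": "eapol"}

def summarize_hc22000(text):
    """Count PMKID (type 01) and EAPOL (type 02) records per network name,
    and remember which AP MACs each name was seen with."""
    summary = {}
    for line in text.splitlines():
        fields = line.strip().split("*")
        if len(fields) < 6 or fields[0] != "WPA" or fields[1] not in RECORD_TYPES:
            continue  # not a 22000 record; skip it
        try:
            essid = binascii.unhexlify(fields[5]).decode("utf-8", "replace")
        except binascii.Error:
            continue  # malformed ESSID hex; skip it
        entry = summary.setdefault(essid, {"pmkid": 0, "eapol": 0, "ap_macs": set()})
        entry[RECORD_TYPES[fields[1]]] += 1
        entry["ap_macs"].add(fields[3])
    return summary

def exposes_pmkid(text, essid):
    """True when at least one PMKID record exists for the given network name."""
    return summarize_hc22000(text).get(essid, {}).get("pmkid", 0) > 0

if __name__ == "__main__":
    for name, entry in summarize_hc22000(SAMPLE_HC22000).items():
        print(f"{name}: {entry['pmkid']} PMKID, {entry['eapol']} EAPOL, APs {sorted(entry['ap_macs'])}")
```

Checking the network name alongside the AP MAC matters because a capture taken in range of neighbours can contain records from other networks that happen to use the same name.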

If your router exposes PMKID: consider upgrading to a router that supports WPA3, or at minimum ensure you have a strong, random password (generated by a password manager, not based on dictionary words).

If your router does NOT expose PMKID: either PMF is disabled on your router, or you're running WPA3. Either way, check your router security settings to ensure PMF is enabled for the best protection.

Only test your own network

Attempting to capture PMKID or handshakes from networks you do not own is illegal. Only perform these tests on your own router or one you have written permission to test.

PMKID vs Handshake decision guide

1. Try connected device first: Check Windows, Mac, iPhone, or Android for saved WiFi passwords. Fastest and simplest method.

2. Try router admin panel: Go to 192.168.1.1 and log in. Default password on router sticker.

3. Check if PMKID is available: Use hcxdumptool on your own network. If PMKID is captured, cracking can proceed without client interaction.

4. If no PMKID, capture handshake: Use aircrack-ng or hcxdumptool with deauth to trigger a client reconnection.

5. Crack with hashcat mode 22000: Both PMKID and handshake use the same format. Convert to .hc22000 and crack with dictionary + rules.

Frequently Asked Questions

What does PMKID stand for?
Pairwise Master Key Identifier. It's a 16-byte value computed from the WiFi password and the MAC addresses of both the router and client. It's included in management frames when Protected Management Frames (802.11w) are enabled.
Is PMKID easier to capture than a handshake?
Yes — PMKID capture requires no client interaction. You simply request it from the router's beacon. Handshake capture requires a device to connect (or reconnect) while you're monitoring.
Does PMKID work on WPA3?
No. WPA3 encrypts management frames, so the PMKID is not exposed in an unencrypted form. The PMKID attack is specific to WPA2 with 802.11w PMF.
Is PMKID faster to crack than a handshake?
No — both produce the same hashcat format (mode 22000) and crack at the same speed. The advantage of PMKID is in the capture phase, not the cracking phase.
Does every router support PMKID?
No. PMKID requires Protected Management Frames (802.11w) to be enabled. Most routers manufactured after 2018 support this, but it may be disabled by default on some models.
Should I disable PMF on my router to prevent PMKID exposure?
No. PMF provides important protections against deauthentication attacks and eavesdropping. Instead of disabling PMF, use a strong password (16+ random characters) and upgrade to WPA3 if possible.

Can't find the WiFi password another way?

If every other method failed, capture a WPA handshake on your own network and let our GPU cluster handle the rest. Dictionary + rules attack, 2B+ candidates, pay only on success.
