WPA3 vs WPA2 — Technical Security Deep Dive
WPA3 (Wi-Fi Protected Access 3), introduced by the Wi-Fi Alliance in 2018, is the successor to WPA2 (2004). After nearly a decade of coexistence, WPA3 adoption has reached critical mass in 2026 — most new routers ship with WPA3 support enabled by default, and all modern clients (Windows 11, macOS 14+, iOS 17+, Android 14+) support it natively. Yet WPA2 remains the dominant protocol by installed base, particularly in IoT devices, legacy infrastructure, and enterprise deployments not yet upgraded. This deep dive compares the cryptographic foundations, handshake mechanics, known vulnerabilities, and password-recovery implications of both protocols.
The architectural shift — SAE vs 4-way handshake
WPA2-Personal uses the 4-way EAPOL handshake, which runs on a Pairwise Master Key (PMK) derived from the Pre-Shared Key (PSK) and the SSID. That PSK-derived key is used directly in the handshake: the Access Point sends a random ANonce to the client, the client responds with an SNonce plus a MIC (Message Integrity Code), and both sides derive the Pairwise Transient Key (PTK). The 4-way handshake is efficient but inherently vulnerable to offline dictionary attacks: an attacker who captures the four frames can test PSK guesses offline, for example with hashcat.
WPA3 replaces this with the Simultaneous Authentication of Equals (SAE) handshake, based on the Dragonfly key exchange (RFC 7664). SAE derives a Password Element (PWE) from the PSK and performs a zero-knowledge proof: both parties derive a shared secret without ever transmitting the PSK itself over the air. The exchange uses either Finite Field Cryptography (FFC) with modular exponentiation or Elliptic Curve Cryptography (ECC) to produce the Pairwise Master Key.
The fundamental difference: WPA2's PSK is transmitted (indirectly) in the handshake and can be verified offline. WPA3's PSK is never transmitted — the SAE handshake proves knowledge of the password without revealing it. This eliminates the entire class of offline dictionary attacks against captured handshakes.
WPA3 offline cracking
You cannot crack a WPA3 password from a captured SAE handshake alone — the protocol is explicitly designed to prevent this. However, WPA3 Transition Mode (which accepts both WPA3 and WPA2 associations) leaks a WPA2 handshake that CAN be cracked. This is the primary recovery path for WPA3 networks.
WPA3 Transition Mode — the critical weakness
WPA3 Transition Mode (enabled by default on most WPA3-capable routers) allows both WPA3 and WPA2 clients to connect to the same network. The router broadcasts both WPA3 and WPA2 capability in beacon frames. When a WPA2-only client (or an attacker impersonating one) connects, the access point falls back to the full WPA2 4-way handshake using the same PSK.
This means: even if all legitimate clients use WPA3, an attacker with a capture device can de-authenticate a WPA3 client, spoof a WPA2 association request, and force the AP to complete a WPA2 handshake with the captured frames. The PSK is the same — cracking the WPA2 handshake reveals the password, which also works for WPA3.
The Wi-Fi Alliance has acknowledged this limitation. WPA3-only mode (no transition) prevents this attack but requires all clients to support WPA3. In 2026, most home and small-office networks still use transition mode for compatibility with IoT devices (cameras, smart plugs, printers) that only support WPA2.
Dragonblood vulnerabilities — what still applies in 2026
The Dragonblood research (Vanhoef & Ronen, 2019) identified several vulnerabilities in the WPA3 SAE handshake: downgrade attacks (forcing WPA3 clients to use weaker groups), timing attacks (side-channel leakage from password derivation), and cache-based attacks on SAE's anti-clogging tokens.
Most Dragonblood vulnerabilities have been mitigated by 2026 firmware updates. The SAE group negotiation was tightened — WPA3 now mandates group 19 (256-bit ECC) as the minimum, rejecting the weaker groups 1 and 2 (1024/2048-bit MODP) that enabled downgrade attacks. Timing side-channels have been patched in hostapd and wpa_supplicant.
The remaining unpatched Dragonblood issue: SAE's anti-clogging token mechanism uses a hashcash-like proof-of-work that can be exploited for resource exhaustion on the AP. This is a denial-of-service vector, not a password disclosure or cracking attack. It does not affect password recovery feasibility.
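The transition-mode and SAE-group points above are both visible in an AP's configuration. As an added example (not hostapd's own code), this audits a hostapd.conf fragment for the three settings the text ties to WPA3 weaknesses and produces a WPA3-only version; treating only the ECC groups 19, 20 and 21 as acceptable, the sample configuration, and the finding texts are this example's assumptions.

```python
# Added example, not hostapd's own code: audit a hostapd.conf fragment for the settings the
# text above ties to WPA3 weaknesses (transition mode, optional PMF, weak SAE groups).
# Treating only the ECC groups 19/20/21 as acceptable is this example's assumption.
from typing import Dict, List

# Constructed sample: the "compatibility" configuration many consumer routers ship with.
TRANSITION_CONF = """
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=correct horse battery staple
sae_password=correct horse battery staple
rsn_pairwise=CCMP
ieee80211w=1
sae_groups=19 20 1 2
"""
STRONG_SAE_GROUPS = {19, 20, 21}
WPA2_PSK_AKMS = {"WPA-PSK", "WPA-PSK-SHA256", "FT-PSK"}


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """key=value lines; comments and blanks skipped; a repeated key keeps its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wpa3(conf: Dict[str, str]) -> List[str]:
    """Findings; an empty list means WPA3-only with PMF required and strong SAE groups."""
    findings: List[str] = []
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())  # hostapd's default is WPA-PSK
    if "SAE" not in akms:
        findings.append("no SAE: WPA2-only, every 4-way handshake is an offline PSK oracle")
    elif akms & WPA2_PSK_AKMS:
        findings.append("transition mode: a WPA2 association leaks a crackable handshake for the same PSK")
    if conf.get("ieee80211w", "0") != "2":
        findings.append("ieee80211w != 2: PMF not required, deauthentication frames go unauthenticated")
    weak = {int(g) for g in conf.get("sae_groups", "19").split()} - STRONG_SAE_GROUPS
    if weak:
        findings.append(f"weak SAE groups enabled: {sorted(weak)}")
    return findings


def harden(conf: Dict[str, str]) -> Dict[str, str]:
    """WPA3-only copy: SAE alone, PMF required, group 19 only, WPA2 passphrase removed."""
    fixed = {k: v for k, v in conf.items() if k != "wpa_passphrase"}
    fixed.update(wpa_key_mgmt="SAE", ieee80211w="2", sae_require_mfp="1", sae_groups="19")
    return fixed
```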
WPA2 4-way handshake — the cracking target
Hashcat mode 22000 (PMKID/EAPOL) attacks the 4-way handshake offline once it has been converted to a hash file. The hash format: 22000$ssid$AP_MAC$STA_MAC$PMKID$EAPOL, with the PMK derived as PBKDF2-HMAC-SHA1(PSK, SSID, 4096 iterations).
WPA2 cracking speed on RTX 5090: approximately 860,000 H/s for PBKDF2-SHA1 (mode 22000). This throughput drops with longer SSIDs (the KDF input includes the SSID). A dictionary+rule attack with 10M words and 50 rules: 500M candidates / 860K H/s = 581 seconds = ~10 minutes per rule-set pass. Full 50-rule attack: ~8.3 hours.
For WPA2 PSK cracking: the primary constraint is the password itself, not the hash speed. Human-chosen WiFi passwords (typically 8-15 characters, dictionary-based, often the street name + house number, pet name, or a common phrase) are highly crackable with dictionary+rule attacks.
PMKID attack — cracking without a full handshake
The PMKID attack (hashcat mode 22001 or 22000 with PMKID flag) was discovered in 2018. It targets a field in the 802.11w Protected Management Frame (PMF) — the RSN IE contains a PMKID that is computed as HMAC-SHA1(PMK, (AP_MAC || STA_MAC)). An attacker can request the PMKID without completing a full handshake by sending an association request and processing the 802.11w beacon.
The advantage: no client de-authentication needed, no 4-way handshake frames to capture. The attacker can obtain the PMKID from a single beacon-response exchange. This works even on networks with no connected clients, as long as PMF is enabled.
The PMKID attack does NOT work on WPA3 networks (even in transition mode) because WPA3's SAE handshake does not expose the PMKID in the RSN IE. For WPA2 networks, it is the fastest capture-and-crack path — no client interaction required.
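The PBKDF2 derivation and the PMKID computation described in the two sections above are short enough to see in full. As an added example (not the page's or hashcat's code), this implements both per IEEE 802.11, where the HMAC input also carries the fixed label "PMK Name" and the result is truncated to 128 bits, two details the text omits; the MAC addresses, SSID and passphrase are constructed sample values.

```python
# Added example, not the page's or hashcat's code: the WPA2 key material that a captured
# PMKID (or 4-way handshake) lets anyone verify offline, the property SAE removes. Per IEEE
# 802.11, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) and
# PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC).
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by the standard; the only work factor protecting the PSK


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit PMK; the SSID is the salt, so one passphrase on two SSIDs gives two PMKs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, 32)


def wpa2_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID as carried in the RSN IE of EAPOL message 1 (the "PMK Name" label is spec-defined)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def passphrase_matches_pmkid(candidate: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                             observed: bytes) -> bool:
    """Every input but the passphrase is public, which is why a PMKID is an offline PSK oracle."""
    return hmac.compare_digest(wpa2_pmkid(wpa2_pmk(candidate, ssid), ap_mac, sta_mac), observed)


# Constructed sample values (locally administered MAC addresses, made-up SSID and passphrase).
SAMPLE_SSID = "HomeNet"
SAMPLE_AP_MAC = bytes.fromhex("02005e000001")
SAMPLE_STA_MAC = bytes.fromhex("02005e000002")
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_PMKID = wpa2_pmkid(wpa2_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID), SAMPLE_AP_MAC, SAMPLE_STA_MAC)
```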
Enterprise modes — WPA2-Enterprise vs WPA3-Enterprise
WPA2-Enterprise uses 802.1X/RADIUS for per-user authentication. The PSK is replaced by EAP (Extensible Authentication Protocol) credentials (username/password, certificate, or token). The handshake still uses the 4-way EAPOL exchange, but the PMK derives from the RADIUS server's MSK, not a shared password.
WPA3-Enterprise adds a 192-bit security suite (GCMP-256, HMAC-SHA384) and makes PMF mandatory. It uses SAE for the handshake but substitutes EAP-derived keys for the PSK. The 192-bit mode is mandatory for WPA3-Enterprise certification.
Enterprise recovery differs fundamentally from PSK recovery: the password is typically per-user, stored on a RADIUS server, and often requires EAP-MSCHAPv2 cracking (hashcat mode 5500) rather than 4-way handshake cracking. The RADIUS authentication exchange must be captured, not just the EAPOL handshake.
Practical implications for WiFi recovery in 2026
If the network uses WPA2 or WPA3 Transition Mode: standard handshake capture + hashcat is viable. Capture a handshake (aircrack-ng, hcxdumptool), convert to .hc22000 format, run hashcat mode 22000 with dictionary+rule attack.
If the network uses WPA3-only mode (no transition): handshake capture does NOT help. The SAE handshake cannot be cracked offline. The only recovery paths are: (1) router admin panel login (default password or physical access), (2) find saved password on a connected device (Windows netsh, macOS Keychain, Android QR, iOS iCloud Keychain), (3) factory reset router and reconfigure.
The migration from WPA2 to WPA3 reduces the effectiveness of handshake-based password recovery. Recovery services are adapting by emphasizing router-admin and device-extraction recovery paths over handshake cracking for WPA3-only networks.
WPA3 vs WPA2 recovery decision flow
1. Determine the protocol. Use Wireshark or a WiFi analyzer to check beacon frames; the RSN IE reports the group cipher and AKM. AKM 00-0F-AC:8 or 12 = WPA3.
2. Check for Transition Mode. If both WPA3 and WPA2 AKMs are advertised, handshake capture is viable (the network accepts WPA2 connections).
3. Capture the handshake (WPA2/Transition). Use aircrack-ng or hcxdumptool to capture the 4-way EAPOL exchange or PMKID. Convert to .hc22000.
4. Crack with hashcat mode 22000. Dictionary + rule attack on the handshake hash; ~860K H/s on an RTX 5090.
5. For WPA3-only networks. Handshake capture is useless; recover via the router admin panel or connected-device extraction.
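Steps 1 and 2 of the flow come down to reading the AKM suite list and the RSN capabilities out of a beacon's RSN IE. As an added example (not from the page or any tool it names), this parser classifies an RSN IE as WPA2-Personal, WPA3-only, or transition mode and reports whether PMF is required; the sample IE bytes are constructed, and the layout follows IEEE 802.11 (element ID 48, version, group cipher, pairwise list, AKM list, capabilities with MFPC in bit 7 and MFPR in bit 6).

```python
# Added example (not from the page or any tool it names): classify a beacon's RSN IE as
# steps 1 and 2 above describe, to check whether an AP still accepts WPA2 associations.
# Layout per IEEE 802.11: ID 48, length, version, group suite, pairwise list, AKM list, caps.
import struct
from typing import Dict, List, Tuple

IEEE_OUI = b"\x00\x0f\xac"
WPA2_PERSONAL_AKMS = {2, 4, 6}   # PSK, FT-PSK, PSK-SHA256
WPA3_PERSONAL_AKMS = {8, 9}      # SAE, FT-SAE

# Constructed sample: a transition-mode beacon (PSK + SAE, PMF capable but not required).
TRANSITION_RSN_IE = bytes.fromhex(
    "3018" "0100" "000fac04"       # ID 48, length 24, RSN version 1, group cipher CCMP-128
    "0100" "000fac04"              # one pairwise cipher: CCMP-128
    "0200" "000fac02" "000fac08"   # two AKMs: PSK (WPA2) and SAE (WPA3)
    "8000"                         # capabilities: MFPC=1 (bit 7), MFPR=0 (bit 6)
)


def _suite_list(data: bytes, off: int) -> Tuple[List[int], int]:
    """Read a count-prefixed list of 4-byte suite selectors; -1 marks a vendor OUI."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    suites = []
    for _ in range(count):
        suites.append(data[off + 3] if data[off:off + 3] == IEEE_OUI else -1)
        off += 4
    return suites, off


def parse_rsn_ie(ie: bytes) -> Dict[str, object]:
    if len(ie) < 2 or ie[0] != 48 or len(ie) != ie[1] + 2:
        raise ValueError("not a well-formed RSN IE")
    version = struct.unpack_from("<H", ie, 2)[0]
    pairwise, off = _suite_list(ie, 8)           # group suite occupies bytes 4..7
    akms, off = _suite_list(ie, off)
    caps = struct.unpack_from("<H", ie, off)[0] if off + 2 <= len(ie) else 0
    return {"version": version, "group_cipher": ie[7], "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}


def classify(info: Dict[str, object]) -> str:
    akms = set(info["akms"])
    wpa2, wpa3 = bool(akms & WPA2_PERSONAL_AKMS), bool(akms & WPA3_PERSONAL_AKMS)
    if wpa2 and wpa3:
        return "WPA3 transition mode: WPA2 handshake still obtainable"
    if wpa3:
        return "WPA3-only" + ("" if info["mfpr"] else ", but PMF not required")
    if wpa2:
        return "WPA2-Personal"
    return "WPA3-Enterprise 192-bit" if 12 in akms else "enterprise/other AKMs " + str(sorted(akms))
```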
Can't find the WiFi password another way?
If every other method failed, capture a WPA handshake on your own network and let our GPU cluster handle the rest. Dictionary + rules attack, 2B+ candidates, pay only on success.