WPA3 vs WPA2: Is WPA3 Really Crackable?

WPA3 was marketed in 2018 as the end of offline WiFi cracking. Eight years later the picture is more nuanced: pure WPA3-only networks with a strong passphrase really are resistant to the classic capture-and-brute-force attack that destroys WPA2-PSK, but most home routers run transition mode, most client devices cache WPA2 fallbacks, and many access points still ship with firmware that never received the Dragonblood patches. This article walks through the cryptography of both protocols, shows exactly where WPA3 is stronger, and gives realistic 2026 attacker success rates you can use to decide what your own network actually needs.

WPA2-PSK: the 4-way handshake and why it is crackable

WPA2-Personal uses a Pre-Shared Key (PSK). The passphrase you type into your phone is stretched with PBKDF2-HMAC-SHA1, 4096 iterations, and the SSID as salt, to produce a 256-bit Pairwise Master Key (PMK). Every client and the access point derive the same PMK independently. The 4-way handshake that follows negotiates a per-session key and proves mutual knowledge of the PMK.

The critical weakness is that an attacker who captures the handshake frames gets everything needed to verify a password guess offline: the SSID, the two nonces (ANonce, SNonce), the two MAC addresses, and the Message Integrity Check (MIC) over message 2 or 3. For every candidate passphrase, a cracker re-derives the PMK, re-derives the Pairwise Transient Key (PTK), recomputes the MIC, and compares. No interaction with the network is required after the capture.

A modern GPU can test tens of thousands of WPA2 passphrases per second per card. A six-GPU rig on a real-world wordlist with rules gets through billions of candidates in a day. If the passphrase is in any dictionary or follows a common pattern, the network is effectively open. For an illustrated walk-through of the capture step see what a WPA handshake is.
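An added worked example (not code from the original article) of the PMK derivation described above, using Python's standard library. It checks the result against the published IEEE 802.11 test vector for passphrase "password" / SSID "IEEE", shows why the SSID acts as a salt against precomputed tables, and turns a passphrase length into an exhaustive-search time; the 1e5 guesses-per-second rig size is an assumption of the same order as the article's figures.

```python
import hashlib
import math

# WPA2-Personal key hierarchy constants (IEEE 802.11 PSK derivation).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256-bit Pairwise Master Key

# Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def distinct_pmks(passphrase: str, ssids: list[str]) -> int:
    """How many different PMKs one passphrase yields across SSIDs.

    A precomputed (rainbow) table is keyed on (passphrase, SSID), so every
    unique SSID forces an attacker back to the full 4096-iteration derivation.
    """
    return len({derive_pmk(passphrase, s) for s in ssids})


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed guess rate (random passphrase)."""
    return 2 ** entropy_bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK matches IEEE test vector:", pmk.hex() == IEEE_VECTOR_PMK)
    print("distinct PMKs across 3 SSIDs:",
          distinct_pmks("password", ["IEEE", "linksys", "HomeNet"]))
    # Assumed multi-GPU rig: ~1e5 PBKDF2 guesses/s (billions per day).
    bits = passphrase_entropy_bits(30, 95)  # 30 random printable ASCII chars
    print(f"30-char random passphrase: {bits:.0f} bits, "
          f"{years_to_exhaust(bits, 1e5):.1e} years to exhaust")
```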

WPA3-SAE: Dragonfly and the end of offline attacks

WPA3-Personal replaces the PSK handshake with Simultaneous Authentication of Equals (SAE), a variant of the Dragonfly key exchange. Instead of sending a derivative of the password across the air, SAE performs a commit-and-confirm dance over a cyclic group where both sides prove knowledge of the password without either revealing it, and without either side being able to replay the transcript offline.

Concretely: each side picks a secret scalar and masks it with a value derived from the password. They exchange commits, derive a shared secret element, then confirm. If the password is wrong on either side, the confirm messages fail and no usable key material is produced. Crucially, nothing in that transcript lets an offline attacker verify a guess. Every password attempt requires a fresh live interaction with the access point, which enforces a rate limit and can blacklist the source MAC after a few failures.

In theory this collapses the attack surface from "steal a handshake and grind offline" to "guess interactively at a few tries per minute." A passphrase that would crack in an hour under WPA2 would take decades under pure WPA3-SAE.

Dragonblood: the 2019 cracks in WPA3

In April 2019, Mathy Vanhoef and Eyal Ronen published a paper titled Dragonblood that identified four classes of vulnerabilities in WPA3-SAE:

  • Cache-based side-channel (CVE-2019-9494). The implementation of the password-to-curve mapping in Hostap branched on secret bits, leaking enough information over repeated observations to recover the password via a partitioning attack.
  • Timing-based side-channel (CVE-2019-9495). Variable-time modular operations in the multiplicative-group SAE mode leaked timing information correlated with the password.
  • Downgrade and dictionary attack on transition mode (CVE-2019-13377). Transition-mode networks advertise both WPA2 and WPA3. An attacker forces a WPA2 association, captures the 4-way handshake, cracks it offline, done.
  • Denial of service on SAE (CVE-2019-9496). Because SAE is computationally heavy on the AP, an attacker could flood commit messages and exhaust CPU on the router.

Patches landed within months in Hostap, iwd, iOS, macOS, and Windows. Consumer router firmware was much slower: a 2023 survey found that more than a third of retail WPA3 routers still shipped with pre-patch SAE, and a meaningful fraction of consumer devices were never updated at all. Dragonblood is not dead yet for those models.

Transition mode: the downgrade problem

Wi-Fi Alliance certification for WPA3 requires support for transition mode, which advertises WPA2 and WPA3 on the same SSID with the same PSK. The intent is to let older phones and IoT devices keep working while newer clients enjoy SAE. The reality is that transition mode reduces the security of the whole network to that of WPA2-PSK: any attacker can send deauth frames to force the victim to reconnect, then lie about client capabilities to force a WPA2 association, then capture a 4-way handshake as usual.

If your router has a "WPA2/WPA3 mixed" option, that is transition mode. From an offline-cracking perspective it is functionally identical to WPA2 alone. WPA3-only mode is what delivers the SAE benefits.

Many routers hide the WPA3-only option behind "WPA3 Personal (Advanced)" or similar labels. Some OEM firmwares do not expose it at all. If yours does not, any WPA3 claim on the box is effectively a marketing-only upgrade.
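As an added illustration that is not from the original article, the two hostapd.conf fragments below show what the "mixed" setting and WPA3-only mode look like on a hostapd 2.10+ access point (OpenWrt and similar platforms generate equivalent files). The interface, SSID and passphrase values are placeholders; the two fragments are alternatives for the same network, not one configuration.

```ini
# --- Transition mode ("WPA2/WPA3 mixed"): PSK and SAE both advertised.
# From an offline-cracking standpoint this is WPA2-PSK, since a client
# can be steered to the PSK association and its 4-way handshake captured.
interface=wlan0
ssid=HomeNet-EXAMPLE
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-A-LONG-PASSPHRASE
sae_password=REPLACE-WITH-A-LONG-PASSPHRASE
# PMF optional (1) so legacy WPA2 clients can still join
ieee80211w=1

# --- WPA3-only: SAE is the sole AKM, so beacons list only 00-0F-AC:8.
interface=wlan0
ssid=HomeNet-EXAMPLE
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=REPLACE-WITH-A-LONG-PASSPHRASE
# PMF required (2): WPA3-Personal mandates management frame protection
ieee80211w=2
sae_require_mfp=1
```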

Realistic attacker success rates in 2026

The table below summarizes the probability that a typical home WiFi network can be recovered by a motivated attacker within a week, given a 12-character human-chosen passphrase. Numbers are informed by our own authorized recovery case volume and public benchmarks.

Protocol mode            | Attack path                                       | Offline?  | Success chance (12-char human pwd)
-------------------------|---------------------------------------------------|-----------|------------------------------------
WPA2-PSK                 | 4-way handshake capture + GPU dictionary / rules  | Yes       | ~45-65%
WPA2 + PMKID             | PMKID from a single associate frame + GPU crack   | Yes       | ~45-65% (same math, easier capture)
WPA3 transition mode     | Force WPA2 association, then WPA2 attack          | Yes       | ~45-65%
WPA3-only, unpatched AP  | Dragonblood side-channel                          | Partially | ~15-25% (needs local RF access)
WPA3-only, patched AP    | Online SAE guessing, rate-limited                 | No        | <1% per week

The gap between the first three rows and the last one is the real WPA3 benefit. For it to apply to your network, the router must be in WPA3-only mode, the firmware must include the Dragonblood patches, and all your devices must support SAE.

Hardware and software support in 2026

Client support for WPA3-SAE is excellent among flagship phones and laptops sold after 2020. Cheap IoT devices lag badly: smart plugs, cameras, and older thermostats frequently support only WPA2, which forces transition mode or a separate 2.4 GHz IoT SSID. The practical answer for most homes is a dual-SSID setup where the main network is WPA3-only and the IoT network is WPA2 on a throwaway PSK, segmented from your LAN by router VLANs.

Access point support is more uneven. OpenWrt, pfSense with hostapd 2.10+, and UniFi devices running recent firmware all handle WPA3-only correctly. Consumer retail routers from the 2020-2022 generation often claim WPA3 support but only expose transition mode in the UI. If in doubt, check the RSN IE advertised in beacons with sudo iw dev wlan0 scan on Linux or Wireshark on any platform: look for AKM suite 00-0F-AC:8 (SAE) as the only listed option.
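The beacon check above, as an added example that is not part of the original article: a small Python parser for the RSN information element that lists the AKM suites (00-0F-AC:2 is PSK, 00-0F-AC:8 is SAE) and classifies the network as WPA2-only, transition, or WPA3-only, with a warning when a WPA3-only AP does not require management frame protection. The three element bodies at the bottom are constructed samples, not captures from a real network.

```python
import struct

# AKM suite selectors from the IEEE 802.11 RSN element (OUI 00-0F-AC + type).
RSN_OUI = bytes.fromhex("000fac")
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
             8: "SAE", 9: "FT-SAE", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN capabilities bits 6 (required) and 7 (capable)


def parse_rsn(body: bytes) -> dict:
    """Parse the body of an RSN element (the bytes after the 0x30 id and length)."""
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unexpected RSN version {version}")
    off = 2 + 4                                  # skip version and group cipher suite
    (n_pair,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pair                        # skip the pairwise cipher list
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2
    akms = []
    for _ in range(n_akm):
        oui, suite = body[off:off + 3], body[off + 3]
        akms.append(AKM_NAMES.get(suite, f"type-{suite}") if oui == RSN_OUI else oui.hex())
        off += 4
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": akms, "mfp_capable": bool(caps & MFPC), "mfp_required": bool(caps & MFPR)}


def classify(body: bytes) -> str:
    """Judge the mode by the advertised AKM list, as the article describes."""
    info = parse_rsn(body)
    has_sae = any(a in ("SAE", "FT-SAE") for a in info["akms"])
    has_psk = any(a in ("PSK", "PSK-SHA256") for a in info["akms"])
    if has_sae and not has_psk:
        return "WPA3-only" + ("" if info["mfp_required"] else " (warning: PMF not required)")
    if has_sae and has_psk:
        return "WPA2/WPA3 transition (offline-crackable like WPA2)"
    return "WPA2-PSK" if has_psk else "other: " + ",".join(info["akms"])


# Constructed RSN element bodies: version 1, CCMP group/pairwise, AKM list, capabilities.
WPA2_ONLY = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
TRANSITION = bytes.fromhex("0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
WPA3_ONLY = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac08 c000")

if __name__ == "__main__":
    for name, ie in [("WPA2_ONLY", WPA2_ONLY), ("TRANSITION", TRANSITION), ("WPA3_ONLY", WPA3_ONLY)]:
        print(f"{name}: {parse_rsn(ie)['akms']} -> {classify(ie)}")
```

On a live system the same bytes are the RSN element in a beacon captured with Wireshark; iw prints the decoded list under "Authentication suites:" in its scan output.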

Operational guidance

The steps below are the most useful security upgrades for a home network, ordered by decreasing return on effort:

  1. Use a passphrase longer than 14 characters and not found in any wordlist. This alone defeats almost all real-world WPA2 attacks even on an AP running no WPA3 at all.
  2. Switch to WPA3-only mode if every client you care about supports it. For IoT holdouts, put them on a separate SSID.
  3. Update router firmware at least yearly. Dragonblood patches are in every mainstream release since 2020, but many units are still on 2018 firmware.
  4. Disable WPS and WPS-PIN. WPS has unrelated vulnerabilities that are easier to exploit than either WPA2 or WPA3.
  5. Change the default SSID. The SSID is the PBKDF2 salt on WPA2; a unique SSID defeats precomputed rainbow tables like the old WPA-PSK 1M table.

Why hashcat lists WPA modes 22000 and 22001 but not a WPA3 mode

Hashcat modes 22000 (WPA-PBKDF2-PMKID+EAPOL) and 22001 (pre-computed PMK) cover the WPA2 case because the handshake yields a verifiable offline check: you feed the tool a PBKDF2 derivative and it rips through candidates on the GPU. WPA3-SAE has no analogous mode because by design the transcript cannot verify a guess offline.

You will sometimes see references to "WPA3 cracking with hashcat." In almost every case the target is a transition-mode network where the attacker downgraded to WPA2 first, captured a 4-way handshake, and used mode 22000 as usual. Pure WPA3-only cracking with hashcat is not a feature that exists.

If you have a capture file and you are not sure what is inside, the handshake analyzer tells you which EAPOL messages and PMKIDs are present and whether the capture is attackable. For format conversion between old .hccapx and modern 22000 see the hccapx to 22000 guide.

Frequently asked questions

Can my router be downgraded even if I set it to WPA3-only?

Not by the protocol itself, no. WPA3-only mode does not advertise WPA2 capability in the beacon, so a client cannot request WPA2 association. The risk is firmware misconfiguration, not the protocol design.

Does WPA3 protect against the 2017 KRACK attack?

Yes. KRACK exploited key-reinstallation in the WPA2 4-way handshake. SAE in WPA3 does not have that code path. KRACK patches also landed in WPA2 in 2017, so a patched WPA2 network is not vulnerable either.

Is WPA3-Enterprise different from WPA3-Personal?

Yes. Enterprise uses 802.1X with per-user credentials or certificates, not a shared PSK. Both Personal and Enterprise use SAE at layer 2 on WPA3, but Enterprise adds identity management that is beyond the scope of this article.

Does WPA3 stop someone sniffing my traffic in a coffee shop?

WPA3 adds OWE (Opportunistic Wireless Encryption) for open networks, which encrypts individual sessions without a password. In a WPA3 coffee shop your traffic is encrypted per-client. On a WPA2 or plain-open network it is not.

If I pick a 30-character passphrase is WPA2 safe forever?

Effectively yes. A 30-character random passphrase has 150+ bits of entropy, which is beyond any credible GPU-farm budget. The attacker still captures your handshake, but they cannot guess through enough candidates to hit it.

Can I find out whether my router advertises WPA3?

Yes. On Android the network list shows the security type next to the SSID. On iPhone open Settings, Wi-Fi, tap the connected network, look for Security. On Linux run sudo iw dev wlan0 scan and look for RSN. On Windows netsh wlan show interface shows the Authentication field.

Recovering your own network?

For WPA2 or WPA3-transition networks with a captured handshake, see the authorized handshake recovery form or the full WPA cracking explainer.

Legal reminder

Both protocols are covered by unauthorized-access statutes in nearly every jurisdiction. This article describes cryptographic design; practice only against networks you own or have written authorization to audit.

Related reading

Primer on the WPA2 handshake: what a WPA handshake is. Decision tree for your own network: router admin vs handshake recovery. Full workflow: recovery guide.