Or: the story of how a lazy router manufacturer handed me a master key for the next eight years.


The Setup

Some years back I went down a rabbit hole that every curious tinkerer eventually falls into: how much effort does it actually take to break into a Wi-Fi network? The target was a small startup’s office network — a setup I had explicit permission to test, the kind of low-key engagement where someone says “see if you can get in, we want to know how bad we are.”

The standard playbook for grabbing a Wi-Fi password goes like this:

  1. Sniff the air until you spot a target network.
  2. De-authenticate a connected device — basically slap the user off the network with a forged “goodbye” packet.
  3. When their device reconnects, capture the 4-way handshake (the cryptographic “hello” between the router and the client).
  4. Take that handshake home and crack it offline, with no further interaction needed.

Step 4 is where the fun begins. The handshake is mathematically locked — you have to guess the password and check whether it produces the same handshake. Guess fast enough, and eventually you win.

The whole appeal of offline cracking is that the router has no idea you’re trying. No rate limiting. No lockouts. No alerts. Just you, a laptop, and a very patient for loop.


The Wall I Hit

I started with the obvious moves, the ones every script kiddie tries:

  • Default password lists (the rockyou.txt classics). Nothing.
  • Brute force small character spaces. Nothing.
  • Online hash crackers that throw the handshake at massive cloud rigs, all the way up to 14 characters. Still nothing.

The password was clearly long. Way too long for blind brute force, and too weird to live in any standard wordlist.

I needed a different approach — and then I remembered something. The router was a specific brand; a while back, one of the employees had been bragging about the quality of these routers. I went into investigation mode and found they all seemed to have a certain flavor to their default SSIDs.

Hmm.


The Lightbulb

I started digging into the router brand. Forum posts, manuals, photos people had posted of the little sticker on the back of their unit. And I noticed a pattern in those default passwords:

  • bravetiger905
  • sunnyvalley189
  • quietriver472

It clicked instantly. Every default password followed the same recipe:

adjective + noun + 3 digits

That’s it. That was the secret sauce the manufacturer was using. Probably some script on a factory line picking from two word lists and slapping a random number on the end. It looks secure — sunnyvalley472 is 14 characters of mixed letters and digits, and a naive estimate would say it’s basically uncrackable.

But it isn’t. Not even close.


Building the Master List

Time to weaponize this. I needed every English adjective and every English noun in existence — or at least every common one. So I wrote a little scraper, pointed it at a few dictionary sites, and pulled down:

  • A clean list of English adjectives
  • A clean list of English nouns

Then I fired up John the Ripper, the legendary password-cracking Swiss army knife. John has a feature where you can combine two wordlists into every possible pairing — adjective × noun. So brave + tiger becomes bravetiger, quiet + river becomes quietriver, and so on for every combination.

That gave me a list of several hundred thousand plausible “base” passwords.

Then I layered on the final piece: a mask attack. John’s mask mode let me append ?d?d?d (three digits, 000–999) to every entry in the list. So sunnyvalley automatically expanded into sunnyvalley000, sunnyvalley001, …, sunnyvalley999.

Final candidate count: a few million passwords.

Sounds huge. Isn’t.


The Crack

I pointed John at the captured handshake on my Intel i5 MacBook — not exactly a cracking rig, just a regular laptop — and let it rip.

43 minutes later, at 76% through the list, the password popped out.

It worked. It actually worked. Some adjective, some noun, three digits, exactly as predicted.

For the next eight years, I kept that wordlist on hand. Every time I came across a router from this brand still on its default password — friends’ places, family, the occasional curious test — that list had the answer. I crossed paths with about ten to twenty of them over the years. Every. Single. One. Cracked.

And remember: that was on an old i5. On a modern GPU, the same attack finishes in minutes. Maybe seconds.


“But My Password Is 18 Characters!”

Here’s where it gets really fun.

You’d think a long password = safe password. And against pure brute force, you’d be right. Let’s do the math.

A truly random 18-character password using the full keyboard (lowercase + uppercase + digits + symbols ≈ 94 possible characters per slot) has:

94¹⁸ ≈ 2.65 × 10³⁵ possible combinations

Even if you had a monster GPU farm doing 1 trillion guesses per second against the handshake (which is wildly optimistic — real-world WPA2 cracking on a high-end GPU is closer to a few hundred thousand to a few million guesses per second, because the hashing algorithm is intentionally slow):

2.65 × 10³⁵ ÷ 10¹² = 2.65 × 10²³ seconds
≈ 8.4 quadrillion years
≈ 600,000 times the current age of the universe

So yes — a random 18-character password is, for all practical purposes, unbreakable.

But sunnyvalley472 is also “14 characters of mixed letters and digits.” On paper it looks strong. In reality? It lives in a search space of:

~10,000 adjectives × ~100,000 nouns × 1,000 digit combos ≈ 1 billion candidates

Compared to 10³⁵, that’s a rounding error. It’s the difference between searching every grain of sand on Earth and searching one beach. A modern GPU chews through 1 billion WPA2 candidates in minutes.

The lesson: password strength isn’t about length, it’s about entropy — how much genuine randomness is baked in. A predictable pattern, no matter how long, collapses the search space to something tiny. The manufacturer thought they were generating secure defaults. What they were actually doing was handing every attacker a recipe.
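As an added example (not from the original post), the arithmetic above carried out in Python: search-space size, entropy in bits and worst-case exhaustion time for the three password classes discussed, at the post's optimistic 10¹² guesses per second and a realistic single-GPU WPA2 rate assumed here to be 10⁶ per second. The list sizes are the post's rough figures; where the exact arithmetic differs from the post's rounded numbers, the code shows the exact value.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates from the post: the "monster GPU farm" figure of 1e12/s and a
# realistic single-GPU WPA2 rate, assumed here to be 1e6/s (PBKDF2 is slow).
OPTIMISTIC_RATE = 1e12
GPU_RATE = 1e6

def random_space(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password: alphabet_size ** length."""
    return alphabet_size ** length

def pattern_space(*slot_sizes: int) -> int:
    """Candidates for a templated password: the product of each slot's choices
    (adjectives x nouns x digit combinations). Character length plays no part."""
    return math.prod(slot_sizes)

def entropy_bits(space: int) -> float:
    """Entropy in bits when every candidate in the space is equally likely."""
    return math.log2(space)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def compare() -> dict:
    """The three password classes the post discusses, side by side."""
    cases = {
        # 18 random printable-ASCII chars: 94**18 is ~3.3e35 (post quotes 2.65e35), ~118 bits
        "random_18": random_space(94, 18),
        # adjective + noun + 3 digits with the post's list sizes: 1e12 (~40 bits), tiny next to 94**18
        "adj_noun_3digits": pattern_space(10_000, 100_000, 1_000),
        # six words from a ~7,500-word Diceware-style list: about 77 bits
        "diceware_6": random_space(7_500, 6),
    }
    return {
        name: {
            "candidates": space,
            "bits": round(entropy_bits(space), 1),
            "years_at_1e12": years_to_exhaust(space, OPTIMISTIC_RATE),
            "years_on_one_gpu": years_to_exhaust(space, GPU_RATE),
        }
        for name, space in cases.items()
    }

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:17} {row['bits']:6.1f} bits  {row['years_on_one_gpu']:.3g} years on one GPU")
```

The pattern row exhausts in well under a month on one GPU even at the post's generous list sizes, while the random and Diceware rows run to billions of years.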


The Takeaway

The reason this story still matters in 2026 is that default passwords are still the soft underbelly of consumer networking. Manufacturers love patterns because patterns are easy to print on a sticker and easy to support over the phone. But every pattern is a gift to an attacker willing to spend a weekend reverse-engineering the recipe.

So: a little homework for you, dear reader.

🔐 Go change your router password. Right now.

And here’s the part most blogs get wrong: you do not need a 20-character cryptographic nightmare full of !@#$%. A passphrase made of 5 or 6 truly random words is excellent. Something like cabinet-orbit-pencil-whale-thunder-mango is:

  • Easy to remember (your brain loves words, hates 7$kQ!9pLm@2zX)
  • Easy to type on your phone, your TV, your smart fridge
  • Mathematically very strong — if you pick from a dictionary of ~7,500 words, six random words give you ~78 bits of entropy. That’s around 180 quintillion combinations. Centuries of cracking, even on a GPU farm.

The catch is in the word random. You can’t pick them. You are not random — you’ll grab “summer,” “beach,” “love,” and your dog’s name, and an attacker’s hybrid wordlist will eat that for breakfast. Use a password manager, or roll actual dice with something like the EFF’s Diceware list. Let entropy come from the selection process, not from how weird the characters look.
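As an added example (not part of the original post), a Diceware-style generator in Python that makes the word selection for you with the secrets module, alongside the entropy arithmetic behind the "~78 bits" figure. The 16-word list is constructed here as a stand-in; a real deployment would load the EFF word list instead.

```python
import math
import secrets

# Constructed 16-word sample standing in for a real Diceware list; the EFF large
# list has 7,776 words (6**5, one per five-dice roll). The security argument is
# the same: strength comes from list size and from letting a CSPRNG choose.
SAMPLE_WORDS = [
    "cabinet", "orbit", "pencil", "whale", "thunder", "mango",
    "ladder", "copper", "velvet", "harbor", "pickle", "quartz",
    "saddle", "tulip", "walnut", "zephyr",
]

def wordlist_ok(words) -> bool:
    """A list is usable only if every entry is unique; duplicates make some
    words more likely than others and overstate the entropy estimate."""
    return len(words) > 1 and len(set(words)) == len(words)

def passphrase(words, count: int = 6, separator: str = "-") -> str:
    """Choose `count` words with secrets.choice (uniform, CSPRNG-backed), so the
    result owes nothing to the user's taste in words, pets or seasons."""
    if not wordlist_ok(words):
        raise ValueError("word list must have at least two unique entries")
    return separator.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(list_size: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `list_size` words."""
    return count * math.log2(list_size)

def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest words from a list of `list_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS))
    print(f"{passphrase_bits(7776, 6):.1f} bits for six EFF-list words")
    print(f"{words_needed(len(SAMPLE_WORDS), 77)} words needed from the tiny sample list")
```

With the sample list you would need 20 words to match the strength of six from a 7,776-word list, which is why the list size matters as much as the word count.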

The thing that killed sunnyvalley472 wasn’t its length. It was the fact that an algorithm — not a random process — generated it from a tiny, predictable space. Avoid that, and you’re fine.

Because somewhere out there, some curious tinkerer is wondering if your manufacturer got lazy too — and the answer, depressingly often, is yes.


This post is for educational and defensive purposes. Capturing handshakes from networks you don’t own, or don’t have explicit written permission to test, is illegal in most jurisdictions. Get authorization. Stay curious. Stay legal.