The concern of having your wifi password hacked vs being tracked may be of different concerns for different people.

(Besides, it can be useful to treat your LAN as hostile, anyway, with rampant IOT and friends etc.)

Also I should have pointed out that GPUs crunch WPA2 pretty quick these days too, it is best to use a really long passphrase. There are too many ISP supplied systems with a default password like "9K141U".

It definitely seems like a good idea to put IOT things on a different subnet. I've not met a home router yet that allows me to put proper filters on devices. DD-WRT I guess. But there are so many patches which should be applied, I'm sceptical of old firmware for routers.

At the moment I have an embedded linux device with a wifi dongle and giant antennas. The modem box can probably still be hacked remotely (from the ISP), but at least I'm able to prevent any device on the network from talking to it and using some simple rebinding or XSS attack. (E.g.: https://www.gironsec.com/blog/2015/01/owning_modems_and_rout... http://www.routerpwn.com/ )

> Also I should have pointed out that GPUs crunch WPA2 pretty quick these days too

How quickly, really? I remember a while ago I had a discussion on here where someone told me a hash method was insecure, as you could crack it with a GPU. I downloaded hashcat, put in the hash of a 6 character string, and left it running overnight on a GTX1070 and it was still going.

The hash method (SHA1 iterated 4096 times) is quite secure for this purpose. Even md4 would be fine. Of course, lots of Bitcoin ASICs are designed to compute SHA256 fast, but they are very fixed function and lacking the bandwidth to a CPU to stream in passwords. Also, they are just a constant factor better than what a GPU can do. I'm sure the NSA and other peers have rooms full of ASICs devoted to WPA2 though.

A good GPU cracker rig will get 500k hashes/second per GPU. That is still very slow compared to the search space of a 12 character [a-z][A-Z][0-9][@#$_&-+*"':;!?~|{}%] password.

For a 6 character string, it still depends on what mask you are providing, or what the search space is, i.e are there requirements like one or more upper, 1 or more digits, or is it purely random from a RNG?

Still, if it isn't breaking it within a day I'd say you are in CPU mode, where a multicore box is still only 5k hashes/second.