When I want to log onto a password-protected wifi with my iPhone and type the password into my phone’s settings, the “Join” button remains inactive as long as I’m typing; but as soon as I finish the last character of the password, the button will turn active (blue). Apparently, my phone knows that I’ve finished typing before I even tell it to connect. Does this mean that the router tells my phone the length of the expected password in advance? That would sound like a security vulnerability to me. Wouldn’t it greatly facilitate brute force attacks?
It may be that your WiFi access point is still using WEP. That uses a fixed length password of either five or 13 ASCII characters - which get mapped to the binary equivalents of the 64 or 128 bit keys. (Fewer characters may also work, but probably just get blank padded.) An iPhone joining a WEP protected network will see that it uses WEP and what size of key is required, and thus know a priori the maximum number of characters needed.
Hint - don’t use WEP. It is way obsolete and totally insecure.
There is a minimum length.
Is your password 8 characters?
I was going to say - does anyone use WEP any more?
Is it possible that if you pause typing for very long the phone assumes you’re done? Also, as mentioned, does the JOIN button probably require a minimum 8-character or more password for newer WiFi network security and only appears after the 8th character? What happens if you stop typing at 8 characters for a network with a 9-character password?
ETA: Ninja’d again!
Another possibility is they programmed the join button to be “smart”. This is a guess, but maybe, just maybe …
For as long as you’re entering characters at a regular rate the button stays dim/disabled. But as soon as your next character is later than its timing expects, the button turns live. See, it’s the little helpful things that make the Apple UI so rewarding to use.
A way to test this theory is to enter just a few characters in your usual cadence then stop. If a moment later the button goes live you’ve got your answer. Or equally if it doesn’t.
It’s not my own wifi, it’s a corporate wifi for personal use and guests at the place I work. But yes, the length is eight characters.
My experience (with WPA) is that the Join button stays inactive until you pass the minimum number of characters. So, if your password is that minimum, it will look like it’s letting you join as soon as you hit the right length, but if your password is longer, you’ll see that you have to keep typing even after you can try to join.
Then the appearance of the “join” button is an indication that the password is long enough.
That goes to the original question, though: What defines “enough”? Is it the length of the actual password (implying there is some leakage of security information between access point and unauthenticated client)?
It’s been answered that “enough” is based on the minimum password length according to specification, and not the actual length for that particular instance.
Let’s not complicate this.
Typing 8 characters triggers the activation of the join button even if the actual password is much longer.
(Try for yourself)
I just tried it with a few random wifis of neighbours in my apartment building, and indeed it seems as if the “Join” button turns blue after eight characters. I don’t know the passwords themselves or how long they are.
I suspect as mentioned, it’s the minimum length. IIRC for WPA the minimum length is 8 characters, and I do believe the WiFi will tell the client what sort of security it is - because, of course, the client has to encode the password to match the demanded security setting (none, WEP, WPA, WPA2, etc.) You don’t broadcast the password to the router, you take the key it gives you and crumble the password with it to make an unreadable password to send, that only the wifi can decode. (And IIRC use your phone/PC’s personal key, so that someone cannot just copy the key as encrypted).
I assume these are one-way encryptions. I have a public key I share with you, you use that to encode the password, and you cannot decode/reverse that process, and only the matching private second key can decode it. Math nerd stuff… giant prime numbers and all that.
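Added example, not part of the thread and not Apple's code: a sketch of the client-side length check the thread settles on, plus the standard WPA/WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 over the passphrase and SSID). The function names, the "GuestNet" SSID and the sample passphrases are constructed for illustration; the point is that the button decision depends only on the advertised security type, and the derived key is 32 bytes whatever the passphrase length.

```python
import hashlib
import string

# Passphrase rules fixed by the standards, independent of any one network's key.
WPA_MIN, WPA_MAX = 8, 63          # WPA/WPA2-PSK ASCII passphrase bounds
WEP_ASCII = (5, 13)               # WEP ASCII key lengths mentioned in the thread
WEP_HEX = (10, 26)                # the same keys entered as hex digits


def is_hex(s):
    return bool(s) and all(c in string.hexdigits for c in s)


def join_enabled(security, typed):
    """Hypothetical client-side check: may the Join button be enabled?

    `security` is the scheme the access point advertises ("open", "wep",
    "wpa-psk"); the decision never uses the network's real passphrase.
    """
    n = len(typed)
    if security == "open":
        return True
    if security == "wep":
        return n in WEP_ASCII or (n in WEP_HEX and is_hex(typed))
    if security == "wpa-psk":
        if n == 64:
            return is_hex(typed)      # raw 256-bit key entered as hex
        return WPA_MIN <= n <= WPA_MAX
    raise ValueError(f"unknown security type: {security}")


def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def first_enabled_length(security, passphrase):
    """Length at which the button first enables while typing `passphrase`."""
    for i in range(1, len(passphrase) + 1):
        if join_enabled(security, passphrase[:i]):
            return i
    return None


if __name__ == "__main__":
    # Constructed sample passphrases and SSID.
    for pw in ("hunter22", "correct horse battery staple"):
        print(len(pw), first_enabled_length("wpa-psk", pw), len(wpa_pmk(pw, "GuestNet")))
```

Both sample passphrases enable the button at the eighth character, matching what was observed on the neighbours' networks above.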