When viewing WiFi AccessPoints that use WPA/WPA2 you may see a small raised hand icon in the Encryption / Authentication column:

This icon shows the number of WPA/WPA2 authentication handshakes that have been collected by AirShield and can be downloaded in HCCAPX format for offline recovery of the shared passphrase.

What Are 4-way Handshakes?

The term "handshake" has been used as the first four messages of the 802.11 authentication and encryption process. When using pre-shared keys (PSK) the client and access point must establish communication using this key. By capturing the first four messages it is possible to recover the PSK by reversing the process using offline recovery tools and techniques.

The Wikipedia article on 802.11i-2004 describes the complete steps used to establish authentication.

Collecting Handshakes

Searching Google for "wifi password recovery" will return many blogs, videos and tool breakdowns on the techniques to capture and recover. Most techniques recommend active and targeted termination of and existing connection to force re-authentication.

AirShield's continuous monitoring works on the assumption that authentication is likely to happen and be captured at some point in our deep packet inspection process. Denial of service is not required when using AirShield. In the near future deauthentication attacks may be rendered less effective as 802.11w Protected Management Frame support is adopted.

Automatic Weak/Default Recovery Attempt

When AirShield sends handshakes to the cloud they are checked against a list of commonly weak or default passphrases. 

Manually Test Passphrases

Downloading Handshakes for Offline Recovery

Clicking on a raised hand will bring up a dialog of the last 20 collected handshakes.