Turning clouds into crackers: $45 a password

Security experts recommend long, complex passwords because breaking them takes a supercomputer's worth of processing power. So what happens now that a supercomputer is available to anyone with a credit card?

Security experts have started to connect the dots between password-seeking cyber criminals and low-cost services like Amazon's EC2.

At the July 2009 Black Hat conference, security expert Haroon Meer of SensePost talked about the potential for attackers to use Amazon's EC2 to build password-cracking rigs. That inspired security consultant David Campbell to run the numbers on his blog: he calculates the cost of cracking a password at Amazon's $0.30/hour rate.

The conclusion: a simple eight-character password would cost only $45 to break. That’s for a password that required only numbers and lower-case letters.

Being a white hat, Campbell used his work to demonstrate the value of requiring longer and more complex passwords. When you add the requirement that upper- and lower-case letters plus special characters all be used, the cracking cost jumps to $106,317. And if you require just one more character, nine instead of eight, the cost skyrockets to $10,100,151.

Of course, Campbell's figures assume the attacker can brute-force freely, testing every candidate password without ever being locked out.
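The arithmetic behind those figures is worth seeing laid out, because it shows why each extra character class multiplies the bill and each extra character multiplies it again by the alphabet size. The following Python is an added example, not Campbell's spreadsheet or anything from his blog. The $0.30/hour price is from the article; the per-instance guess rate is an assumption, back-calculated from the article's $45 figure (36^8 candidates in 150 instance-hours) rather than a measured benchmark, and the 33-character "special" class is likewise an assumed size. With those assumptions the model reproduces the three dollar figures in the article to within about one percent.

```python
import math

# Figure from the article: Amazon EC2 at $0.30 per instance-hour.
EC2_PRICE_PER_HOUR = 0.30

# Assumption: the per-instance guess rate is back-calculated from the article's
# $45 figure (36^8 candidates for 150 instance-hours at $0.30), not a measured
# benchmark. It works out to roughly 1.9e10 guesses per hour, about 5 million/s.
GUESSES_PER_INSTANCE_HOUR = 36 ** 8 / 150

# Assumed character-class sizes (printable ASCII).
CHARSET_SIZES = {
    "digits": 10,
    "lower": 26,
    "upper": 26,
    "special": 33,   # punctuation and symbols, including space
}


def keyspace(length, classes):
    """Number of candidate passwords of `length` drawn from the union of `classes`."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def cracking_cost(length, classes, price_per_hour=EC2_PRICE_PER_HOUR,
                  rate=GUESSES_PER_INSTANCE_HOUR, expected=False):
    """Dollar cost to search the keyspace. The default is the worst case (exhaust it);
    `expected=True` charges for the average case, which hits the password halfway through."""
    candidates = keyspace(length, classes)
    if expected:
        candidates /= 2
    instance_hours = candidates / rate
    return instance_hours * price_per_hour


def instances_for_deadline(length, classes, hours, rate=GUESSES_PER_INSTANCE_HOUR):
    """How many parallel instances finish the worst-case search within `hours`.
    Renting in parallel shortens the wall-clock time but does not change the bill."""
    return math.ceil(keyspace(length, classes) / rate / hours)


if __name__ == "__main__":
    # The three policies the article compares.
    policies = [
        (8, ["digits", "lower"]),
        (8, ["digits", "lower", "upper", "special"]),
        (9, ["digits", "lower", "upper", "special"]),
    ]
    print(f"{'len':>3} {'classes':<28} {'keyspace':>10} {'worst-case $':>14} {'instances/24h':>14}")
    for length, classes in policies:
        print(f"{length:>3} {'+'.join(classes):<28} {keyspace(length, classes):>10.2e} "
              f"{cracking_cost(length, classes):>14,.0f} "
              f"{instances_for_deadline(length, classes, 24):>14,}")
```

The `instances_for_deadline` column is the part a threat model should dwell on: the cost of a search is fixed by the keyspace and the hourly price, so an attacker who can rent (or, as Campbell notes, fraudulently charge for) many instances at once trades nothing but money for time.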

Still, Campbell is illustrating a valid point. He told The Register:

“As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor,” said Campbell. “Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn’t be paying for the CPU cycles.”

2 Comments

  1. dave says:

    Or they just rent a botnet from their fellow hats and do it for a tenth the price. Considering a 10k botnet rents for 24 hrs in the range of 1k to 5k.

  2. Seth says:

    “Security experts recommend long, complex passwords …”

    That is just stupid as that approach is needlessly inconvenient to users.

    Any computer or service that includes sensitive data should include a mechanism to lock access for some period of time after some number of failed login attempts no matter where from (similar to the functionality offered by fail2ban). This type of protection renders dictionary style attacks impotent.
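The lockout mechanism described in the comment above, as an added example that is not part of the original post or any commenter's code: an account-level limiter that locks after a number of failed attempts within a window, regardless of source address, with an injectable clock so the policy can be simulated without waiting. The thresholds (5 failures in 5 minutes, 15-minute lock), the sample account and the simulated guessing sequence are all constructed for the example.

```python
import time
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Account-level lockout: after `max_failures` failed attempts within
    `window_s` seconds the account is locked for `lockout_s` seconds, no matter
    which source address the attempts came from. `clock` is injectable so the
    policy can be simulated without real waiting."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:             # lock expired: start with a clean slate
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Returns True if this failure triggered a lockout."""
        now = self.clock()
        recent = self._failures[account]
        while recent and now - recent[0] > self.window_s:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)

    def online_guess_budget(self, seconds):
        """Upper bound on guesses an attacker can make against one account in
        `seconds`: max_failures per lockout cycle, assuming the guesses
        themselves take no time."""
        return self.max_failures * (seconds / self.lockout_s)


def attempt_login(limiter, account, password, check_password):
    """Returns 'locked', 'ok' or 'denied'. The lock is checked before the password,
    so a guess against a locked account is not evaluated at all."""
    if limiter.is_locked(account):
        return "locked"
    if check_password(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"


class FakeClock:
    """Constructed clock for the simulation below; advance it with .t += seconds."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Five wrong guesses a second apart, then the right password during the
    lockout (still refused), then the right password after the lock expires."""
    clock = FakeClock()
    limiter = FailedLoginLimiter(max_failures=5, window_s=300, lockout_s=900, clock=clock)
    users = {"alice": "correct horse battery staple"}   # constructed sample account
    # Plain comparison stands in for a real password-hash check in this example.
    check = lambda account, pw: users.get(account) == pw
    results = []
    for guess in ["a", "b", "c", "d", "e", "correct horse battery staple"]:
        results.append(attempt_login(limiter, "alice", guess, check))
        clock.t += 1
    clock.t += 900
    results.append(attempt_login(limiter, "alice", "correct horse battery staple", check))
    return results


if __name__ == "__main__":
    print(simulate())
    per_day = FailedLoginLimiter().online_guess_budget(86400)
    years = 36 ** 8 / per_day / 365
    print(f"{per_day:.0f} guesses/day per account; a 36^8 keyspace takes ~{years:.1e} years online")
```

With the default policy an attacker gets at most 480 guesses per account per day, which turns the article's $45 eight-character keyspace into a search measured in millions of years rather than dollars. Two caveats a practitioner should keep in mind: locking by account means anyone who knows a username can lock its owner out, so a deployment usually pairs this with per-source throttling and a way for the user to recover; and the limiter only governs online guessing through the login path. Campbell's cost model is about offline brute force against a copy of the password store, which no lockout can slow down, so password length and complexity still matter there.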
