Security experts recommend long, complex passwords because breaking them by brute force takes supercomputer-class processing power. So what happens now that a supercomputer is available to anyone with a credit card?
Security experts have started to connect the dots between password-cracking cyber criminals and low-cost compute services like Amazon’s EC2.
At the July 2009 Black Hat Conference, security expert Haroon Meer of SensePost talked about the potential for hackers to use Amazon’s EC2 to build password-cracking programs. This inspired security consultant David Campbell to run the numbers on his blog. He calculates the cost of cracking a password, based on Amazon’s $0.30/hour rate.
The conclusion: a simple eight-character password would cost only $45 to break. That’s for a password that required only numbers and lower-case letters.
Being a white hat, Campbell used his work to demonstrate the value of requiring longer and more complex passwords. When you add the requirement that both upper- and lower-case letters plus special characters are used, the cracking cost jumps to $106,317. And if you add just one more character and require 9 characters, the cost skyrockets to $10,100,151.
Of course, Campbell’s assumption is that the attacker can brute force the password offline, testing every candidate without ever being locked out; a live login that throttles or locks after a few failures changes the picture entirely.
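The figures above follow from a simple keyspace-times-rate model. The Python below is an added example written for this page, not Campbell’s own code: it calibrates the guess rate on the article’s $45 figure, assumes a 95-character printable-ASCII set for the “complex” policy (an assumption the page does not state, but one that reproduces its numbers to within half a percent), and also quantifies the lockout caveat.

```python
EC2_RATE_PER_HOUR = 0.30  # hourly EC2 rate quoted in the article

# Charset sizes. 36 = digits + lower-case letters (stated on the page).
# 95 = all printable ASCII (digits, upper, lower, specials): an assumption
# that reproduces the article's figures to within rounding.
DIGITS_LOWER = 36
PRINTABLE = 95


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must try to cover every password."""
    return charset_size ** length


def cost_to_crack(charset_size: int, length: int, guesses_per_sec: float,
                  rate_per_hour: float = EC2_RATE_PER_HOUR) -> float:
    """Dollars of rented compute needed to exhaust the keyspace (worst case)."""
    hours = keyspace(charset_size, length) / guesses_per_sec / 3600
    return hours * rate_per_hour


def implied_guess_rate(charset_size: int, length: int, observed_cost: float,
                       rate_per_hour: float = EC2_RATE_PER_HOUR) -> float:
    """Back out guesses/second from a published cost. Used here to calibrate
    on the article's $45 figure (an inference, not a number the page states)."""
    hours = observed_cost / rate_per_hour
    return keyspace(charset_size, length) / (hours * 3600)


def policy_costs(guesses_per_sec: float) -> dict:
    """Cracking cost for the three password policies the article compares."""
    return {
        "8 chars, digits+lower": cost_to_crack(DIGITS_LOWER, 8, guesses_per_sec),
        "8 chars, printable": cost_to_crack(PRINTABLE, 8, guesses_per_sec),
        "9 chars, printable": cost_to_crack(PRINTABLE, 9, guesses_per_sec),
    }


def years_under_lockout(charset_size: int, length: int, attempts_per_hour: float) -> float:
    """Campbell's model assumes unthrottled (offline) guessing. Against a live
    login throttled to `attempts_per_hour`, rented CPU is irrelevant: this is
    the number of years needed to exhaust the keyspace at that pace."""
    hours = keyspace(charset_size, length) / attempts_per_hour
    return hours / (24 * 365)


if __name__ == "__main__":
    rate = implied_guess_rate(DIGITS_LOWER, 8, 45.0)  # calibrate on the $45 figure
    print(f"implied guess rate: {rate:,.0f}/s")
    for policy, dollars in policy_costs(rate).items():
        print(f"{policy:<24} ${dollars:>14,.0f}")
    print(f"36^8 at 100 attempts/hour: {years_under_lockout(DIGITS_LOWER, 8, 100):,.0f} years")
```

Because cost scales linearly with keyspace, the ratios between policies (about 2,352x for adding three character classes, exactly 95x for one more character) hold no matter what per-instance guess rate Campbell actually measured.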
Still, Campbell is illustrating a valid point. He told The Register:
“As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor,” said Campbell. “Using stolen credit cards, they could create a supercomputer that would be faster potentially than what the three-letter agencies have and they wouldn’t be paying for the CPU cycles.”