Using Cloud Computing To Crack Passwords – Amazon’s EC2

Use Netsparker


Now this is interesting a proper mathematical calculation for using cloud computing to crack passwords, now Amazon has opened up their EC2 (Elastic Compute Cloud) the cost of massive parallel processing power has come right down.

And guess what, someone thought of using it to crack passwords. It seems the cut-off would be a 12 character password as even with all lower case characters it would cost USD1.5 million to crack.

It gets exponentially cheaper as you remove each character (due to the calculation using the power of the number of characters) so a 10 character password would only cost you just over USD2000!

Forget what you’ve learned about password security. A simple pass code with nothing more than lower-case letters may be all you need – provided you use 12 characters.

That’s the conclusion of security consultant David Campbell, who calculated the cost of waging a brute-force attack on various types of passwords using cloud computing services offered by Amazon.

Based on hourly fees Amazon charges for its EC2 web service, it would cost more than $1.5m to brute force a 12-character password containing nothing more than lower-case letters a through z. But user beware, an 11-character code costs less than $60,000 to crack, and a 10-letter phrase costs less than $2,300.

Adding upper-case letters and numbers to a password offers some additional security, but not as much as you might think. Such a phrase using 10 characters would cost less than $60,000 to attack, while an 11-character code would cost roughly $2.1m. Even passwords that contain an additional 32 characters such as !@#$% are relatively cheap to crack if they are short enough. An eight-character password would cost a little more than $106,000.

I’d say adding upper case letters and numbers makes quite a difference, a 10 character passwords jumps from just over USD2000 to crack all the way up to USD60,000. That’s a factor of 30!

I’d say a 10 character password containing uppercase, lowercase, numbers and specials characters should be well into the millions and keep you fairly safe.

I did write some guidelines and tips on creating a secure password a while back, you can check it out here – Good Password Guidelines – How to Make a Strong/Secure Password.

The analysis, which Campbell posted here, builds off of research fellow security consultant Haroon Meer of SensePost presented earlier this year at the Black Hat conference. In it, he showed how EC2 could provide criminals using stolen credit cards with the equivalent of a super computer to crack encryption keys and passwords.

And that, in turn, will require new ways of thinking on the part of white hats.

“As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor,” said Campbell. “Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn’t be paying for the CPU cycles.”

Although Amazon takes pains to ration resources it makes available to single customers, Meer showed it was possible to get around such limitations using a single credit card. Presumably, it would be even easier to bypass those controls using hundreds or thousands of stolen credit cards, something that is trivial for criminals to get a hold of. Campbell’s assumptions are based on simple arithmetic.

It’s interesting research nevertheless, I’d say Cloud Computing is only going to get more powerful and cheaper to rent so character based passwords may become completely defunct at some point in the future.

The computing power is not at the point where you have to worry about your 1024 bit RSA encryption quite yet, but it may well be in the near future as it’s already advised to use a 2048 bit key length!

Combining this platform with the abundance of stolen credit card details the blackhats have could be quite devastating.

Source: The Register

Posted in: Hacking News, Password Cracking

, , , , , ,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


2 Responses to Using Cloud Computing To Crack Passwords – Amazon’s EC2

  1. Michael Argast November 3, 2009 at 6:21 pm #

    In many ways, the criminals were the first to innovate in the area of Cloud Computing. While services like Amazon/EC2 have been getting a lot of press lately, for several years you’ve been able to rent large botnets to send spam, launch denial of service attacks and crack passwords.

    The prices these botnets go for are orders of magnitude cheaper than EC2, and if they don’t want to pay-to-play, the criminals can always build a new one themselves.

    Don’t use the ‘costs’ above as any indicator as to the real world effort that criminals have to spend in order to break your passwords. Secure your password files, ensure remote access to your systems require tokens or 2-factor authentication, and use strong passwords.

    Michael Argast, Security Analyst, Sophos

  2. emerging November 10, 2009 at 4:00 pm #

    days ago i read an article about a super computer of a speed of 1.1 Tera for $14,519 is now available for public when i looked at the price i was just amazed. the price of that super computer is of a fraction compared to the prices above, so wont it be easier for who ever has the cash to buy such machines ?.i would buy one my self ;). so i guess the threat is real close and real as to the traditional ways of authentication. so at the price of cracking a 10 char upper/lower/symp password -60k us$- i can buy almost 4 of those nice machines and with parallel programing u have your own cloud at home. did u consider this ?