Amazon EC2 changes the rules of password cracking

How many characters should a reasonably secure password consist of? At least 12, according to security consultant David Campbell. Campbell came to this conclusion after calculating the cost of a brute-force attack that harnesses computational resources from cloud computing services such as Amazon's EC2.

Using his own cracking application, which can handle 9.36 billion keys per hour, Campbell calculated that it would cost a cool $1.5M to brute-force a password that is 12 characters long. Campbell is working on the assumption that the password consists of just lower-case letters. A similar password with just 11 characters, though, will cost just $60,000 worth of computer cycles to crack.

Throwing numbers and other symbols into the mix will obviously increase the cost, though Campbell told The Register that a short (eight-character) password containing an additional 32 different characters will cost just $106,000 to crack. So the longer the password, the better.

What is perhaps more chilling is the idea that criminals could already have access to supercomputer-level computing resources by harnessing the power of cloud computing. But won't it be too costly for them? Well, not if they throw some good old-fashioned crime into the technological mix.

Campbell summed up the situation. "Using stolen credit cards, they [hackers] could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn't be paying for the CPU cycles."

For more on this story:
- check out this article at The Register
