Thoughts on cracking passwords using cloud computing?

dicenskr's picture

http://bit.ly/bvfVy2

It's obvious that the internet provides the free distribution of information, both good and bad. A simple Google search for "how to crack passwords" leads to YouTube videos, articles, etc. with both more and less information regarding the best known techniques, including but not limited to dictionary, hybrid, brute force. Some even name some programs like THC Hydra.

There's an interesting (old) article (http://bit.ly/1z6sP7) that has a grid for how difficult your password is to crack with respect to length and complexity. The article estimates that it would take 154 x 10^9 millennia to crack a 14-letter password that uses all characters available. I am assuming that the author is correct in his assertion as well as there being only 1 computer working on this crack.

So what if we use cloud computing to crack passwords? (i.e., Amazon's very expensive EC2.) Time to think of new security standards? Thoughts? (Or just estimate how much the info is worth and create a password with 2 more letters and hope you're good?)

Comments

JohnFx's picture

Interesting topic. My take is that cloud computing isn't going to be that much of a threat to security simply as a means to throw more iron at a brute force password attack, because it doesn't change the game in terms of costs to execute such an attack.

For certain, cloud computing reduces costs associated with the excess capacity you traditionally needed to maintain for a system because you had to plan for peak capacity and not average capacity. However, for computationally heavy and constant usage like this, you wouldn't gain much advantage over just buying the equipment other than reducing the setup time.

In any event, it is important to understand that the aim of security is not to create hack-proof systems, but to make the cost/time commitment to break into the system exceed the value of anything that might be gained by hacking into it.
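The cost-versus-value argument in the comment above and the original post's "2 more letters" idea, worked through as an added example that is not part of the thread. The per-machine guess rate, hourly price and asset value are constructed assumptions, and the password is assumed to be uniformly random over the 95 printable ASCII characters.

```python
PRINTABLE_ASCII = 95          # printable ASCII characters, space included
RATE = 1e9                    # assumed guesses per second per rented machine
PRICE = 1.0                   # assumed price per machine-hour, in dollars


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def wall_clock_years(charset_size, length, rate, machines):
    """Years to try every candidate when the work is split over `machines`."""
    seconds = keyspace(charset_size, length) / (rate * machines)
    return seconds / (365.25 * 24 * 3600)


def expected_cost(charset_size, length, rate, price_per_hour):
    """Expected rental bill; on average half the keyspace is searched.

    The machine count cancels out: N machines finish N times sooner but
    are billed for N machines, so total machine-hours stay the same.
    """
    machine_hours = keyspace(charset_size, length) / 2 / rate / 3600
    return machine_hours * price_per_hour


def min_length(charset_size, rate, price_per_hour, asset_value):
    """Shortest random password whose expected attack cost exceeds asset_value."""
    length = 1
    while expected_cost(charset_size, length, rate, price_per_hour) <= asset_value:
        length += 1
    return length


if __name__ == "__main__":
    for n in (8, 10, 12, 14):
        cost = expected_cost(PRINTABLE_ASCII, n, RATE, PRICE)
        one = wall_clock_years(PRINTABLE_ASCII, n, RATE, 1)
        many = wall_clock_years(PRINTABLE_ASCII, n, RATE, 1000)
        print(f"len {n:2d}: ${cost:.3g}  1 machine {one:.3g} y  1000 machines {many:.3g} y")
    # Constructed asset value of $1,000,000
    print("minimum length:", min_length(PRINTABLE_ASCII, RATE, PRICE, 1e6))
```

Renting more machines shortens the wall-clock time but leaves the bill unchanged, while each extra random character multiplies both by the character-set size.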

softwarejanitor's picture

Criminal gangs are already using huge networks of zombified Windows boxes (botnets) to brute force attack passwords. They are pretty sophisticated, even in being able to coordinate timing/pacing of attempts distributed across a broad range of IP addresses to try to thwart attempts by the systems being attacked to identify/ban the members of the botnet.

There are still some ways to combat such things but some of them I'm not currently at liberty to discuss publicly.