VnutZ Domain
Copyright © 1996 - 2020 [Matthew Vea] - All Rights Reserved

2009-11-03

Password Cracking with the Cloud

Tagged As: Hacking and Security

I've long been a fan of password derivation, and reading articles on the topic brings back the days of defeating the West Point GoldCoats year after year. Anyway, today I came across an article by Electric Alchemy in which they use Amazon's Elastic Cloud to harness the power of distributed computing for customized password cracking. The details of how they configured the cloud are a handy "How To" in their own right, where Electric Alchemy sets up their environment to derive the passphrase for PGP encrypted ZIP files. To me, the more interesting part of their study was the modern-day cost analysis for breaking passwords and using those numbers to establish safe password policies. Essentially, they used Cloud resource costs to estimate the amount of money an entity must be willing to spend to break passwords of varying complexity. Ignoring a dictionary attack, they found that an entity willing to spend only $1 million on Cloud resources cannot break passwords at the following thresholds:

  • 12 character simple (a-z) passwords
  • 11 character extended (a-z 0-9) passwords
  • 9 character complex (a-z A-Z 0-9 & special character) passwords

Anything beneath those thresholds is broken easily by the Cloud resources in a short amount of time. It's amazing how far computing power and resource pooling have come in the past decade. jbnjbq7 used to take just under a week on a Pentium II 233 MHz machine using l0phtcrack; now, brute forcing such a password is arbitrarily trivial, and people have turned their sights to better targets like PGP (again, ignoring dictionaries and rainbow tables).
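The cost reasoning above can be turned into a small policy calculator. This is an added example, not code from Electric Alchemy or from this post; the cracking rate, the hourly instance price, and the choice of the 32 ASCII punctuation marks as the "special" set are assumed values picked for illustration, not figures from the study.

```python
import string

# Assumed figures for illustration only; neither comes from the article.
GUESSES_PER_SEC_PER_INSTANCE = 2_000_000  # assumed cracking rate of one instance
USD_PER_INSTANCE_HOUR = 0.30              # assumed on-demand price

# Character classes from the list above (32 ASCII punctuation marks assumed).
CHARSETS = {
    "simple": len(string.ascii_lowercase),
    "extended": len(string.ascii_lowercase + string.digits),
    "complex": len(string.ascii_letters + string.digits + string.punctuation),
}


def keyspace(charset_size, length):
    """Candidates an exhaustive search covers for every length 1..length."""
    return sum(charset_size ** n for n in range(1, length + 1))


def exhaustive_cost_usd(charset_size, length):
    """Worst-case spend to try every candidate.

    Adding instances shortens the wall-clock time but not the bill:
    the total number of instance-hours stays the same.
    """
    seconds = keyspace(charset_size, length) / GUESSES_PER_SEC_PER_INSTANCE
    return seconds / 3600 * USD_PER_INSTANCE_HOUR


def min_safe_length(charset_size, budget_usd, max_len=64):
    """Shortest length whose exhaustive search costs more than the budget."""
    for length in range(1, max_len + 1):
        if exhaustive_cost_usd(charset_size, length) > budget_usd:
            return length
    raise ValueError("budget covers every length up to max_len")


def policy_table(budget_usd):
    """Minimum password length per character class for a given attacker budget."""
    return {name: min_safe_length(size, budget_usd) for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for budget in (1_000, 1_000_000, 1_000_000_000):
        print(f"${budget:>13,}: {policy_table(budget)}")
```

With these assumed inputs the $1 million row matches the 12, 11 and 9 character thresholds listed above; rerunning with current hardware rates and prices shows how far a policy written against old numbers has drifted.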


