Feeds

Amazon's EC2 brings new might to password cracking

Cloudonomics and the art of black-hat hacking

Secure remote control for conventional and virtual desktops

Forget what you've learned about password security. A simple pass code with nothing more than lower-case letters may be all you need - provided you use 12 characters.

That's the conclusion of security consultant David Campbell, who calculated the cost of waging a brute-force attack on various types of passwords using cloud computing services offered by Amazon.

Based on hourly fees Amazon charges for its EC2 web service, it would cost more than $1.5m to brute force a 12-character password containing nothing more than lower-case letters a through z. But user beware, an 11-character code costs less than $60,000 to crack, and a 10-letter phrase costs less than $2,300.

Adding upper-case letters and numbers to a password offers some additional security, but not as much as you might think. Such a phrase using 10 characters would cost less than $60,000 to attack, while an 11-character code would cost roughly $2.1m. Even passwords that contain an additional 32 characters such as !@#$% are relatively cheap to crack if they are short enough. An eight-character password would cost a little more than $106,000.

The analysis, which Campbell posted here, builds off of research fellow security consultant Haroon Meer of SensePost presented earlier this year at the Black Hat conference. In it, he showed how EC2 could provide criminals using stolen credit cards with the equivalent of a super computer to crack encryption keys and passwords.

And that, in turn, will require new ways of thinking on the part of white hats.

"As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor," said Campbell. "Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn't be paying for the CPU cycles."

Although Amazon takes pains to ration resources it makes available to single customers, Meer showed it was possible to get around such limitations using a single credit card. Presumably, it would be even easier to bypass those controls using hundreds or thousands of stolen credit cards, something that is trivial for criminals to get a hold of.

Campbell's assumptions are based on simple arithmetic.

To calculate the cost of brute forcing an eight-character password consisting only of lower-case letters, he raised 26 to the power of 8 to get the total number of possible passwords. Because his cracking application can handle 9.36 billion keys per hour, he then divided by that amount and multiplied that by EC2's standard rate of 30 cents per hour. An eight-character password that contains numbers and upper- and lower-case letters would be ((26+26+10)8/ 9,360,000,000) * .30.

A twelve character password that contains numbers and upper- and lower-case letters would be((26+26+10)12 / 9,360,000,000) * .30.

The promise of cloud computing to eliminate the costs of deploying and maintaining large numbers of servers is no doubt a boon to businesses looking for inexpensive ways to tackle special computing chores. But as the folks from SensePost make clear, some who stand to benefit the most may not be the most savory of enterprises.

It wasn't that long ago that even the most security conscious felt comfortable using an RSA key length of 1024 bits. But as Moore's Law has progressed, lengths of 2048 bits are increasingly advised. Now, as cloud computing spreads to the masses, don't be surprised if other common security assumptions are similarly rethought. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.