I’ve long been a fan of password derivation and reading articles on the topic brings back the days of defeating the USMA GoldCoats year after year. Anyway, today I came across an article by Electric Alchemy whereupon they utilize the power of Amazon’s Elastic Cloud to harness the power of distributed computing for customized password cracking. The details of how they configured the cloud are a handy “How To” in its own right, where Electric Alchemy sets up their environment to derive the passphrase for PGP encrypted ZIP files. To me, the more interesting part of their study was the modern day cost analysis for breaking passwords and using those numbers to establish safe password policies. Essentially, they used Cloud resource costs to estimate the amount of money an entity must be willing to spend to break passwords of various complexity. Ignoring a dictionary attack, they found that an entity only willing to spend $1 million on Cloud resources cannot break the following thresholds:
- 12 character simple (a-z) passwords
- 11 character extended (a-z 0-9) passwords
- 9 character complex (a-z A-Z 0-9 & special character) passwords
Anything beneath those thresholds are broken easily by the Cloud resources in a short threshold of time. It’s amazing how far computing power and resource pooling have come in the past decade,
jbnjbq7 used to take just under a week on a Pentium II 233Mhz machine using l0phtcrack … now, brute forcing such a password is arbitrarily trivial and people have turned their sights against better targets like PGP (again, ignoring dictionaries and rainbow tables).
Similarly tagged OmniNerd content: