Loading 3 Votes - +

Password Cracking with the Cloud

I’ve long been a fan of password derivation and reading articles on the topic brings back the days of defeating the USMA GoldCoats year after year. Anyway, today I came across an article by Electric Alchemy whereupon they utilize the power of Amazon’s Elastic Cloud to harness the power of distributed computing for customized password cracking. The details of how they configured the cloud are a handy “How To” in its own right, where Electric Alchemy sets up their environment to derive the passphrase for PGP encrypted ZIP files. To me, the more interesting part of their study was the modern day cost analysis for breaking passwords and using those numbers to establish safe password policies. Essentially, they used Cloud resource costs to estimate the amount of money an entity must be willing to spend to break passwords of various complexity. Ignoring a dictionary attack, they found that an entity only willing to spend $1 million on Cloud resources cannot break the following thresholds:

  • 12 character simple (a-z) passwords
  • 11 character extended (a-z 0-9) passwords
  • 9 character complex (a-z A-Z 0-9 & special character) passwords

Anything beneath those thresholds are broken easily by the Cloud resources in a short threshold of time. It’s amazing how far computing power and resource pooling have come in the past decade, jbnjbq7 used to take just under a week on a Pentium II 233Mhz machine using l0phtcrack … now, brute forcing such a password is arbitrarily trivial and people have turned their sights against better targets like PGP (again, ignoring dictionaries and rainbow tables).

Similarly tagged OmniNerd content:

Thread parent sort order:
Thread verbosity:
1 Vote  - +
Known Plaintext by gnifyus

About 5 years ago I used to play with a program called pkcrack which was a command-line zip password cracker. (I’ve pretty much forgotten how to use it now.) Unless the zip file password was only 4 characters long, the brute force function was fairly useless, but it had a “known plaintext” option which could pretty much break through any pass word, depending on how much plain-text you had available. The length and character complexity of the password didn’t seem to add much time to the calculation, which on the old Pentium II 400 Mhz might take a few hours. Many zipped software installation packages had text files include which were common to many installation packages, so having the plaintext available was a piece of cake (sometimes).
The calculation time seemed to reside mostly in how much plaintext you had.

Share & Socialize

What is OmniNerd?

Omninerd_icon Welcome! OmniNerd's content is generated by nerds like you. Learn more.

Voting Booth

The "everybody can code" movement is?

6 votes, 3 comments