back to article Amazon's EC2 brings new might to password cracking

Forget what you've learned about password security. A simple pass code with nothing more than lower-case letters may be all you need - provided you use 12 characters. That's the conclusion of security consultant David Campbell, who calculated the cost of waging a brute-force attack on various types of passwords using cloud …


This topic is closed for new posts.
  1. Crazy Operations Guy

    Pass phrases...

    I have typically recommended that people use actual phrases rather than passwords for things exactly like this. First phrases are easy to memorize; second the are very long and can easily contain upper, lower, numbers and symbols; and third, it would be very difficult for an attacker to use a key logger to find the password.

    One of my old passwords was "Send form 36-b to accounting.". Such a password would cost about $2.43*10^43 to crack and would take so long that the password would have been changed several times already.

  2. Anonymous Coward

    Moore's Law

    Remember in 2 years the cost will half.

    Also if someone has intercepted a communication or a file they have all the time in the world to crack it even if you change your password from then on.

  3. Anonymous Coward
    Thumb Down

    @Moore's Law

    Pah. If you're going to quote a law, you should at least try to get it right. Idiot.

  4. John Doe 1

    Surprised the botnets aren't doing it already

    ...considering there's millions of compromised PCs under botnet control, and where access is hired rather inexpensively in units of 10,000 compromised computers.

  5. Neal 5


    Nah, more likely used for building rainbow tables.

  6. Anonymous Coward
    Anonymous Coward


    Why would the criminals bother brute forcing passwords when many people are still stupid enough to submit their credentials to phishing sites?

    This would need to be done in conjunction for another hack, for example if they get hold of all the hashed passwords for a particular site, they could attempt to brute force them all wholesale, assuming that there will be a certain percentage of week ones.

    So use multiple email addresses and passwords and you're laughing.

  7. Keith Oldham


    Certainly a mega-bruteforce effort can theoretically generate the correct password eventually - however it still needs to be applied. Might take rather a long time, even if the username is known - alright root is root but it would average ~~10^35 attempts to break into my fileserver even if root was exposed to the outside ( which it's not) and also supposing fail2ban didn't notice (all this assuming that the universe hasn't ended by then as I'm assuming at a generous 100000 login attempts a second a time of ~10^23 years!) - although I guess hardware and broadband speeds will have improved a tad in maybe 10^10 years.

    File security might be a different matter - but you still need to recognize that the decryption has succeeded

    (Memorising very long random passwords is the answer - I'm afraid I can't remember what the question is.)

  8. paul brain

    @ AC re: Moore's law

    Dude , calm down. The guy was just saying it would cost half as much in 2 years. Which according to moores law would be accurate if the ISP took an additional 6 months to upgrade.

  9. Chris Miller

    Time and tide

    Choice of key length is dependant not only on the intrinsic value of the data it protects, but also the length of time for which protection is needed. For example, the message "We attack at dawn" may be of incalculable value to the enemy, but only if it can be decrypted within 24 hours. The CIA (are alleged to) have documents that must be protected not just for the lifetime of the agents they refer to, but for the lifetimes of all their children.

  10. Anonymous Coward
    Anonymous Coward

    $1.5m to brute force a 12-character password

    Of course, you may get it right the first time but I suppose that doesn't meet the definition of brute force in this case...

  11. Anonymous Coward
    Anonymous Coward

    Re: Pass phrases...

    That passphrase has very low entropy:

    Given 1.1 bits per character plus some extras for the dot, dash and digits, I think 52 bits would be generous. That's about the same as 11 characters chosen randomly from lowercase a-z, which according to this article costs $60,000 to crack. Having said that, the search through the keyspace would be slower than just trying sequential keys.

  12. Matware
    Big Brother

    If you really need a password cheap and quickk

    A cordless drill and ear plugs.

    Does anybody actually crack passwords? I always thought it was a line used to keep the masses in the dark.

  13. DZ-Jay

    Bad assumptions

    The study is based on some misguided assumptions. Firstly, that the criminals will depend on a pay-for-service supercomputer to crack a single password.

    If they were intent on using supercomputers to crack passwords en masse, I will posit that it is more probable that the criminals will employ any of the myriad mechanisms available (trojan horses, botnets, social engineering, the black-market, etc.) to steal the password of an Amazon EC2 account, and then roll with it.

    Crime is only that expensive if the criminals play by your normal rules, which nothing says they have to.


  14. Tim Brown 1

    A glaring flaw in his assumption

    His cracking application might be able to handle 9.36 billion keys per hour but what real-world server will process even a fraction of that many login attempts per hour? Even assuming no anti-hacking measures swing into action, I would suggest that even 100 attempts per second would tax most server applications.

    So his actual EC2 bill is going to be several orders of magnitude bigger than his theoretical calculations.

  15. PatAdam


    The cost given would be the cost if every single one of the possible combinations was tried. Assuming a brute force attack consists of first trying "aaaaaaaaaa" then "aaaaaaaaab" then this would only be true if the password was "zzzzzzzzzz" - which is unlikely.

    Then again, are crackers clever enough to use random attacks? Sounds like 'zzzzzzzzzz' is going to become my password of choice from now on.

  16. Anomalous Cowherd Silver badge

    Not quite wrong

    Typically the measurement you want is the time taken to search half the keyspace, which gives you the average time to find a password. So divide his results by two and you've got a useful answer.

    As for the "no server would let you log in 9.36m times a second", that's not the idea here. Say someone has broken in to a server, got hold of /etc/shadow, and now wants to crack the passwords (to attack another computer with the same user accounts). It's strictly a CPU-bound problem, although once you've got /etc/shadow you've got root anyay, so it's much easier to install a compromised sshd or logind daemon to capture passwords as they're entered.

    A shame he didn't answer the more interesting question, which is the cost taken to brute force an RSA private key from a public one. Given public keys are, well, public, it's an attack you can perform without the target even realising they're under attack.

  17. Anonymous Coward
    Anonymous Coward


    > Then again, are crackers clever enough to use random attacks? Sounds like 'zzzzzzzzzz' is

    > going to become my password of choice from now on.

    Attackers will try simple passwords and common combinations from a dictionary first. That will get 80% of all passwords, including yours, with almost no effort. Only the remaining 20% needs any sort of force.

  18. Giles Jones Gold badge

    Problem is..

    Who can really remember a 12 character password?

    Maybe once, but LAN policies often require a new password each month.

  19. Anonymous Coward
    Thumb Down


    I read somewhere a long time ago (a quiet afternoon reading some whitepaper on good and bad passwords) that repetition within passphrases is bad as once a character is cracked it's then decryptable for all occurrences in the phrase.

    Hence 'zzzzzzzzzz' would be buggered as soon as the brute force gets the first z.

  20. Keith Oldham

    Re: Repetition

    As far as I'm aware that's only true for a simple transposition.

    Take an example zzzz where the first char is transposed by say -1, second by -10, third by -22, fourth by -3 and you end up with ypdw

  21. rfrovarp

    Why use the slow EC2?

    I mean really. The high end nVidia cards using CUDA can do 2 billion md5's per second. That comes out to over 7 trillion per hour. For a grand in graphics cards (SLI) you can do 14 trillion md5s in an hour. SHA's and better will slow it down some, but it is far quicker than the measly 9.3 billion per hour that his software is calculated to use. In under 16 hours you can brute force an 8 character alpha-numeric md5 with SLI.

  22. Tim Croydon

    Long passwords

    I hate websites that limit the length of passwords. e.g 'You password must be 6-8 characters'. Far too many of them about still. And far too many that store them unhashed and send you a plain text reminder.

    @Moore's Law idiots: Just remember what Moore's law *really* says: "The number of people misquoting Moore's Law will double every 18 months". Go Google it, morons.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022