A recent article by David Campbell, also published on The Register, reminded us that there's a lot of computing power available for rent at the moment. Using a pretty standard brute-force password cracker as a benchmark and the Amazon EC2 price of $0.30 per hour, he came up with surprising, and perhaps unexpectedly low, figures for how much money it takes to crack passwords of various strengths.
Brute forcing of passwords has often been dismissed because of the large amount of processing power it takes to make a dent in good password choices, but perhaps we sometimes forget that computing power is a lot less expensive than it once was and is readily available. Because this kind of service can be paid for by fraudulent means and be set up and available in almost real time, the threat is very realistic.
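The arithmetic behind cost figures of this kind can be turned into a password-policy check, shown here as an added example that is not taken from David Campbell's article. The $0.30 per hour price is the one quoted above; the per-instance guess rate and all function names are assumptions made for illustration.

```python
EC2_USD_PER_HOUR = 0.30        # hourly price quoted in the article
ASSUMED_GUESSES_PER_SEC = 1e7  # assumption: per-instance guess rate, not from the article


def keyspace(charset_size, max_len, min_len=1):
    """Number of candidate passwords with a length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def exhaust_cost_usd(charset_size, max_len,
                     rate=ASSUMED_GUESSES_PER_SEC,
                     usd_per_hour=EC2_USD_PER_HOUR):
    """Rental cost of trying every candidate up to max_len characters.

    Adding instances shortens the wall-clock time but not the number of
    instance-hours consumed, so the cost is independent of parallelism.
    """
    instance_hours = keyspace(charset_size, max_len) / rate / 3600
    return instance_hours * usd_per_hour


def min_length_for_budget(charset_size, budget_usd, **kw):
    """Smallest maximum length whose full search costs more than budget_usd."""
    n = 1
    while exhaust_cost_usd(charset_size, n, **kw) <= budget_usd:
        n += 1
    return n


def policy_report(budget_usd, charsets=None):
    """Map each policy name to the minimum length that exceeds the budget."""
    charsets = charsets or {"lowercase": 26, "alphanumeric": 62, "printable": 95}
    return {name: min_length_for_budget(size, budget_usd)
            for name, size in charsets.items()}


if __name__ == "__main__":
    for name, length in policy_report(budget_usd=100).items():
        print(f"{name:>12}: at least {length} characters to exceed $100")
```

The result scales linearly with the assumed guess rate, so a slow password hash on the server side raises the cost of every row by the same factor.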
David makes the comment:
"As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor. Using stolen credit cards, they could create a supercomputer that would be faster potentially than what the three-letter agencies have, and they wouldn't be paying for the CPU cycles."