A German researcher's claim that he has found a way to leverage Amazon's EC2 service to crack wireless passwords raises an important question: Have passwords outlived their usefulness?
InfoWorld analyst Ted Samson reported this week that the researcher was able to use customized software running on multicomputer cloud system to crack wireless WPA preshared keys
in as little as six minutes for a few dollars or less. [ Revisit your company's stance on passwords -- start by testing the strength of your password policy. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
This threat isn't entirely surprising. To slightly paraphrase computer security expert Bruce Schneier, password attacks only become more effective over time. Yesterday's long and secure passwords become tomorrow's easily hackable passwords. A decade ago, a 6-character password provided most people a lot of protection. Today, it's likely that 10-character passwords are susceptible to assault, even when they're strong and employ authentication protocols. Precloud password cracking
Cloud computing and its ability to bring in cheap, elastic computing and storage resources are certainly putting pressure on passwords, but there are other factors to consider. Five years ago I was using the John the Ripper password hash cracking program
to make tens of millions of password guesses per second. I thought that was extraordinary. Then password crackers started using GPU (graphical processing unit) chips from standard PC video cards and gaming systems to increase password cracking speeds by as much as 100 times. In fact, it's cloud computing with GPUs that led to the recent superquick wireless WPA-PSK exploit.