WPA-PSK password cracked with Amazon Cloud for $5.60

Discussion in 'other security issues & news' started by Baserk, Jan 11, 2011.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    '(Reuters) - A security researcher says he has figured out a quick and inexpensive way to break a commonly used form of password protection for wireless networks using powerful computers that anybody can lease from Amazon.com Inc over the Web.

    Thomas Roth, a computer security consultant based in Cologne, Germany, says he can hack into protected networks using specialized software that he has written that runs on Amazon's cloud-based computers. It tests 400,000 potential passwords per second using Amazon's high-speed computers.'

    Reuters article link

    Thomas Roth website stacksmashing.net link
     
    Last edited: Jan 11, 2011
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Unfortunately the article doesn't say whether it's WPA-TKIP or WPA-AES.
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    It would be interesting to know the length of the passwords broken. Not sure if it can brute force a 63 char password.
     
  4. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    I may be missing something, but it seems the title is very misleading. This method did not "break" or "crack" WPA-PSK. Rather it appears the "researcher" employed an old-hat brute-force attack using a new tool, being the Amazon cloud.

    A brute-force is a brute-force is a brute-force. The revelation here is not that brute force attacks have become hugely more successful, but rather there's a new computational option for executing a brute-force attack.

    "400,000 potential passwords per second" doesn't sound very impressive to me. According to this website, a mere 8-character password using mixed upper and lower case alphabet plus numbers and common symbols has roughly 7.2 Quadrillion possible combinations. That'll take many, many years of automated guessing.

    http://www.lockdown.co.uk/?pg=combi

    My home network uses a "random" 63-character password "only" using upper and lower-case alphabetic characters plus numbers. Plugging this into Google tells me 400,000 guesses at my password per second will take until the end of time.
    (((((62^63) / 400 000) / 60) / 60) / 24) / 365.25 = 6.59952199 × 10^99 years
    I Am Not An Encryption Expert, so I wonder if I am missing something.
     
    Last edited: Jan 11, 2011
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    So the guy can use a cluster of machines to speed up a brute force attack. It would still take it 5.58 x 10^22 years to crack a 20 character long password consisting of upper/lower letters and numbers.

    In other news the sky is blue....
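
The estimates in posts 4 and 5 can be reproduced and then turned around into a minimum-length check for a passphrase policy. This is an added example, not part of any post in the thread; the function names and the policy table are hypothetical, and it assumes a uniformly random passphrase searched exhaustively at the article's 400,000 guesses per second.

```python
# Added example: function names and the policy table are hypothetical, not from the thread.
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # same year length as the formula in post 4
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63        # WPA-PSK passphrase length limits


def keyspace(charset_size, length):
    """Exact number of passphrases of `length` characters over the alphabet."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters long")
    return charset_size ** length


def years_to_exhaust(charset_size, length, guesses_per_sec=400_000):
    """Years to try every candidate at a fixed rate (the thread's worst case)."""
    return keyspace(charset_size, length) / guesses_per_sec / SECONDS_PER_YEAR


def min_length(charset_size, target_years, guesses_per_sec=400_000):
    """Shortest random passphrase whose full search lasts >= target_years."""
    for length in range(WPA_MIN_LEN, WPA_MAX_LEN + 1):
        if years_to_exhaust(charset_size, length, guesses_per_sec) >= target_years:
            return length
    raise ValueError("no WPA-PSK passphrase over this alphabet is long enough")


if __name__ == "__main__":
    # Constructed policies: (label, alphabet size, length).
    policies = [
        ("lowercase only, 8 chars", 26, 8),
        ("mixed case + digits + symbols, 8 chars", 96, 8),
        ("mixed case + digits, 20 chars", 62, 20),
        ("mixed case + digits, 63 chars", 62, 63),
    ]
    for label, size, length in policies:
        years = years_to_exhaust(size, length)
        print(f"{label:40s} {keyspace(size, length):.3e} candidates  {years:.3e} years")
    # Headroom check: the same question if the guess rate were a million times higher.
    for rate in (400_000, 400_000 * 10**6):
        print(f"{rate:.1e} guesses/s -> min length for 1000 years over 62 chars:",
              min_length(62, 1000, rate))
```

The figures only hold for randomly generated passphrases; a passphrase taken from a word list falls to a dictionary search far smaller than the full keyspace.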
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    And when Amazon catches on to a bunch of would-be hackers abusing their network...?

    Me thinks it will not take too many attempted uses to have this resource eliminated.

    JMHO
    Mike
     