WPA-PSK Cracking As a Service
An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"
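An added illustration, not part of the original story and not WPA Cracker's code: the summary's figures converted to guesses per second and applied to randomly chosen passphrases, alongside the standard WPA-PSK key derivation that makes each guess expensive and tied to the SSID. The passphrase shapes, SSIDs and sample passphrase are constructed assumptions.

```python
import hashlib
import math

# Figures quoted in the story summary.
DICT_WORDS = 135_000_000
PC_SECONDS = 5 * 24 * 3600       # "over 5 days" on a dual-core PC
CLUSTER_SECONDS = 20 * 60        # "an average of 20 minutes" on the cluster
YEAR = 365 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
    This derivation dominates the cost of every dictionary guess."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def guesses_per_second(words: int, seconds: float) -> float:
    return words / seconds


def entropy_bits(length: int, alphabet: int) -> float:
    return length * math.log2(alphabet)


def years_to_exhaust(length: int, alphabet: int, rate: float) -> float:
    """Worst-case time to try every passphrase of this shape at `rate` guesses/s."""
    return alphabet ** length / rate / YEAR


if __name__ == "__main__":
    pc = guesses_per_second(DICT_WORDS, PC_SECONDS)
    cluster = guesses_per_second(DICT_WORDS, CLUSTER_SECONDS)
    print(f"dual-core PC: {pc:.1f} guesses/s, cluster: {cluster:.0f} guesses/s")
    # Same passphrase, different SSID: different key, so precomputed work
    # for one network name does not carry over to another.
    assert wpa_pmk("constructed-example", "HomeNet") != wpa_pmk("constructed-example", "CafeNet")
    # Constructed passphrase shapes (assumptions, not from the page).
    for label, length, alphabet in [("8 lowercase letters", 8, 26),
                                    ("10 letters and digits", 10, 62),
                                    ("15 letters and digits", 15, 62),
                                    ("20 printable ASCII", 20, 95)]:
        print(f"{label:24} {entropy_bits(length, alphabet):6.1f} bits "
              f"{years_to_exhaust(length, alphabet, cluster):.3g} years on the cluster")
```

The estimates cover exhaustive search over randomly generated passphrases only; a passphrase that appears in a dictionary falls within the 20-minute run regardless of its length.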
Only an idiot would pay $34 to see if their password was '12345'.
You can get a nice entropic password for free.
...$34 is the super-fast price.
Pfft, that's only pseudo-random data. Why settle when you can get true random data?
https://www.fourmilab.ch/hotbits/secure_generate.html
https://www.random.org/passwords/
Actually, in this case, it's very straightforward. He's using Amazon EC2. EC2 charges by the hour, and all you have to do is spin up the number of servers you want. In fact, I happened to run the numbers on what the costs are for running 50 "8-core" servers, and it happens to be...$34/hour. So, what he did was say, "If I run two jobs an hour, I make a small amount of money. If I run 4-5 jobs per hour, I make more money."
This is, of course, a textbook use case for EC2, and I'm surprised no one has done it sooner.
me@mzi.to
That's great if you have a compliant device. I spent two hours trying to figure out why my mom's Nokia wasn't working with such a passphrase. I finally got tired of typing in such a long phrase and truncated it to 15 or so characters only to find it instantly working. Turns out while it lets you type in long phrases, it will silently fail to use them in a completely undocumented deficiency.