Q: Should pentesters use Amazon EC2 to crack passwords? A: Probably not.
Amazon’s “cloud computing” seems perfect for pentesters who need to crack passwords, for three reasons.
(1) Accounting. Pentesters can simply stick the Amazon EC2 costs onto the bill they charge customers. If they use their own hardware, they have to figure out how to amortize the cost across many customers.
(2) Usage pattern. Pentesters only need the compute power the day they are cracking passwords, at which point they need a lot of hardware. That’s only a few days a year; the hardware will remain unused the rest of the time. This fits Amazon’s usage model of paying only for the compute power that you use.
(3) Sheer power. In theory, a pentester can apply all the idle power of Amazon’s computers to the problem, which could expand to 100,000 machines. That’s an impressive amount of compute power.
This is all very impressive, but there is the problem of cost. Amazon is really built for things like websites, not “integer computation”. Thus, while so much of the Amazon model fits the password cracking model, this one difference defeats it.
Consider employing Amazon instances equivalent to 1000 desktops. This costs $1/hour per instance, or $1000/hour. The same password cracking power can be had with 25 GPUs costing $430 each, or $12000 total.
That means after only 12 hours of password cracking, owning your own GPU becomes more cost efficient than using Amazon EC2 instances.
Amazon also provides GPU instances, but the situation doesn’t change much. Amazon uses older Tesla GPUs, whose hardware costs 10 times as much as the latest gaming GPU but which perform a tenth as fast for password cracking. (They are optimized for floating point, not integer calculations.) That’s a 100 to 1 cost difference working against you.
So the upshot is this: for pentesters, buying a new GPU for the job and throwing it away at the end will crack more passwords than the equivalent money spent on Amazon EC2 instances.
Also, as I’ve mentioned elsewhere, the exponential nature of brute-force cracking defeats the idea of simply throwing more hardware at the problem. What cracks passwords is having a solid word list and good rules for mutating those words, not massive hardware. The marginal benefit of some hardware (like buying a GPU) is clearly worth it, but the marginal benefit of even more hardware is rarely worth the trouble.
Thus, as a pentester, you should have a desktop with one or two of the latest GPUs, but you shouldn’t worry much past that point.
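The two calculations behind this argument, as an added example that is not part of the original post: the rent-versus-buy break-even from the post's figures, and how little brute-force depth extra hardware buys. The 10^9 guesses/second rate, the one-day budget and the 95-character set are assumptions chosen for illustration.

```python
import math

# Figures from the post: 1000 instances at $1/hour vs. $12000 of GPUs.
RENT_PER_HOUR = 1000
BUY_ONCE = 12000

# Assumptions (not from the post): aggregate guess rate, time budget, charset.
ASSUMED_RATE = 10**9          # guesses per second
ASSUMED_SECONDS = 24 * 3600   # one day of cracking
PRINTABLE_ASCII = 95          # size of the character set


def break_even_hours(buy_cost, rent_per_hour):
    """Hours of cracking after which owning is cheaper than renting."""
    return buy_cost / rent_per_hour


def max_length(rate, seconds, charset):
    """Longest length L such that every password of length 1..L
    can be tried at `rate` guesses/second within `seconds`."""
    budget = rate * seconds
    length, tried = 0, 0
    while tried + charset ** (length + 1) <= budget:
        length += 1
        tried += charset ** length
    return length


def extra_chars(hardware_multiplier, charset):
    """Characters of brute-force depth gained by multiplying hardware:
    log(multiplier) / log(charset), because keyspace is charset**length."""
    return math.log(hardware_multiplier) / math.log(charset)


if __name__ == "__main__":
    print("break-even hours:", break_even_hours(BUY_ONCE, RENT_PER_HOUR))
    for mult in (1, 10, 100, 1000):
        depth = max_length(ASSUMED_RATE * mult, ASSUMED_SECONDS, PRINTABLE_ASCII)
        print(f"{mult:>5}x hardware -> exhausts length {depth}, "
              f"gain {extra_chars(mult, PRINTABLE_ASCII):.2f} chars")
```

Under these assumptions a thousandfold increase in hardware extends exhaustive search by about one and a half characters, which is why each added character of password length outpaces added hardware.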
Update: An alternative is something like http://www.cloudcracker.com, which is priced better to do what you want. This is especially true when calculating your own labor: managing your own cracking jobs will take an hour of your time, which you bill to customers. Using a cloud-cracking service means launching the cracking job, then playing Angry Birds for an hour.