[alexhjones]

No need to brute force - if users re-used their master password, it will potentially cross-reference with the correct email and password combo from any number of previous data breaches and pwnage across the net.

[yasp]

Good news for people who followed best practices. "I don't have to outrun the bear; I just have to outrun you."

[AlexCoventry]

This bear has the ability to spin up an AWS cluster of bears, unfortunately.

[yasp]

They're still subject to economic considerations (assuming a non-state actor). If the expected value on a cracked account is less than the expected cost to crack it, a rational actor won't bother. That they may use cracked AWS accounts, or botnets, to perform this cracking does not change these economic considerations.

[dijit]

AWS is probably the most expensive way to do this.

Either rent some machines from an ex-crypto miner, since AES can be decyphered on GPUs or get some old extremely cheap boxes from the hetzner auction.

[nikau]

People who are trying to crack these passwords are also likely to be using compromised AWS accounts.

[jacquesm]

There isn't just one bear.