As we reported earlier today, Amazon is now offering a Cluster GPU Instance. Security blogger Thomas Roth decided to find out how quickly the system could be used to crack SHA1 hashes. He was able to crack 14 hashes with passwords ranging in length from one to six characters in 49 minutes. “This just shows one more time that SHA1 is deprecated,” he writes. “You really don’t want to use it anymore!” Roth shares his process in this post. In the comments he notes the cost of cracking the passwords was only between four and five dollars.
Last summer, mainstream media outlets like the BBC began reporting what security company Elcomsoft had known for years: GPUs are highly efficient password cracking machines.
Roth used CUDA Multiforcer, an open source GPU-driven brute force password cracker, in conjunction with Amazon’s cloud service to crack his hash file. The passwords Roth cracked were very short, and I don’t have any clear information on how long longer passwords would take.
The real threat, as explained in Economist blog post, isn’t the possibility of hackers brute forcing individual computers or web services (limiting the number of times a user can enter an incorrect password before being locked out effectively protects against this), but in criminals acquiring databases of password hashes and using tools like this to decrypt them.
The National Institute on Standards and Technology Computer Security Resource Center recommended in 2006 that federal agencies cease using SHA1 and upgrade to SHA2, but it’s been argued that very short passwords encrypted in SHA2 would be just as vulnerable to brute force attacks as SHA1.
Photo by Anonymous