A German hacker claims to have used cloud computing to crack passwords stored in an algorithm that was developed by the NSA.
Hacker Thomas Roth announced on Tuesday that he has used one of Amazon Web Service's Cluster GPU Instances to crack the passwords encrypted in a Secure Hashing Algorithm (SHA1) hash.
"I think that cloud cracking can be useful in the future because of its massive parallel nature. You can start a 100 node cracking cluster with just a few clicks," Roth told ZDNet UK on Tuesday.
"GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes? Using the [Cuda-Multiforcer], I was able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)," Roth wrote on his blog.
A SHA1 hash is an encryption algorithm. SHA1 is vulnerable to a brute-force attack, which is the same technique as the Multiforcer that Roth employed. This is a technique where computers are used to repeatedly attempt to crack a password by successively trying varying combinations of numbers and digits.
The Cluster GPU Instance is built around two Nvidia Tesla Fermi-architecture GPUs. Tesla uses Cuda, an Nvidia-developed software interfacing architecture that allows code to be written for the Tesla GPU that ekes out maximum performance from the underlying hardware. Roth used a Cuda-specific script to increase the effectiveness of his hack, he wrote.
Roth told ZDNet UK that to be suitable for computation on Cuda, tasks must be able to be broken down into many smaller tasks that do not need to share data with each other and can run in parallel.
Since 2005, SHA1 has also been vulnerable to an attack that is 2,000 times as effective as a brute-force attack.
In May Verisign reported that botnets were available for hire for as little as $8.94 an hour to carry out cybercrimes.
Update
SHA1 is a hashing algorithm, not an encryption algorithm, as was first reported in this article. SHA1 generates a 160-bit hash of a message. Roth's cloud cracking experiment worked by working through all inputs to create the same output as the original SHA1 hash.
Twitter 
Linkedin 
ZDNet UK App 
Facebook 
RSS Feeds 
Newsletters 
Talkback
This post has been removed by a moderator.
This post has been removed by a moderator.
Is this really a story? It might be if the speeds were closer to all 6 character combinations in less than a minute.
We have an automated service that does this with a single GPU in less than 70 minutes and when using 4 Nvidia 295GTX's we can crack every possible combination up to 6 characters in less than ten minutes using a single server. The service is QD Tools at http://tools.question-defense.com.
Our most used automated service is WPA cracking where we run an automated dictionary attack with a wordlist of close to a billion words in less than 4 hours. The success rate of returning password is 35%.
This post has been removed by a moderator.
@dakykilla thanks for your comment. We decided to highlight the story because we felt the use of a rentable AWS instance was novel, though we were aware that the methods of hack, target and speed were not revolutionary.
Breaking hashes by brute force or using rainbow tables isn't news, we've been doing it for years. Sure with a large enough network of machines with or without hardware accelerators you can reduce the time needed to break a hash but the time required increases exponentially with length and complexity. One misnomer in the article is that in fact SHA1 is a HASHing algorithm not an encryption algorithm. The former (hash) is a one-way conversion function, the latter is a reversible function. You cannot decrypt a hash, only find an equivalent input that generates the same hash output (a collision).
If people adopt best practice in regard to password length and complexity and rotate passwords on a regular basis then even if they crack a hash it will probably be invalid when tried. Unfortunately many implementations use weak passwords and so maybe brute forced in realistic time frames. The issues here are not technology or algorithms but the application of these by people. If you use weak passwords, irrespective of what algorithm is used to protect it, it can be brute forced with relative ease.
If you are using WPA/WPA2 in an enterprise situation then I would consider switching to another algorithm where the authentication is verified against a backend system such as radius.
Anyone using SHA-1 for passwords deserves to be cracked.
Who uses SHA-1 nowadays anyway apart from your typical muppet and clown society such as UK.
Oh, and by the way this german guy is not a hacker hes a scriptkiddie worthless cracker.