A security enthusiast has leveraged the power of the recently released Amazon EC2 Cluster GPU Instances to crack fourteen SHA1 password hashes of various length in under 50 minutes.
It's a well known fact that modern Graphic Processing Units (GPUs) are better suited for brute force password cracking attacks than Central Processing Units (CPUs).
Commercial password recovery solutions that tap the power of GPUs have been available for a couple of years now.
The method itself became possible after manufacturers started releasing development kits which allowed for low-level GPUs access.
New cloud computing services like Amazon EC2, promise to make the use of state-of-the-art graphic processing units affordable for users.
The password cracking test was performed by a German security blogger named Thomas Roth on an Amazon EC2 instance powered by two Intel Xeon X5570 quad-core CPUs and two NVIDIA Tesla "Fermi" M2050 GPUs.
Roth fed a file of 14 SHA1 hashes corresponding to passwords of between 1 and 6 characters in length to an open source program called CUDA-Multiforcer running on an image of CentOS 5.5 provided by Amazon.
Most applications don't store passwords in plain test, but unique strings known as hashes, which are calculated using special cryptographic algorithms. Designed by the NSA in 1995, SHA1 is currently the most widely used secure hash function.
Brute force attacks can theoretically be used to recover passwords from hashes, but the time required to do so widely varies depending on the used algorithm and their complexity.
Unfortunately, according to a recent study
from BitDefender, one in four people use passwords that are only six-character long. Furthermore, 60 percent of them only use single-case letters.
Giving that one hour of Amazon EC2 Cluster GPU Instance use costs only 2.10$, the technology is a viable solution for hackers looking to crack stolen password hashes.