
Cracking Passwords In The Cloud: Getting The Facts Straight

My last article about the benchmark on the new GPU Cluster instances in the Amazon cloud had a large impact: Some magazines claimed that:
"A German hacker claims to have used cloud computing to crack passwords stored in an algorithm that was developed by the NSA."

Well, at this point I have to get some facts straight. What I did was benchmark the speed of the new instance type for cracking SHA1 hashes. My first result was that it takes 49 minutes to run a brute-force attack over the 95 printable ASCII characters at a length of 6 against a list of 14 hashes. What is new is that, thanks to the new Amazon offering, everyone is able to spawn a cluster of 100 or more nodes in the cloud and distribute the task of cracking passwords across them. Cracking hashes in particular is perfectly suited to massive parallelization: every candidate password can be tested independently of all the others, so doubling the number of nodes roughly halves the time. An attacker could spawn a gigantic cluster using stolen credit card details, and cracking 8-character passwords would then be no problem in a reasonable time frame.

The reason I said that SHA1 is deprecated for storing passwords is easy to explain: SHA1 was never designed for storing passwords. SHA1 is a cryptographic hash function; it was made for verifying the integrity of data. It was designed to be as fast and as collision-resistant as possible, and that is exactly the problem when it is used for passwords: it is too fast. Note that this has nothing to do with SHA1's collision resistance being weak; an attacker cracking passwords only needs to compute hashes quickly, not to find collisions. Computers keep getting faster, so brute forcing gets cheaper every year, and the new cloud offerings make parallelizing such tasks easy and affordable. Instead of plain hash functions, one should use password-based key derivation functions like PBKDF2 or scrypt. PBKDF2 iterates the underlying hash many thousands of times over the password and a per-user salt, and scrypt additionally requires a large amount of memory per guess, so each attempt costs the attacker far more while a single legitimate login stays cheap. The iteration count is a tunable parameter and should be raised as hardware gets faster.
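To make both points concrete, here is an added example (it is not code from the original article or from the benchmark it describes) that puts the 49-minute figure into a cost estimate and contrasts raw SHA1 storage with PBKDF2. The effective guess rate is derived from the article's own numbers (95^6 candidates in 49 minutes); the iteration count of 100,000, the assumption that cluster throughput scales linearly with node count, and the rough approximation that one PBKDF2 iteration costs about as much as one raw hash are all assumptions of this example, not figures from the article.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---- The weak scheme the article warns about: one raw, unsalted SHA1 per password ----

def sha1_store(password: str) -> str:
    """Store a password as a bare SHA1 hex digest (weak: fast, unsalted)."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(sha1_store(password), stored)


# ---- The slow scheme: PBKDF2-HMAC-SHA256 with a random per-user salt ----

PBKDF2_ITERATIONS = 100_000  # assumed example value; tune to your own login-latency budget


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>'. Storing the
    iteration count alongside the hash lets it be raised later without breaking
    existing records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unknown scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# ---- Back-of-envelope attack cost, anchored on the article's benchmark ----

CHARSET = 95            # printable ASCII
BENCH_LENGTH = 6        # the article's benchmark ran length-6 candidates...
BENCH_SECONDS = 49 * 60 # ...in 49 minutes on one GPU instance


def keyspace(charset: int, length: int) -> int:
    return charset ** length


def guesses_per_second(charset: int = CHARSET, length: int = BENCH_LENGTH,
                       seconds: float = BENCH_SECONDS) -> float:
    """Effective candidates per second for one node, derived from the benchmark."""
    return keyspace(charset, length) / seconds


def brute_force_seconds(length: int, nodes: int = 1, iterations: int = 1,
                        rate: Optional[float] = None) -> float:
    """Worst-case time to exhaust the keyspace. Assumptions (this example's, not
    the article's): throughput scales linearly with node count, and each KDF
    iteration costs about one raw hash, which favours the attacker."""
    rate = guesses_per_second() if rate is None else rate
    return keyspace(CHARSET, length) * iterations / (rate * nodes)


if __name__ == "__main__":
    day = 86_400
    print(f"one node, SHA1, 8 chars:        {brute_force_seconds(8) / day:8.1f} days")
    print(f"100 nodes, SHA1, 8 chars:       {brute_force_seconds(8, nodes=100) / day:8.1f} days")
    print(f"100 nodes, PBKDF2 x{PBKDF2_ITERATIONS}, 8 chars: "
          f"{brute_force_seconds(8, nodes=100, iterations=PBKDF2_ITERATIONS) / (365 * day):8.0f} years")
    record = pbkdf2_store("correct horse battery staple")
    print(record, pbkdf2_verify("correct horse battery staple", record))
```

Run stand-alone, the script shows the order-of-magnitude shift: the 8-character keyspace that takes one node about ten months and a 100-node cluster about three days under raw SHA1 takes that same cluster on the order of centuries once every guess costs 100,000 iterations, and the salt stops one cracking run from being reused against every user at once.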

I hope that this article helps some people understand the real impact of using the cloud for cracking passwords.