Cracking Passwords With Amazon EC2 GPU Instances
suraj.sun writes "As of Nov. 15, 2010, Amazon EC2 is providing what they call 'Cluster GPU Instances': An instance in the Amazon cloud that provides you with the power of two NVIDIA Tesla 'Fermi' M2050 GPUs... Using the CUDA-Multiforce, I was able to crack all hashes from this file with a password length from 1-6 in only 49 Minutes (1 hour costs $2.10 by the way.). This is just another demonstration of the weakness of SHA1 — you really don't want to use it anymore."
Re:Dictionary attack doesn't show any weakness (Score:5, Funny)
No it doesn't show anything. Your "attack" would only have been marginally slower with SHA-2, because SHA-2 is a bit slower than SHA-1. You didn't exploit any weakness of SHA-1 in this brute-force attack.
He exploited the "is fast to calculate" weakness.
Clearly, we need hash functions which take long amounts of time to compute.
Re:Password length of 1-6 (Score:4, Funny)
Clarification from the story summary:
It's not one password, it's a file full of password hashes.
If it takes 49 minutes to crack a single password of six characters in length, you need to upgrade from the ZX81 you must be using.
Re:proper use of hashing algorithms (Score:1, Funny)
Where do you store the salt? In a column next to the hashed password?
I normally keep it in a shaker.
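The two points raised in the comments above, that a hash which is fast to calculate is the weakness for password storage and that the salt is stored next to the hash, shown as an added example that is not part of the original thread. The PBKDF2 iteration count, the record format and the 95-character alphabet are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not from the thread; tune per hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme under discussion: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slow, salted hash. The salt is not secret and is stored in the record."""
    salt = os.urandom(16)  # fresh per password, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, OverflowError):  # malformed record: fields, hex or cost
        return False
    return hmac.compare_digest(candidate, expected)


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print(unsalted_sha1("abc123") == unsalted_sha1("abc123"))  # identical rows
    a, b = hash_password("abc123"), hash_password("abc123")
    print(a != b, verify_password("abc123", a), verify_password("abc124", a))
    # Assumed alphabet of 95 printable ASCII characters, lengths 1-6.
    n = keyspace(95, 6)
    print(f"{n:,} candidates; the KDF adds {ITERATIONS:,} iterations per guess")
```

With unsalted SHA-1 every candidate is hashed once and compared against the whole file; with a per-password salt and an iterated KDF each candidate must be recomputed per record at the stored cost.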
Re:Yes, SHA1 security is questionable.. (Score:5, Funny)
3 :(
I'm not a good hashing function!