Cracking Passwords With Amazon EC2 GPU Instances
suraj.sun writes "As of Nov. 15, 2010, Amazon EC2 is providing what they call 'Cluster GPU Instances': An instance in the Amazon cloud that provides you with the power of two NVIDIA Tesla 'Fermi' M2050 GPUs... Using the CUDA-Multiforce, I was able to crack all hashes from this file with a password length from 1-6 in only 49 Minutes (1 hour costs $2.10 by the way.). This is just another demonstration of the weakness of SHA1 — you really don't want to use it anymore."
SHA1 deprecated? (Score:2, Interesting)
This just shows one more time that SHA1 is deprecated — You really don't want to use it anymore
Or you could, you know, use a salt (like any competent password system). And require eight-character passwords (like any competent password system). That will stave off obsolescence for maybe another decade.
Re:Yes, SHA1 security is questionable.. (Score:3, Interesting)
While this article really has nothing to do with the security of SHA-1, SHA-1 does have weaknesses that should make anybody think twice before using it.
And I really hate it when people say "Oh, well, it isn't good for this, but how about this?! I mean, we can't toss out a perfectly good algorithm!". What possesses people to hang onto algorithms that are broken, for which there are essentially drop-in replacements that aren't?
Hash algorithms are really tricky to use correctly, and knowing when you can and can't use them when they have a specific weakness is not a trivial determination to make. And replacing the stupid thing is pretty simple. So just get over it already and drop the bad algorithm. How hard can it be?
Re:Yes, SHA1 security is questionable.. (Score:3, Interesting)
Are you so sure of that?
(it is actually replaced by a unicode character – ☺ to be exact.)
No, it shows that WEAK PASSWORDS are bad (Score:5, Interesting)
"Using the CUDA-Multiforce, I was able to crack all hashes from this file with a password length from 1-6 in only 49 Minutes..." [emphasis mine]
Sounds like someone missed the day they taught exponents in school.
Pretend he only tested 72 characters: a-z, A-Z, 0-9. Going from 6 to 8 characters would make this take 5,184x longer. (72x72). 49 minutes x 5184 = about SIX MONTHS.
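The arithmetic in the post above, as an added example that is not part of the original thread: it takes the post's 72-symbol alphabet and 49-minute figure as given (the charset size is a parameter, so 62 for a-z, A-Z, 0-9 alone or 95 for printable ASCII can be plugged in), computes the exact cumulative keyspace rather than the post's 72×72 shortcut, and backs out the hash rate that 49 minutes implies under the post's own assumption.

```python
# Added example (not from the thread): keyspace arithmetic behind the "exponents" post.
# The 72-symbol alphabet and the 49-minute run time come from the post; the
# implied hash rate is derived from them under the post's own assumption.

def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords of length min_len..max_len over a charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def extra_work_factor(charset_size: int, old_max_len: int, new_max_len: int,
                      min_len: int = 1) -> float:
    """How many times more candidates a longer maximum length adds.

    The post approximates this as charset_size ** (new - old); the exact ratio
    of the two cumulative keyspaces is almost identical because the longest
    length dominates the sum."""
    return (keyspace(charset_size, min_len, new_max_len)
            / keyspace(charset_size, min_len, old_max_len))


def implied_hash_rate(charset_size: int, max_len: int, seconds: int,
                      min_len: int = 1) -> int:
    """Hashes per second a run must have sustained to exhaust the keyspace in `seconds`."""
    return keyspace(charset_size, min_len, max_len) // seconds


def projected_minutes(observed_minutes: float, factor: float) -> float:
    """Scale an observed run time by the extra work factor."""
    return observed_minutes * factor


def minutes_to_months(minutes: float) -> float:
    """Rough conversion using 30-day months."""
    return minutes / (60 * 24 * 30)


if __name__ == "__main__":
    charset, observed = 72, 49.0            # the post's assumptions
    rate = implied_hash_rate(charset, 6, int(observed * 60))
    print(f"lengths 1-6 over {charset} symbols: {keyspace(charset, 1, 6):,} candidates,"
          f" about {rate:,} hashes/s if exhausted in {observed:g} min")
    for new_max in (8, 10, 12):
        factor = extra_work_factor(charset, 6, new_max)
        months = minutes_to_months(projected_minutes(observed, factor))
        print(f"max length {new_max}: {factor:,.0f}x the work, about {months:,.1f} months")
```

The 49 minutes × 5,184 in the post comes out to roughly 5.9 thirty-day months, which matches its "about six months"; the same function shows why a policy minimum (eight characters) matters far less than raising the hash cost per guess, since each extra character only multiplies the attacker's bill by the alphabet size.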
Why not a LAM/MPI - CUDA cloud cluster?? (Score:3, Interesting)
As part of my graduate studies, in Computer Science at Texas A&M University, I built out a LAM/MPI - CUDA cluster. With this configuration we had access to all the CPUs/GPUs on all the systems in the lab. Although it requires knowledge of both APIs it can be extremely powerful. I'd love to see a cloud based system based upon this configuration. Now that would be worth paying by the hour to use!!!
896 CUDA Cores (2 x NVIDIA Tesla C2050 (Fermi) cGPU) is nice but imagine the power of a data center filled with these!!!
Re:proper use of hashing algorithms (Score:4, Interesting)
While I concurred with your point somewhere else in this discussion (regarding the usage of salt), I wonder if there is any possibility that an attacker, having a sufficiently large corpus of your stored hashes, would be able to extrapolate what salt your application is using.
Re:Yes, SHA1 security is questionable.. (Score:1, Interesting)
...If a hash function produces an n-bit digest (output) for any given input then any input that is greater than n bits in length MUST produce a digest that collides with an input of n bits or less even though the inputs are dissimilar....
No, indeed. Unless there is a sufficiently narrow definition of "hash function", there is nothing preventing an input of <= n bits from having a collision with another input of <= n bits; which leaves open room for larger inputs.
Example: f(x) = (x^2) only responds with positive numbers in the output space and every output will have two possible inputs (collisions predictable), negative numbers could be used for larger inputs (obviously the overall algorithm cannot be defined by that one function alone...)
Re:Yes, SHA1 security is questionable.. (Score:2, Interesting)
As far as I can tell, salting only helps against rainbow table attacks. OP wasn't using those, he was computing the hashes (and thus finding collisions) using only the EC2 GPU instance. He was generating the tables themselves. Salt won't help you in that case. It just requires more compute power which has now become available thanks to the EC2 GPU instances that Amazon is offering.
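Added example, not from any commenter, covering the salt discussion in the two posts above (whether the salt can be inferred from a pile of hashes, and whether it helps against a GPU brute-force run at all). It builds a per-user salted, iterated store on Python's standard `hashlib.pbkdf2_hmac` and then counts the hash evaluations a guesser needs per candidate against a shared-salt store versus a per-user-salt store. User names, passwords and the 1000-iteration setting in the demo are constructed sample data; the 600,000 default is an assumed production-style work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example (not from the thread): a salted, iterated password store on
# hashlib.pbkdf2_hmac, plus a cost accountant showing what a per-user salt does
# and does not buy against a brute-force run. Sample users below are constructed.

# (salt, iterations, digest). The salt is stored in the clear next to the digest:
# it is not a secret, only a per-record uniquifier.
Record = Tuple[bytes, int, bytes]


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; `iterations` is the work factor that scales with hardware."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 600_000,
                salt: Optional[bytes] = None) -> Record:
    """Create a stored record. A fresh 16-byte random salt per user is the default;
    passing a fixed salt reproduces the 'shared salt' anti-pattern for comparison."""
    if salt is None:
        salt = os.urandom(16)
    return (salt, iterations, hash_password(password, salt, iterations))


def verify(password: str, record: Record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    return hmac.compare_digest(hash_password(password, salt, iterations), digest)


def hashes_per_candidate(store: Dict[str, Record]) -> int:
    """PBKDF2 evaluations needed to test ONE guess against every record.
    With one shared salt a single evaluation covers all users (the digest can be
    looked up against the whole file); with per-user salts each user costs one."""
    return len({(salt, iters) for salt, iters, _ in store.values()})


def guess_cost(store: Dict[str, Record], candidates: int) -> int:
    """Total inner HMAC-SHA256 computations to test `candidates` guesses against the store."""
    groups = {(salt, iters) for salt, iters, _ in store.values()}
    return candidates * sum(iters for _, iters in groups)


if __name__ == "__main__":
    users = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "letmein")]  # constructed
    shared = {u: make_record(p, iterations=1000, salt=b"\x00" * 16) for u, p in users}
    unique = {u: make_record(p, iterations=1000) for u, p in users}
    print("shared salt, same password -> same digest:", shared["alice"][2] == shared["bob"][2])
    print("per-user salt, same password -> same digest:", unique["alice"][2] == unique["bob"][2])
    for name, store in (("shared", shared), ("per-user", unique)):
        print(f"{name}: {hashes_per_candidate(store)} PBKDF2 run(s) per guess, "
              f"{guess_cost(store, 10**6):,} HMAC calls for a million guesses")
    print("verify alice/hunter2:", verify("hunter2", unique["alice"]))
```

Two things the numbers make concrete. First, the salt sits beside the digest, so whoever holds the hash file already holds the salts; a salt scheme that depends on the salt staying hidden is mis-designed, and what matters is that every record has a different one. Second, the commenter is right that a salt does nothing for a single targeted account: the guesser still walks the keyspace once. What it removes is amortisation, since a file of N salted records costs N separate walks instead of one, and the iteration count is the knob that makes each walk expensive enough to keep pace with GPU throughput.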