GPUs crack passwords in the cloud
With the help of Amazon's Elastic Compute Cloud (EC2) service and the recently introduced "Cluster GPU Instances" (Tesla M2050 GPU modules by NVIDIA), Cologne-based blogger Thomas Roth managed to crack a text file with 14 SHA1 hashes in 49 minutes by brute force. The passwords were 1 to 6 characters long. Roth describes the details in a post on his blog.
Amazon's EC2 allows anyone to hire computing capacity at short notice and small cost as an alternative to having to invest in hardware. In the blogger's configuration, an hour of computing time reportedly only cost just $2.10 (£1.31). Even before the GPU option was introduced, EC2 was already known as an efficient tool for password crackers.
While Roth's demonstration is impressive, his conclusion that SHA1 should no longer be used is debatable. For instance, the hacker only calculated relatively short passwords that aren't advisable for practical use. Every additional character exponentially increases the effort required to crack the hash. Experts generally advise that passwords should have a minimum length of 12 characters.