Hacker uses cloud computing to crack passwords

A German hacker claims to have used cloud computing to crack passwords stored in an algorithm that was developed by the NSA.Hacker Thomas Roth announced on Tuesday that he has used one of Amazon Web Service's Cluster GPU Instances to crack the passwords encrypted in a Secure Hashing Algorithm (SHA1) hash.

A German hacker claims to have used cloud computing to crack passwords stored in an algorithm that was developed by the NSA.

Hacker Thomas Roth announced on Tuesday that he has used one of Amazon Web Service's Cluster GPU Instances to crack the passwords encrypted in a Secure Hashing Algorithm (SHA1) hash.

"I think that cloud cracking can be useful in the future because of its massive parallel nature. You can start a 100 node cracking cluster with just a few clicks," Roth told ZDNet UK on Tuesday.

"GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes? Using the [Cuda-Multiforcer], I was able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)," Roth wrote on his blog.

A SHA1 hash is an encryption algorithm. SHA1 is vulnerable to a brute-force attack, which is the same technique as the Multiforcer that Roth employed. This is a technique where computers are used to repeatedly attempt to crack a password by successively trying varying combinations of numbers and digits.

The Cluster GPU Instance is built around two Nvidia Tesla Fermi-architecture GPUs. Tesla uses Cuda, an Nvidia-developed software interfacing architecture that allows code to be written for the Tesla GPU that ekes out maximum performance from the underlying hardware. Roth used a Cuda-specific script to increase the effectiveness of his hack, he wrote.

Roth told ZDNet UK that to be suitable for computation on Cuda, tasks must be able to be broken down into many smaller tasks that do not need to share data with each other and can run in parallel.

Since 2005, SHA1 has also been vulnerable to an attack that is 2,000 times as effective as a brute-force attack.

In May Verisign reported that botnets were available for hire for as little as $8.94 an hour to carry out cybercrimes.

Update

SHA1 is a hashing algorithm, not an encryption algorithm, as was first reported in this article. SHA1 generates a 160-bit hash of a message. Roth's cloud cracking experiment worked by working through all inputs to create the same output as the original SHA1 hash.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All