Using Amazon’s EC2 Service to Crack Passwords

Ask NVIDIA if its graphics cards can do more than just handle the latest games at the best detail settings, and I’m sure it could go on for days about all of the advantages GPGPU technology offers anyone that has one of its graphics cards. Up to this point, though, consumers still don’t seem to have been bitten by the GPGPU bug, but there are many other industries where it’s been a life-saver.

For those in the fields of medicine, oil, energy and so forth, the hugely parallel nature of GPUs can sometimes make them more important than CPUs to a lot of companies. In fact, three of the top five supercomputers in the world harness the power of GPGPUs. Another interesting field is security, and thanks to GPGPU technologies, we’re in a time where algorithms need to be made even stronger thanks to the fact that anyone can literally equip themselves with a “home supercomputer” nowadays.

Even if not, it’s been proven by Thomas Roth, an enthusiast hacker, that for a little bit of money, there exists a good way to crack passwords. You don’t even need to have a great PC to do it. Why? We have Amazon to thank, because with its EC2 service offering access to a powerful Tesla machine for a mere $2.10 an hour, anyone who needs a password cracked in good time can do so for not much money.

In Mr. Roth’s tests, he cracked fourteen SHA-encrypted 6 character passwords in less than an hour, which in all intents and purposes is quite good. The Author states the characterset used and provides the hashes and makefiles for you to test it yourself should you wish.

In truth, cracking 6 character passwords isn’t a huge deal, but the fact that a large group of them could be cracked so quickly reaffirms the fact that you need to keep secure passwords. The longer and more complex they are, the harder they are to crack. Even adding a single special character to the beginning and end makes a major difference. If GPU password cracking is this fast now, just imagine it in the years ahead!

This just shows one more time that SHA1 for password hashing is deprecated – You really don’t want to use it anymore! Instead, use something like scrypt or PBKDF2! Just imagine a whole cluster of this machines (Which is now easy to do for anybody thanks to Amazon) cracking passwords for you, pretty comfortable :) Large scaling password cracking for everybody!