SHA-1 crypto protocol cracked using Amazon cloud computing resources

Thomas Roth, a German IT security researcher, says that he used one of Amazon Web Services' cluster GPU instances to crack passwords hashed with SHA-1.

Writing in his Stacksmashing.net blog, Roth said that he used an instance in the Amazon cloud that provides users with the power of two NVIDIA Tesla Fermi M2050 GPUs, with a specification that includes 22 gigabytes of RAM, 1.69 terabytes of storage and a 64-bit platform, to execute the code.

"GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA-1 hashes?", he said.

The fact that the crack took all of 49 minutes shows that SHA-1 is deprecated for password hashing, he added: "you really don't want to use it anymore."

"Instead, use something like scrypt or PBKDF2! Just imagine a whole cluster of these machines (which is now easy to do for anybody thanks to Amazon) cracking passwords for you, pretty comfortable", he said.
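The move away from SHA-1 that Roth recommends, as an added example that is not code from Roth's post or from this article: it verifies a login against either a legacy unsalted SHA-1 record or a salted PBKDF2 record, and re-hashes with PBKDF2 on a successful login. The record format, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware
PREFIX = "pbkdf2_sha256"  # hypothetical record tag, not a standard format
# Constructed sample of a legacy record: bare, unsalted SHA-1 hex digest.
SAMPLE_LEGACY = hashlib.sha1(b"Tr0ub4dor&3").hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>' with a fresh salt."""
    salt = os.urandom(16)  # per-user salt defeats precomputed tables
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${key.hex()}"


def _check_pbkdf2(password: str, record: str) -> bool:
    try:
        _, iters, salt_hex, key_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:  # malformed record: fail closed
        return False
    return hmac.compare_digest(key, stored)  # constant-time comparison


def _is_legacy_sha1(record: str) -> bool:
    return len(record) == 40 and all(c in "0123456789abcdef" for c in record.lower())


def verify_and_upgrade(password: str, record: str, iterations: int = ITERATIONS):
    """Check a login. Returns (ok, new_record); store new_record when it is not None."""
    if record.startswith(PREFIX + "$"):
        ok = _check_pbkdf2(password, record)
        # Re-hash if the stored work factor is below the current target.
        stale = ok and int(record.split("$")[1]) < iterations
        return ok, (hash_password(password, iterations) if stale else None)
    if _is_legacy_sha1(record):
        digest = hashlib.sha1(password.encode()).hexdigest()
        ok = hmac.compare_digest(digest, record.lower())
        # The plaintext is only available at login, so upgrade now and drop the SHA-1.
        return ok, (hash_password(password, iterations) if ok else None)
    return False, None  # unknown format: fail closed
```

Accounts that never log in again keep their SHA-1 record under this scheme, so a migration also needs a cut-off after which remaining legacy records are invalidated and reset.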

Commenting on Roth's discovery, Chris Burchett, CTO and co-founder of Credant Technologies, said that the fact that Roth tapped a pay-as-you-use, cloud-computing-based parallel processing environment is very worrying.

This is, he said, one of the first times that an SHA-1 encrypted password has been cracked using rentable cloud-based computation.

"It's worrying because, as Thomas Roth says, it's easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe", he said.

"Although renting processing time on a cloud resource like Amazon Web Services could get relatively expensive at this level, there is the added dimension of cybercriminals using stolen payment card credentials to fund their cloud cracking escapades, which means they will not be bothered about the cost involved", he added.

Burchett went on to say that the incident has parallels with other online password and hash cracking websites, including the disclosure almost 12 months ago by security researcher Moxie Marlinspike that he had created an online WiFi password cracking service called, appropriately enough, WPAcracker.com.

As reported by Infosecurity at the time, some experts were calling Marlinspike's service a cloud-based resource, but, says Burchett, whilst the $17.00-a-time service can reportedly crack a WiFi password in around 20 minutes - a process that would take a dual-core PC around 120 hours - it is a highly specific cracking application with relatively finite processing power.

Credant's CTO argues that using Amazon Web Services to crack a 160-bit SHA-1-hashed password extends the hacker ballgame into a whole new cloud computing dimension, since it allows hackers to run custom cracking code that would normally take several months on a multi-core supercomputer – a platform that cybercriminals would not normally have access to.

Roth's exploit, says Burchett, is significant, as up until now, we've been in the realm of more limited-use crack sites, but the concern is that the practically limitless compute resources available in the cloud at relatively low cost can make attacks that were previously proof of concept an everyday reality.

"You can be sure that cybercriminals will be passing reports of Roth’s exploits on to their black hat hackers and asking them to repeat the methodology in other applications", he said.

"It has to be remembered that SHA-1, although it is being phased out, still forms part of several widely-deployed security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols to mention but a few", he added.

"At the moment, we are talking about a limited application, but it doesn't take a genius to work out the ramifications of Mr Roth's research project."
