[caops-wg] Hacker Cracks Secure Hashing Algorithm Using Amazon Cloud -- Security -- InformationWeek

Jens Jensen j.jensen.ral at googlemail.com
Mon Nov 22 11:44:12 CST 2010


This article is very entertaining but the title is misleading.
Firstly, the "hacker" did not crack SHA1; they just brute-forced short
passwords that happened to be encrypted with SHA1. Allegedly the chap
is a security researcher, but he still manages to say that "SHA1 for
password hashing is deprecated" - regardless of the algorithm used,
breaking passwords of length 1-6 is not even remotely impressive.

The security aspect being discussed is really iterating the algorithm
to make it more computationally expensive, and hence harder to brute
force. But this will always be a race against faster resources.

What is more interesting is the question not being discussed - how do
you discover whether someone is cracking passwords on your cluster? I
mean, if he goes and buys commercial clouds, that's his business, but
if I provide IaaS for someone to do, say, protein folding, how do I
know that they don't go and crack passwords on the machines? Answers
on a postcard, please.

Regards
--jens


On 22 November 2010 02:14, Alan Sill <Alan.Sill at ttu.edu> wrote:
> Thought you would be interested in the following link.
>
> Topic:
> Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.
>
> Link:
> http://www.informationweek.com/news/security/NAC/showArticle.jhtml?articleID=228300239
>
> Alan
>
> --
>  caops-wg mailing list
>  caops-wg at ogf.org
>  http://www.ogf.org/mailman/listinfo/caops-wg
>
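
An added example, not part of the original message: the iteration trade-off Jens describes, using PBKDF2-HMAC-SHA1 from Python's standard library as one iterated construction. The 95-character alphabet, the attacker rate and the one-year target are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

def keyspace(alphabet_size, max_len):
    """Number of candidate passwords of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def hash_password(password, iterations, salt=None):
    """Return (salt, iterations, derived key) for storage."""
    if salt is None:
        salt = os.urandom(16)  # per-password salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk

def verify_password(password, salt, iterations, expected):
    """Recompute with the stored parameters; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)

def exhaust_seconds(alphabet_size, max_len, iterations, attacker_rate):
    """Time to try every candidate; attacker_rate is iterations per second."""
    return keyspace(alphabet_size, max_len) * iterations / attacker_rate

def iterations_for_target(alphabet_size, max_len, attacker_rate, target_seconds):
    """Smallest iteration count that keeps a full search above target_seconds."""
    work = target_seconds * attacker_rate
    return -(-work // keyspace(alphabet_size, max_len))  # integer ceiling

if __name__ == "__main__":
    RATE = 10**9              # assumed attacker speed, iterations per second
    YEAR = 365 * 24 * 3600    # assumed target: one year to exhaust the space
    print("1 iteration, length 1-6: %.0f s" % exhaust_seconds(95, 6, 1, RATE))
    # The "race against faster resources": every doubling of attacker speed
    # doubles the iteration count needed to hold the same target.
    for rate in (RATE, 2 * RATE, 4 * RATE):
        n = iterations_for_target(95, 6, rate, YEAR)
        print("rate %.0e/s -> %d iterations" % (rate, n))
    salt, n, dk = hash_password("abc123", 10000)
    print("verify ok:", verify_password("abc123", salt, n, dk))
```
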
