Amazon EC2 harnessed for password cracking
A German security enthusiast has gone ahead and done what many have been warning about for a while now: he used a cloud-based computing resource to crack a password protected with the SHA-1 hashing algorithm. Rather than splurging on and then setting up a bank of powerful servers, Thomas Roth decided to rely on Amazon's Elastic Compute Cloud (EC2) service instead, specifically the new Cluster GPU Instance server that we reported on last week.
Brute force was applied to crack a 160-bit SHA-1 hash of a password six letters long, completing the job in just 49 minutes, or about $2 payable to Amazon. Of course, SHA-1 is already in the process of being phased out, though it is still widely used in protocols such as S/MIME and SSL. Roth says he used the computing time to generate a rainbow table that can be used to quickly match against the hashes for short passwords.
While the situation appears alarming at first glance, an increase of a single character in the password would have jacked up the cost of cracking it exponentially, to the tune of about $160. Then again, it would probably not be beneath a cybercriminal to fund that amount (or more) via a stolen credit card number, and spin up 10 machines simultaneously for the express purpose of cracking passwords.
For more on this story:
- check out this article at ITnews
- check out this article at The Register
- check out this article at Computerworld