This article is very entertaining but the title is misleading. Firstly, the "hacker" did not crack SHA1; they just brute-forced short passwords that happened to be encrypted with SHA1. Allegedly the chap is a security researcher, but he still manages to say that "SHA1 for password hashing is deprecated" - regardless of the algorithm used, breaking passwords of length 1-6 is not even remotely impressive.

The security aspect being discussed is really iterating the algorithm to make it more computationally expensive, and hence harder to brute force. But this will always be a race against faster resources.

What is more interesting is the question not being discussed - how do you discover whether someone is cracking passwords on your cluster? I mean, if he goes and buys commercial clouds, that's his business, but if I provide IaaS for someone to do, say, protein folding, how do I know that they don't go and crack passwords on the machines? Answers on a postcard, please.

Regards
--jens

On 22 November 2010 02:14, Alan Sill <Alan.Sill@ttu.edu> wrote:
Thought you would be interested in the following link.
Topic: Using EC2's cluster GPU power, security researcher spent only $2.10 to decrypt 14 SHA1 passwords in under an hour; other experts aren't concerned.
Link: http://www.informationweek.com/news/security/NAC/showArticle.jhtml?articleID...
Alan
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
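The point Jens raises about iterating the algorithm is key stretching, and it can be shown with the same SHA1 primitive the article's targets used. The following is an added example, not code from the thread, the article, or the OGF list: it stores a password with one unsalted SHA1 pass (the weak scheme), then with salted PBKDF2-HMAC-SHA1 from Python's standard library, and works out how the per-guess cost and the time to exhaust a short lowercase keyspace scale with the iteration count. The sample password, the 100,000-iteration work factor and the "26 lowercase letters, length 1 to 6" keyspace are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample input: a short, weak password of the kind the article's
# brute-force run recovered (an assumption, not a value from the article).
SAMPLE_PASSWORD = "abc123"
LOWERCASE = 26  # alphabet size assumed for the keyspace arithmetic below


def plain_sha1(password: str) -> str:
    """One unsalted SHA1 pass: the storage scheme the cracked passwords used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Same SHA1 primitive, but salted and iterated via PBKDF2-HMAC-SHA1.

    Each verification, and therefore each attacker guess, now costs
    `iterations` HMAC computations instead of one.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Store salt, iteration count and digest together, so the work factor
    can be raised later (re-hash on the next successful login) without a
    flag day for every account."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "digest": stretched_hash(password, salt, iterations),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute under the stored parameters and compare in constant time."""
    candidate = stretched_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def keyspace_size(alphabet: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def exhaust_seconds(keyspace: int, plain_guesses_per_sec: float, iterations: int) -> float:
    """Time to try every candidate, given a measured rate for single-pass SHA1.

    Iterating multiplies the attacker's cost linearly: the primitive is
    unchanged, the race Jens describes is simply made `iterations` times longer.
    """
    return keyspace * iterations / plain_guesses_per_sec


def measure_rate(func, *args, seconds: float = 0.2) -> float:
    """Rough calls-per-second for `func(*args)` on this machine (demo only)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        func(*args)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    record = make_record(SAMPLE_PASSWORD, iterations=100_000)
    assert verify(SAMPLE_PASSWORD, record) and not verify("abc124", record)

    space = keyspace_size(LOWERCASE, 6)
    plain_rate = measure_rate(plain_sha1, SAMPLE_PASSWORD)
    stretched_rate = measure_rate(stretched_hash, SAMPLE_PASSWORD, record["salt"], 100_000)
    print(f"lowercase 1..6 keyspace: {space:,} candidates")
    print(f"single SHA1 on this CPU: {plain_rate:,.0f} guesses/s "
          f"-> exhaust in ~{exhaust_seconds(space, plain_rate, 1) / 60:.1f} min")
    print(f"PBKDF2 x100k on this CPU: {stretched_rate:,.1f} guesses/s "
          f"-> exhaust in ~{exhaust_seconds(space, plain_rate, 100_000) / 86400:.0f} days")
```

The rates printed are for a single interpreter thread, so they understate what a GPU cluster manages, but the ratio is what matters: the stretched scheme costs the attacker exactly as many extra hash computations per guess as it costs the server per login, and the stored iteration count lets that multiplier be raised as the "faster resources" Jens mentions arrive.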