Cracking Passwords in Clouds

I just read a HowTo on cracking passwords in Amazon EC2 with GPUs.  I’m astonished.

For those not in the know, cracking passwords has been going on for decades.  Common rationale is that if the “good guys” can figure out your password before the “bad guys” do, then the “good guys” can inform you so that you can change your password before the “bad guys” do something horrible in your name.  That’s the thinking, anyway, though many systems administrators and security professionals don’t regularly attempt to crack passwords of their users.  Why?  Too much effort for little reward.  They figure “if I have to go through all this trouble to get a password, then there aren’t many people out there that will do the same”.

That is when the level of effort involved outweighs the risk involved.

Good guys’ view:  If the amount of effort to protect something outweighs the risk, it slowly becomes an acceptable risk.  In other words, if you have to put up barriers, maintain the barriers, and remind people to not tear down the barriers, all to protect one person’s Social Security Number, you are less apt to do so because that SSN is probably discoverable by other means.  If the level of risk is greater than the amount of effort to protect it, then new security measures are put into place.  The trick, here, is determining the level of effort.

Bad guy’s view:  If the target is greater than the level of effort to obtain the target, attempt to obtain the target as long as this holds true.  As time passes, the level of effort increases, or the value of the target decreases.  Specifically, if the target is a password of an account at a bank, the amount of effort to obtain the password is about the same as obtaining a password from just about anywhere else.  The value of the bank password is great, however, as time passes the value goes down because the owner of the password might change the password, and the game begins again from the beginning.

Game changer:  GPU.  Graphics Processing Units.  The difference between a CPU and a GPU is enormous.  We’ve talked about this before.  If you missed it, a very good visual conception of the difference between CPU and GPU is here: [flash http://www.youtube.com/v/fKK933KK6Gg]

Enter password cracking.  Historically, it was done on CPUs.

Password guessing applications attempt guess after guess.  1AAAAA, 2AAAAA, 3AAAAA  in what we call “brute force” attempts.  Another approach is to attempt guesses with the use of a dictionary.  Apple, Aardvark, AppleArdvark, ArdvarkApple, and so on until all the words in the dictionary were spent.  Keep in mind, here, that each change in letter represents a completely new attempt at the password.  A group of fast CPUs can crack a “weak” password in just under a few hours.  One CPU can obtain an obvious password in just a few minutes — but then, if it were obvious, you wouldn’t need a CPU to obtain it.  A good, or strong, password can take weeks or even months — if it is able at all.  The historical thinking was that the more CPUs you dedicated to the task, the faster you could crack the password, depending on how strong of a password and the type of algorithm was used to protect it.

It has recently become much easier.  For both the good guys and the bad guys.  Amazon EC2 is able to leverage GPUs very cheaply.  The level of effort to obtain passwords has hit rock bottom.  Your passwords need to be much stronger now.

Follow the link to learn how it was possible to crack multiple (weak) SHA1 passwords in under an hour using Amazon EC2 with CUDA. (For the cost of a few bucks and a few hours preparation.)  As a comparison, it would typically take an average desktop at least a day to accomplish similar results.