Cheap cloud computing allows the SHA1 code to be cracked in bulk, courtesy of Amazon Web Services'  Cluster GPU Instances.

Our recent news that Amazon EC2 could now provide a supercomputer on the cheap was quickly proved by Thomas Roth. He cracked 14 SHA1 hashes to recover the password (1-6 characters) in just 49 minutes i.e 3.5 minutes per password. . He also points out that one hour of EC2 GPU costs just over $2. Notice that only a single instance was used and so this doesn't represent a huge advance on what you can do with a desktop machine, but the solution scales easily to cracking passwords in bulk using multiple instances. The author even plans to create a preconfigured instance that can be launched to crack passwords of your choice.  The code cracker used can also work with MD5/4 and NTLM as well as SHA1.

Of course this means that SHA1, which is still widely used, isn't secure (and hasn't been for some time). The availability of an easy and cheap cloud cracking configuration extends this vulnerability to mass password recovery. SHA2 is more secure but who knows for how long. The point is that if you have the know-how you don't need to be a government agency to get the necessary hardware to do the job - GPUs in the cloud are waiting for you.

Other relevant articles:

Amazon extends options for high performance cloud computing

GPGPU optimisation

Graphics Accelerators

Free Amazon AWS

<ASIN:0596515812>

<ASIN:0321228324>

<ASIN:0321335597>

<ASIN:0321515269>

<ASIN:6130268661>

<ASIN:0131387685>