GPU based hash cracking and distributed cracking

DarkStar02

Anyone know much about it? How secure are our passwords, really? I mean people have huge farms of computers mining bitcoins that could easily be turned into massive password and hash cracking servers with ocl hashcat. Internet security wave coming soon?
 
I was pondering what bitcoin clients were calculating and in the back of my mind..... password hashes :)
 
As far as GPU based cracking goes, take a look at BarsWF. Been around for a while, and this is what those guys used originally to crack a WPA2 hash on their home computer with a C2Q and a few GTX 260s (previously thought impossible on a home system).

For distributed cracking I don't know of any clients like the bitcoin or F@H client that would allow you to donate time to a distributed cluster for hash cracking. My guess is that it hasn't been done because it wouldn't be efficient in terms of time to return passwords to clients. On the flip side there have been many distributed rainbow table projects (many of which I have been a part of) to generate massive rainbow tables for sites.

Before building our own little cracking server for work we used to subscribe to a few websites where we would submit a hash and they would then put it through their own cluster and spit out the password (usually same day, and this is different from say md5lookup.com because if you look up a hash there for free and they don't have it, they just tell you they don't have it; the services we subscribed to would start cracking your hash if it weren't in their DB).
 
Your passwords are not secure unless >10 chars with full alphanumeric and special characters.
Finding a 6 character dictionary based word like:

apples

is the simplest thing in the world and HUGGGGE dictionaries exist.

Essentially - don't make your password an actual word - leet-speak it:

9pp!3Z is much more secure. Note the use of upper and lowercase and numbers, and a special character in there.

When it comes to WEP - don't use it and don't consider anything going over a WEP network secure. Always use your own tunnel or at least https. WEP is quite broken. Never use a free, unencrypted wifi. You don't know who is listening.

WPA and WPA2 are vulnerable to the same as above - it took me roughly 24 hours of monitoring and 5 hours of bruting/dictionary to get the average WPA2 key in my neighborhood. My mom's took me 38 seconds. (It was the name of a kind of duck, all lowercase)

I've heard of instances in the Amazon cluster that can be bought in slices for this purpose (password hashes).

The real problem in the coming months is that your mobile apps handle most data in a fairly insecure way. i.e. Dropbox hash is good anywhere for like 4 hours - so if you send over a free airport wifi, someone can sniff it and get in for a little while. (Just an example, I am not sure if they've hemmed this up or not)
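A password-audit check for the dictionary and leet-speak advice in the post above, as an added example that is not part of the original thread: it undoes common leet substitutions before the dictionary lookup and reports the brute-force keyspace in bits. The wordlist and substitution table are small constructed samples, and the function names are hypothetical.

```python
import itertools
import math
import string

# Constructed sample wordlist; a real audit would load a large dictionary.
WORDLIST = {"apples", "mallard", "password", "dragon"}

# Assumed, non-exhaustive table: character -> letters it commonly stands for.
LEET = {"9": "ag", "4": "a", "@": "a", "3": "e", "!": "il", "1": "il",
        "0": "o", "5": "s", "$": "s", "7": "t", "z": "s"}


def matched_word(password, wordlist=WORDLIST):
    """Return the dictionary word the password reduces to, or None.

    Each character may stand for itself or for any letter in LEET, so every
    combination is tried. The search grows with length; cap it in production.
    """
    options = [sorted(set(LEET.get(ch, "")) | {ch}) for ch in password.lower()]
    for combo in itertools.product(*options):
        word = "".join(combo)
        if word in wordlist:
            return word
    return None


def brute_force_bits(password):
    """Keyspace in bits if an attacker must enumerate the character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def audit(password):
    """Combine both checks; a dictionary match outweighs the keyspace figure."""
    return {"dictionary_word": matched_word(password),
            "bits": round(brute_force_bits(password), 1)}


if __name__ == "__main__":
    for candidate in ("apples", "9pp!3Z", "kV7#qT2m@xL"):
        print(candidate, audit(candidate))
```

The keyspace figure only applies when `dictionary_word` is `None`; a password that reduces to a wordlist entry falls to a rule-based dictionary run regardless of its character classes.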
 