Roth's post quickly garnered press, as reporters prematurely leapt from SHA1 hash cracking to WPA Pre-Shared Key (PSK) cracking:
While there is some relationship - WPA PTKs are derived from PMKs thru repeated SHA1 hashing - there's a huge leap between what Roth benchmarked and brute-forcing a WPA PSK. Applying cloud computing to WPA PSK dictionary attacks isn't new - see this forum's post Strengthening WPA2-PSK Defenses for several commercial examples:
Those who enjoy cryptanalysis may also want to read this thesis entitled "WPA password cracking: Parallel Processing on the Cell BE" -
In response to over-stated news, Roth quickly posted this clarification:
What I did was benchmarking the speed of the new instance type for cracking SHA1 hashes. My first result was that it takes 49 minutes to do a 95 characters, 6 digit long brute force attack on a list of 14 hashes. The thing that was new is that, due to the new Amazon offering, everyone is able to spawn a 100 or mode node cluster in the cloud and distribute the task of cracking passwords onto these nodes. Especially cracking hashes is perfectly suitable for massive parallelization!
Roth said that he intended this benchmark to illustrate why Key Derivation Functions like PBKDF2 should be used instead of hash algorithms like SHA1. Doing so would make brute force cracking far more difficult and thus more resistant to the benefits of cloud computing.
Wi-Fi bottom line:
WPA PSK weaknesses are already well-known and existing cloud-based WPA PSK crackers can be readily deterred by using long complex passphrases. Roth's research is a good demonstration that such crackers will continue to grow faster and more commercially-viable. Even so, it's not clear that we're close to being able to crack long complex WPA PSKs yet. See this Wi-Fi Net News post for a brief explanation: