With the advent of GPU-based computing, and now commoditized/dedicated SHA256 processors, what risk does this hardware pose to cryptography?
What security algorithms should be closely watched or upgraded?
Such hardware may make life more difficult for people who rely on PBKDF2 for password hashing. Password hashing functions are intentionally slow -- slow for the honest server and for the attacker alike. We want it to be as slow as is tolerable for the server which uses it, so that it becomes (hopefully) intolerably slow for the attacker.
The defendant's advantage in the password hashing game is the password complexity. The defendant wants a function which can be used to verify one password at a time, whereas the attacker must try millions or billions of them.
The attacker's advantages are:
Specialized hardware which is good at SHA-256 is thus an advantage for the attacker, if the password hashing function uses SHA-256, of course. Some other password hashing functions (e.g. bcrypt and, even more so, scrypt) are more GPU-resilient and will offer a somewhat better protection, as long as nobody begins to mass-produce specialized bcrypt-cracking hardware, of course (e.g. the Virtex family of FPGA from Xilinx, which have embedded RAM blocks and can thus compute bcrypt quite efficiently). See this answer for a more detailed discussion.
Note that while SHA-256 specialized hardware makes it theoretically easier to attack SHA-256 upfront (building collisions, computing preimages...), the work factor for these attacks is still far away in the unfeasible zone. See this answer for some analysis.
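The answer above frames password hashing as a work-factor game: the server tunes PBKDF2 so that one verification stays tolerable while each attacker guess costs the same amount of work. The following is an added example (not code from the original post or from any library the post mentions) showing how a defender calibrates a PBKDF2-HMAC-SHA256 iteration count against a target verification time on their own hardware, and then how to express the resulting margin against an assumed attacker hash rate. The attacker rate and target time are illustrative assumptions, not figures from the page.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

HASH_NAME = "sha256"   # PBKDF2-HMAC-SHA256, the construction the answer discusses
DKLEN = 32             # derived key length in bytes


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Create a stored record: random per-user salt, iteration count, derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DKLEN)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), record["salt"], record["iterations"], DKLEN
    )
    return hmac.compare_digest(candidate, record["hash"])


def time_iterations(iterations: int) -> float:
    """Wall-clock seconds for one PBKDF2 derivation at `iterations` on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"calibration-probe", b"\x00" * 16, iterations, DKLEN)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds: float, probe_iterations: int = 20_000,
                         floor: int = 100_000) -> int:
    """Scale a probe run up to the iteration count that costs ~target_seconds per verify.

    `floor` is an assumed minimum so a fast or noisy probe never yields a weak setting.
    """
    elapsed = time_iterations(probe_iterations)
    if elapsed <= 0.0:
        return floor
    scaled = int(probe_iterations * target_seconds / elapsed)
    return max(floor, scaled)


def guesses_per_server_verify(server_seconds_per_verify: float,
                              attacker_pbkdf2_guesses_per_second: float) -> float:
    """Attacker guesses completed in the time the honest server spends on one verification.

    The attacker figure is an assumption supplied by the caller (e.g. a measured or
    published cracking-rig rate), not a value from the page.
    """
    return server_seconds_per_verify * attacker_pbkdf2_guesses_per_second


if __name__ == "__main__":
    iters = calibrate_iterations(target_seconds=0.1)          # assumed 100 ms budget
    rec = hash_password("correct horse battery staple", iters)
    print("iterations:", iters, "verify ok:", verify_password("correct horse battery staple", rec))
    # Illustrative assumption: an attacker rig doing 5,000 PBKDF2 guesses/s at this count.
    print("attacker guesses per server verify:", guesses_per_server_verify(0.1, 5_000))
```

Recalibrate whenever the server hardware changes: the iteration count is stored per record, so old hashes keep verifying and can be re-hashed to the new count at the user's next successful login.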
This lowers the time-cost tradeoff for brute-forcing short passwords. I think this means you need to recalculate the cost to brute-force your settings. If the assets you are protecting are worth more than the cost to brute-force your current settings, you need to add more iterations, password complexity, or minimum length requirements.
How much does it cost to brute-force all 6-8 digit passwords in under 2 weeks? This definitely changes the economics and should affect how you protect your assets unless you already have a lot of margin.
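The answer above asks the right question but leaves the arithmetic to the reader. Here is an added example (not from the original post) that does that arithmetic from the defender's side: size of the 6-8 character keyspace for a given alphabet, how long an assumed raw hash rate takes to exhaust it once PBKDF2 iterations are factored in, and the iteration count needed so that exhausting the space takes longer than a chosen deadline such as the two weeks the post mentions. The hash rates are placeholders supplied by the caller; the only modelling assumption is that one PBKDF2 guess costs about `iterations` underlying hash computations.

```python
import math

# Alphabet sizes for the three common password shapes (constructed constants).
DIGITS = 10
LOWER_ALNUM = 36
MIXED_ALNUM = 62
TWO_WEEKS_S = 14 * 24 * 3600


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over the alphabet."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def effective_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """PBKDF2 guesses per second, assuming one guess ~ `iterations` raw hash calls."""
    return raw_hashes_per_second / iterations


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the space at the given guess rate."""
    return space / guesses_per_second


def devices_for_deadline(space: int, guesses_per_second_per_device: float,
                         deadline_s: int) -> int:
    """How many identical devices an attacker needs to exhaust the space by the deadline."""
    return math.ceil(space / (guesses_per_second_per_device * deadline_s))


def iterations_for_deadline(space: int, raw_hashes_per_second: int, deadline_s: int) -> int:
    """Smallest iteration count such that one device cannot exhaust `space` within deadline_s.

    Derived from: space / (raw_rate / iterations) >= deadline  =>  iterations >= deadline*raw_rate/space.
    Integer ceiling division avoids floating-point rounding.
    """
    numerator = deadline_s * raw_hashes_per_second
    return -(-numerator // space)


def report(charset_size: int, raw_hashes_per_second: int, iterations: int) -> dict:
    """Bundle the figures a defender wants when re-evaluating their PBKDF2 settings."""
    space = keyspace(charset_size, 6, 8)
    rate = effective_guess_rate(raw_hashes_per_second, iterations)
    return {
        "keyspace_6_to_8": space,
        "effective_guesses_per_second": rate,
        "seconds_to_exhaust": seconds_to_exhaust(space, rate),
        "devices_for_two_weeks": devices_for_deadline(space, rate, TWO_WEEKS_S),
        "iterations_to_hold_two_weeks": iterations_for_deadline(space, raw_hashes_per_second, TWO_WEEKS_S),
    }


if __name__ == "__main__":
    # Placeholder attacker capability: 1e9 raw SHA-256/s on one device (assumption, not a measurement).
    for name, size in (("digits", DIGITS), ("lower+digits", LOWER_ALNUM), ("mixed alnum", MIXED_ALNUM)):
        r = report(size, 1_000_000_000, 100_000)
        print(f"{name:13s} keyspace={r['keyspace_6_to_8']:.3e} "
              f"exhaust={r['seconds_to_exhaust']/86400:.2f} days "
              f"devices(2w)={r['devices_for_two_weeks']} "
              f"iters(2w)={r['iterations_to_hold_two_weeks']}")
```

Running the report for the three alphabets makes the post's point concrete: the iteration count alone cannot rescue an all-digit 6-8 character policy against a fast device, whereas widening the alphabet or raising the minimum length grows the keyspace multiplicatively and is where most of the margin comes from.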