Google serves as MD5 password cracker
Cambridge University researcher Steven Murdoch successfully used Google to help crack a password used by an attacker who had hacked into his blog a few weeks ago and created a user account.
After he quickly disabled the account, Murdoch became curious to know what the hacker’s password might be. Since his website uses WordPress, which stores passwords as unsalted MD5 hashes in its user database, he wrote a script that hashed all words in both the English and Russian dictionaries to find a match. He had no luck, however, so he turned to Google.
He took the MD5 password hash from the database and pasted it into Google, which returned multiple sites featuring the word “Anthony”, the attacker's password. While this is certainly an interesting trick, Google’s usefulness as an MD5 cracker is fairly limited, since it only finds hashes of things that people have hashed before; hence the importance of using hard-to-guess passwords.
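The search works because an unsalted MD5 of a given password is the same string on every site that stores it. The following is an added example, not code from the article, Murdoch or WordPress: it audits a user table for bare MD5 values and replaces them with per-user salted records on login. The record format, the 600,000-iteration work factor, the function names and the sample table are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

BARE_MD5 = re.compile(r"^[0-9a-f]{32}$")   # 32 hex chars, no salt or scheme prefix
ITERATIONS = 600_000                       # assumed PBKDF2 work factor for this example

def md5_unsalted(password):
    """Legacy scheme from the article: hex MD5 of the password, nothing else."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt + slow KDF; the record format is this example's own."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())

def verify_salted(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit(rows):
    """Usernames whose stored value is a bare MD5 digest, i.e. searchable as-is."""
    return [user for user, stored in rows if BARE_MD5.match(stored)]

def upgrade_on_login(stored, password):
    """Return a salted record if `stored` is bare MD5 and the password matches."""
    if BARE_MD5.match(stored) and hmac.compare_digest(md5_unsalted(password), stored):
        return hash_salted(password)
    return None

# Constructed sample user table: (username, stored password value).
SAMPLE_ROWS = [
    ("intruder", md5_unsalted("Anthony")),   # the password named in the article
    ("editor", hash_salted("Anthony")),      # same password, salted record
]

if __name__ == "__main__":
    print("bare MD5 rows:", audit(SAMPLE_ROWS))
    # Unsalted: every site storing "Anthony" holds this exact string.
    print(md5_unsalted("Anthony") == SAMPLE_ROWS[0][1])
    # Salted: the same password hashed twice gives two different records.
    print(hash_salted("Anthony") != hash_salted("Anthony"))
```

A salted record contains a random value that exists only in that one database row, so no search index built from other sites' hashes can contain it.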
User Comments (2)
phantasm66 on November 23, 2007 1:01 PM:
"While this certainly is an interesting trick, Google’s usefulness as an MD5 cracker is fairly limited as it only finds hashes of things that people have hashed before, thus the importance of using hard to guess passwords."
But people DON'T use hard to guess passwords - they use crappy ones! I think this is a great hack. I love it.

phantasm66 on November 26, 2007 3:20 AM:
Hahahah it works! Go to http://pajhome.org.uk/crypt/md5/ Grab an MD5 of a common name, like Paul, David, Mike, etc. Put the result into Google and watch it find it!!



