Using Google To Crack MD5 Passwords 232
stern writes "A security researcher at Cambridge was trying to figure out the password used by somebody who had hacked his Web site. He tried running a dictionary through the encryption hash function; no dice. Then he pasted the hacker's encrypted password into Google, and voila — there was his answer. Conclusion? Use no password that any other human being has ever used, or is ever likely to use, for any purpose. I think."
In itself nothing new (Score:5, Insightful)
I am already doing this for telephone calls I cannot place. If it's an institution or a person that is calling because of profession, the chances that the telephone is listed somewhere on a (search engine) accessible web page is *very* large.
Re:Salt (Score:3, Insightful)
Re:In itself nothing new (Score:3, Insightful)
Re:Salt (Score:5, Insightful)
This is why my passwords are themselves salted hashes. The likelihood of someone else using my passwords is the same as a regular hash collision, I get to use a separate password for each place one is required, and the hashing mechanism and salt are simple enough for me to keep in my head. End result: infinite number of easily generatable and retrievable passwords that look just like a hashed password when decoded.
Re:Salt (Score:5, Insightful)
Precomupted dictionaries? Salting breaks it.
Brute force and compare against the whole pw list? Salting breaks it.
Salting is your friend. Long salts don't cost much, but make many attacks completely infeasible. Unix has been using salted passwords since forever. Yet nthash *still* doesn't include a salt.
Re:Salt (Score:3, Insightful)
Re:I wouldn't be too alarmed. (Score:3, Insightful)
When I moved to a CMS we went to hashed passwords.
Boy is it a pain. Nobody understands that even I can not look at their passwords. Yes a salted hash is the correct and secure way to do things... But it can be a pain in the rear.
How about "don't use your first name As your PW"? (Score:4, Insightful)
Keep in mind that this was a hash of a userid (not a password) that was captured in a google index, and it's highly unlikely that someone will choose a userid on a google-indexed site that just-so-happens to be your 10+ character password that has mixed-case and special characters. I think the same "good password advice" still applies, even in a google-world.
Re:MD5 Lookup Site & Names (Score:5, Insightful)
I doubt Bruce Schneier himself audited the entire Movable Type codebase, which he uses for his blog. Does that make Schneier "not much of a security researcher"?
Re:french bitch (Score:4, Insightful)
No worse than Subversion (Score:4, Insightful)
Do not *EVER* allow a Subversion system to use the same passwords as the user system, and if you have access to the user's accounts, run a check of their stored Subversion passwords to make sure they didn't use their same password somewhere else as for their local user account.
Re:Salt (Score:3, Insightful)
Re:Salt (Score:2, Insightful)
on salted hashes... (Score:1, Insightful)
On a related side not you'd be amazed at the number of developer that have no fscking clue about how public key cryptosystems works.