Using Google To Crack MD5 Passwords
stern writes "A security researcher at Cambridge was trying to figure out the password used by somebody who had hacked his Web site. He tried running a dictionary through the encryption hash function; no dice. Then he pasted the hacker's encrypted password into Google, and voila — there was his answer. Conclusion? Use no password that any other human being has ever used, or is ever likely to use, for any purpose. I think."
Re:Salt (Score:4, Interesting)
The guy posting was posting from the perspective of the user, not the author of the system. The conclusion from the summary is still accurate since you can't make the assumption that salt is always used. The next best defense is a crazy fucking password.
Re:I wouldn't be too alarmed. (Score:5, Interesting)
Oh it's even better than that. It stores your md5 password in a plain text cookie, and if it receives such a cookie, sets an $already_md5 flag to true that's then passed to wp_login() which then just compares it literally against the unsalted md5 entry.
<guinness>Brilliant!</guinness>
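The design described in the comment above, modelled as an added example (not WordPress code and not part of the original thread): when a cookie carrying the stored hash is compared literally, the hash itself works as the password, whereas a random server-side session token does not have that property. The function names, the sample account and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

PASSWORD = "correct horse"  # constructed sample password

# Design described in the comment: unsalted MD5 kept in the user table.
LEGACY_DB = {"alice": hashlib.md5(PASSWORD.encode()).hexdigest()}


def legacy_login(user, credential, already_md5=False):
    """Model of the described flow: a cookie value is trusted as 'already hashed'."""
    stored = LEGACY_DB.get(user)
    if stored is None:
        return False
    candidate = credential if already_md5 else hashlib.md5(credential.encode()).hexdigest()
    # Literal comparison: whoever holds the stored hash never needs the password.
    return candidate == stored


def _kdf(password, salt):
    # Salted, deliberately slow derivation (iteration count is an assumed value).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = os.urandom(16)
HARDENED_DB = {"alice": (_SALT, _kdf(PASSWORD, _SALT))}
SESSIONS = {}  # sha256(session token) -> user, held only on the server


def hardened_login(user, password):
    """Verify the password, then issue a random token unrelated to the stored hash."""
    record = HARDENED_DB.get(user)
    if record is None or not hmac.compare_digest(_kdf(password, record[0]), record[1]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).digest()] = user
    return token


def session_user(cookie_value):
    """Resolve a cookie to a user; only tokens issued by hardened_login match."""
    return SESSIONS.get(hashlib.sha256(cookie_value.encode()).digest())
```

In the hardened variant a copy of the user table yields neither a usable cookie nor a hash that a precomputed lookup would recognise.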
on a related note... (Score:5, Interesting)
* and, since collisions are possible, it would provide a nice corpus to study collisions, etc. in the real world.
** this isn't an entirely original idea. Linux distros have been posting checksums for years as a way to let users verify that their downloads were not corrupted; as a bonus, I (and I'm sure some others) have done searches of those values to find sites hosting that particular release.
Re:Salt (Score:3, Interesting)
There are only 4096 different combinations that the salting algorithm in crypt() will use, which a brute forcer can easily iterate. [regardless of encryption technique, md5 or des]
Salting a known algorithm is almost pointless because, as I just described, salted passwords can be just as easily defeated if you know the mechanism; this is why NT doesn't include salt. Also, salt was used on UNIX only because, when shadow passwords didn't exist, the system had to be protected against users that had the same password and could easily read the password file to compare.
new worm spreading (Score:2, Interesting)
But seriously, as fun as it is to look up all your hashed responses on google, I'm going back to por... work
You might also want to check out http://utilitymill.com/utility/Goog_Your_Hash [utilitymill.com] to see if your password is 'safe'.
Re:I wouldn't be too alarmed. (Score:1, Interesting)