Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security Businesses Google The Internet

Using Google To Crack MD5 Passwords 232

Posted by kdawson from the secrets-shared-with-the-world dept.
stern writes "A security researcher at Cambridge was trying to figure out the password used by somebody who had hacked his Web site. He tried running a dictionary through the encryption hash function; no dice. Then he pasted the hacker's encrypted password into Google, and voila — there was his answer. Conclusion? Use no password that any other human being has ever used, or is ever likely to use, for any purpose. I think."
This discussion has been archived. No new comments can be posted.

Using Google To Crack MD5 Passwords More

Using Google To Crack MD5 Passwords

Comments Filter:

  • Re:Salt (Score:4, Interesting)

    by Anonymous Coward on Tuesday November 20, 2007 @05:31PM (#21426917)

    No, the conclusion is you should always use salted hashes.
    I agree, but this isn't something the user can do. I can't register for a site and say, "I need to remember to use salt!" The site has to implement it and implement it correctly.

    The guy posting was posting from the perspective of the user, not the author of the system. The conclusion from the summary is still accurate since you can't make the assumption that salt is always used. The next best defense is a crazy fucking password.

  • Re:I wouldn't be too alarmed. (Score:5, Interesting)

    by cstdenis ( 1118589 ) on Tuesday November 20, 2007 @05:48PM (#21427209)
    You do realize that most businesses (and therefore most websites you have accounts on) just store passwords plain text because it's easier to do tech support that way. Salted hashes are better than unsalted hashes, but most don't bother hashing at all.

  • Re:I wouldn't be too alarmed. (Score:5, Interesting)

    by nuzak ( 959558 ) on Tuesday November 20, 2007 @05:48PM (#21427211) Journal
    That Wordpress uses unsalted MD5 sums to store passwords boggles my mind. It shows that the developers know even less about cryptography than I do. That's scary.

    Oh it's even better than that. It stores your md5 password in a plain text cookie, and if it receives such a cookie, sets an $already_md5 flag to true that's then passed to wp_login() which then just compares it literally against the unsalted md5 entry.

    <guinness>Brilliant!</guinness>

  • on a related note... (Score:5, Interesting)

    by sootman ( 158191 ) on Tuesday November 20, 2007 @06:07PM (#21427473) Homepage Journal
    ... I wish Google would collect/show/use checksums of files in search results. It would be a great way to find identical files.* Thousands of uses:
    • I found this file on my computer and I forgot where it came from.
    • I downloaded this file but I forget where I got it. It's too big to email so I would like to send a friend a link to the original file.
    • I want to see if anyone has taken this pic from my site and posted it elsewhere.
    • This download is taking FOREVER. Is anyone else hosting this exact file?
    and many, many more. I had this idea years ago and sent it in to them but haven't heard anything since. I don't want any credit**, just implement it and let me know when it's up and running! And the funny thing is, I'm sure Google is already checksumming every file as part of how they do all their magic. All they have to do is post the data!

    * and, since collisions are possible, it would provide a nice corpus to study collisions, etc. in the real world.

    ** this isn't an entirely original idea. Linux distros have been posting checksums for years as a way to let users verify that their downloads were not corrupted; as a bonus, I (and I'm sure some others) have done searches of those values to find sites hosting that particular release.

  • Re:Salt (Score:3, Interesting)

    by nighty5 ( 615965 ) on Tuesday November 20, 2007 @07:37PM (#21428645)
    You're implying that salting on UNIX makes attacking the hash infeasible, this is simply not true.

    There are only 4096 different combinations in the salting algorithm in crypt() will use which a brute forcer can easily iterate. [regardless of encryption technique md5 or des]

    Salting a known algorithm is almost pointless because as I just described salted passwords can be just as easily defeated if you know the mechanism, this is why NT doesn't include salt. Also salt was used on UNIX only because when shadow passwords didn't exist the system had to be protected against users that had the same password and could easily read the password file to compare.

  • new worm spreading (Score:2, Interesting)

    by ThinkOfaNumber ( 836424 ) on Tuesday November 20, 2007 @08:26PM (#21429227)
    Google is now shutting down servers and re-routing as they try and halt the spread of the newly-detected worm that tries to do a DOS on google, by making affected machines do a google search with random strings that look like 0cfa9f600839f57e90e5559b8ee54864

    But seriously, as fun as it is to look up all your hashed responses on google, I'm going back to por... work :)

    You might also want to check out http://utilitymill.com/utility/Goog_Your_Hash [utilitymill.com] to see if your password is 'safe'.

  • Re:I wouldn't be too alarmed. (Score:1, Interesting)

    by Anonymous Coward on Wednesday November 21, 2007 @03:14AM (#21432209)
    Yeah, but I'd expect a "security" blog to know better [slashdot.org]. WordPress's list of vulnerabilities [secunia.com] is way too long and is often held up as an example of insecure PHP code [blogsecurity.net]. The whole thing is deeply flawed.

Slashdot Top Deals

Stellar rays prove fibbing never pays. Embezzlement is another matter.

Close