Google can crack passwords

A clever bloke into security research at the University of Cambridge computer lab wrote in his bog last Friday that he's discovered Google works as a password MD5 hash cracker. Someone had hacked into his bogsite a few weeks ago and created a user account. After he quickly disabled the rogue account, Steven J. Murdoch did some forensics work -- he's doing academic security research, remember -- and thought to figure out the attacker's password.

Since his blogsite uses Wordpress, which stores passwords as unsalted MD5 hashes in its user database, he tried a dictionary attack. That didn't find any match, even with numbers added to the ends of words. He then used a Russian dictionary, because shell code that had been installed by the attacker had Russian in the comments. No word matchup there, either.

Murdoch writes that he could have found or written a better password cracker. He could have varied the case of letters, added symbols to the mix, or used common substitutions of numbers for letters, but he didn't want to spend more time. Instead, he turned to Google. He plugged the raw MD5 hash of the attacker's password into a Google search and, voila, Google found him some matches.

News source: The Inquirer

Report a problem with article
Previous Story

Top 10 worst IT disasters of all time

Next Story

Review: Firefox 3 Beta Answers Some Questions, Raises Others

12 Comments

Commenting is disabled on this article.

the bottom line is... his password was 'anthony' , and that was enough to throw off a dictionary attack? both in english AND russian?

It does not matter what encryption scheme you use... if you create an online database with a whole lot of words and the corresponding hash, then anybody can search the database for the original password.

What you need is some SALT to create UNIQUE hashes for each website !!!

This has been a very useful feature when trying to find the identity of an unknown Linux .iso image. Get the md5sum of the image, then plug it into Google, and it will tell you what distro/version/architecture it is.

Interesting, but some years ago I found a site that had a big dictionary with thousands of words and their corresponding MD5 hash, you could search for a hash there to see the corresponding word too.

Also, it's already been said that MD5 is no longer 100% secure, people should probably use SHA-1 instead.

seems like we have learned few things today... A new word bog. And how to find md5 hashes with google. Once again Google and The Inquirer saving the day

A clever bloke into security research at the University of Cambridge computer lab wrote in his bog last Friday

It's been regarded for what, 3-4 years now?longer?, that an unsalted MD5 encrypted password is no security at all, all the google search found was a rainbow tables host.

The article doesn't prove anything about google, it just proves how insecure and badly written WordPress is.

I just thought it was where he did his thinking:

A clever bloke into security research at the University of Cambridge computer lab wrote in his bog last Friday

Wow... it doesn't take much to be called a clever 'security researcher' these days. Surely most people already knew this?