reseize logo;

Who is what? What is where? Where am I? Are you there?

You have hit the other collection, a newslog designed for the curious.

Reseize Mobile Version
Reseize iPhone Version

Search Roland's sites:

This page is optimized for Firefox and Opera browsers and a display resolution of 1280x1024 pixels or higher.

Previous Posts

Discover, listen,
enjoy & download
music on Trax4u.
Free music for free people.

Participate at Reseize?!

Enter your Email

Link to Podcast (RSS feed) for this blog               Subscribe in a reader

Hot links

  • Trax4u - Free music for free people
    • HyperwordsNetvibesGDocs&Spreadsheets;
  • Bubbleshare
  • 30 Boxes
  • Lifehacker
  • PBXes (the ultimate VOIP-PBX)
  • YubNub

    • Interesting Links

  • Videolan
  • Open Office
  • Mozilla
  • Hazard Cards
  • kei-koo
  • Techcrunch Blog
  • The best Web 2.0 software
  • Clipmarks
  • MyLinkvault Bookmarking
  • The grand old dame of social tags ;-)
  • Google Blog

    • Music Links

  • Trax4u - Free music for free people
    • Radi8 at Garageband
  • Terminator Ted at Garageband
  • Coralie at Garageband
  • Radi8 at CD Baby

    • VOIP Links

  • OpenWengo
  • VOIP Now
  • VOIP News
  • VOIP Preview.org
  • VOIP User.org
  • Skype
  • Google Talk

    • about certificates & web of trust

  • Free CA - by Barmala
  • Web Of Trust auch auf Deutsch
  • The Minstrel web of trust
  • Thawte Web Of Trust
  • 10 Punkte Web Of Trust Notar

    • Fun & Lifestyle Links

  • Boing Boing
  • Engadget
  • Basenotes
  • Rolli Site

    • Enter a long URL to make tiny:

    Friday, November 23, 2007

    Crack Passwords with Google

    A clever bloke into security research at the University of Cambridge computer lab wrote in his bog last Friday that he's discovered Google works as a password MD5 hash cracker.
    Someone had hacked into his bogsite a few weeks ago and created a user account. After he quickly disabled the rogue account, Steven J. Murdoch did some forensics work -- he's doing academic security research, remember -- and thought to figure out the attacker's password. Since his bogsite uses Wordpress, which stores passwords as unsalted MD5 hashes in its user database, he tried a dictionary attack. That didn't find any match, even with numbers added to the ends of words. He then used a Russian dictionary, because shell code that had been installed by the attacker had Russian in the comments. No word matchup there, either. Murdoch writes that he could have found or written a better password cracker. He could have varied the case of letters, added symbols to the mix, or used common substitutions of numbers for letters, but he didn't want to spend more time. Instead, he turned to Google.
    He plugged the raw MD5 hash of the attacker's password into a Google search and, voila, Google found him some matches. One was a geneology page for people with the surname of "Anthony" and another was a real estate advertisement placed by a guy named "Anthony". Murdoch writes, "And indeed, the MD5 hash of 'Anthony' was the database entry for the attacker. I had discovered his password." In both cases, the target hash was embedded within a URL. It seems MD5 hashes are often used to index webpages, with the input to the MD5 algorithm being the webpage's name.
    He concludes, "Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best -- storing large databases and searching them. I doubt, however, that they envisaged this use though." So don't go typing your passwords into pages that get posted on the worldwide interwibble.
    This was seized 4 u at The Inquirer
    tags: ,,,,

    Labels:

    posted by Roland at 11/23/2007 05:40:00 PM | links to this post | 0 comments | Listen to this article Listen to this article

    Comments on "Crack Passwords with Google"

     

    post a comment

    Links to "Crack Passwords with Google"

    Create a Link