A clever bloke into security research at the University of Cambridge computer lab wrote in his bog last Friday that he's discovered Google works as a password MD5 hash cracker. Someone had hacked into his bogsite a few weeks ago and created a user account. After he quickly disabled the rogue account, Steven J. Murdoch did some forensics work -- he's doing academic security research, remember -- and thought to figure out the attacker's password.
Since his blogsite uses Wordpress, which stores passwords as unsalted MD5 hashes in its user database, he tried a dictionary attack. That didn't find any match, even with numbers added to the ends of words. He then used a Russian dictionary, because shell code that had been installed by the attacker had Russian in the comments. No word matchup there, either.
Murdoch writes that he could have found or written a better password cracker. He could have varied the case of letters, added symbols to the mix, or used common substitutions of numbers for letters, but he didn't want to spend more time. Instead, he turned to Google. He plugged the raw MD5 hash of the attacker's password into a Google search and, voila, Google found him some matches.
News source: The Inquirer
12 Comments - Add comment