Wednesday December 3, 2008 2:17 AM AEST

SC Magazine Australia/NZ > News > Access Control > Password Manager > Google used as password cracker

Vulnerability Alerts

SANS

Microsoft

MS07-068 - Critical: Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275) - Version:2.3
MS07-005: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723) - Version:2.0

CERT/CC

Latest Comments

"I feel it with you guys. These irritating interruptions on privacy MUST be stopped. It is a ..."

on Yahoo and Microsoft take aim at lottery scams

by Jan Wilmans | Dec 2, 2008 7:11 PM

"My AVG WILL NOT UPDATE"

on AVG update deletes critical Windows file

by James Downs | Dec 2, 2008 5:58 AM

"Concerned man's comments seem to intimate that if I'm using agents all will be well but the ..."

on Shavlik Technologies to broaden its patch management offerings

by Werner K | Nov 26, 2008 8:36 PM

"That will enhance Microsoft Office system, including SharePoint - good platform for enterprise ..."

on Companies have security to consider with in-the-cloud Office

by SGE | Nov 25, 2008 3:29 PM

"how many users allow per session? because the digital persona password manager allows only 10 ..."

on DigitalPersona Pro Workstation/Pro Server

by Daniel | Nov 25, 2008 12:14 AM

Password Manager

Google used as password cracker

By Clement James
Nov 26, 2007 9:45 AM
Tags: Google | used | as | password | cracker

Steven Murdoch, a security researcher who runs the Light Blue Touchpaper blog, discovered that an intruder had broken into his website and created an administrator account in the Wordpress blogging software installed on the server.

While carrying out computer forensics to discover the extent of the damage, Murdoch became interested in learning the hacker's Wordpress password.

As Wordpress passwords are MD5 hashed and stored in the user database, Murdoch wrote a script which hashed all words in the English dictionary to find a match.

When this failed Murdoch switched to a Russian dictionary, as comments in that language were discovered in the new code installed on the server. This did not work either, so he turned to Google.

Murdoch inputted the MD5 password hash into Google and got several hits with one thing in common: the name 'Anthony'. Sure enough, 'Anthony' was the password.

"Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before," said Murdoch.

"Google is doing what it does best: storing large databases and searching them. I doubt, however, that they envisaged this use."

Ads by Google

Thoughts on this article? Add a comment below.

Be the first to comment on this article.

Report this comment as offensive:

* Indicates information we require to process your submission.

Name: *
Email: *
Reason for offense: *
Your report will not be displayed.

Name:

Email:

(will not be displayed)

Comment:

(HTML not permitted)

Validation

Enter the code you see below:

Most Read
Most Discussed
Latest News

Access Control Whitepapers

Google used as password cracker

Sponsored Links

SC MAGAZINE SITEMAP

CATEGORIES

News

Alerts

Products

Stats

Blogs

Photo Galleries

Whitepapers

Events

Jobs

Downloads

Vulnerabilities & Exploits

Breaches & Exposures

Messaging

Mobile

Access Control

Biometrics & Forensics

Legal

Risk Management

Job Centre

Patch Management