Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Using Google To Crack MD5 Passwords

kdawson posted more than 6 years ago | from the secrets-shared-with-the-world dept.

Security 232

stern writes "A security researcher at Cambridge was trying to figure out the password used by somebody who had hacked his Web site. He tried running a dictionary through the encryption hash function; no dice. Then he pasted the hacker's encrypted password into Google, and voila — there was his answer. Conclusion? Use no password that any other human being has ever used, or is ever likely to use, for any purpose. I think."

cancel ×

232 comments

Sorry! There are no comments related to the filter you selected.

Salt (5, Informative)

porneL (674499) | more than 6 years ago | (#21426743)

No, the conclusion is you should always use salted hashes.

Re:Salt (4, Funny)

eln (21727) | more than 6 years ago | (#21426803)

I agree. Also, fry them in bacon fat and add pepper.

Re:Salt (5, Funny)

eldavojohn (898314) | more than 6 years ago | (#21427035)

And blackjack ... and hookers. In fact, forget the hashes!

RTFA (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#21427105)

The Article author talks about why this doesn't work if the password was salted (and that he's been trying to encourage the application authors to not use straight MD5s) and a number of other things that would make this moot.

Re:RTFA (5, Funny)

eln (21727) | more than 6 years ago | (#21427269)

You're correct. You have totally invalidated the points I brought up in my post. Good show.

Re:Salt (4, Interesting)

Anonymous Coward | more than 6 years ago | (#21426917)

No, the conclusion is you should always use salted hashes.
I agree, but this isn't something the user can do. I can't register for a site and say, "I need to remember to use salt!" The site has to implement it and implement it correctly.

The guy posting was posting from the perspective of the user, not the author of the system. The conclusion from the summary is still accurate since you can't make the assumption that salt is always used. The next best defense is a crazy fucking password.

Re:Salt (1)

Anonymous brave dude (950545) | more than 6 years ago | (#21427043)

this isn't something the user can do
That's not true. The user can generate a string with something like dd if=/dev/urandom bs=21 count=1|openssl base64 , store that string, and append it the the true password each time the log in. This has exactly the same results as the site correctly implementing salting.

Re:Salt (4, Funny)

SevenDigitUID (1104081) | more than 6 years ago | (#21427083)

That's not true. The user can generate a string with something like dd if=/dev/urandom bs=21 count=1|openssl base64 , store that string, and append it the the true password each time the log in. This has exactly the same results as the site correctly implementing salting.
So what you are saying is the best defense is to use a crazy fucking password?

Re:Salt (3, Insightful)

Anonymous brave dude (950545) | more than 6 years ago | (#21427253)

Use a crazy fucking password, but you don't have to remember all of it.

Re:Salt (2, Insightful)

repvik (96666) | more than 6 years ago | (#21427577)

If you don't have to remember part of it, why not make the whole password fucking crazy? Since you already have to cut'n'paste, why have a part of the password be easier than another?

Re:Salt (4, Informative)

Garridan (597129) | more than 6 years ago | (#21428197)

Because if somebody gets that file, they've got your password. This way, they'll have to hack your brain, as well as your computer, to get at your password.

Re:Salt (3, Informative)

networkBoy (774728) | more than 6 years ago | (#21427397)

Not entirely.
That adds a "local salt" but... courtesy of possible hash collisions there is another password that may work equally well.
by having the login function add the salt a straight rainbow lookup is defeated (unless you pre-computed a rainbow with the salt). As admin he could still enter the salted MD5, find a suitable password without salt, disable salting, get in enable salting, change the password. BUT a "normal" hacker without access to the DB tools and salting function of the app, but in possession of the hash table (and even the salt to some extent) would be defeated. if the attacker had the salt and hash table then with enough time the will break you login through rainbow tables, but not before.
-nB

Re:Salt (-1, Troll)

Anonymous brave dude (950545) | more than 6 years ago | (#21427963)

You are just plain wrong.

Re:Salt (4, Insightful)

Em Adespoton (792954) | more than 6 years ago | (#21427323)

agree, but this isn't something the user can do. I can't register for a site and say, "I need to remember to use salt!" The site has to implement it and implement it correctly.

The guy posting was posting from the perspective of the user, not the author of the system. The conclusion from the summary is still accurate since you can't make the assumption that salt is always used. The next best defense is a crazy fucking password.


This is why my passwords are themselves salted hashes. The likelihood of someone else using my passwords is the same as a regular hash collision, I get to use a separate password for each place one is required, and the hashing mechanism and salt are simple enough for me to keep in my head. End result: infinite number of easily generatable and retrievable passwords that look just like a hashed password when decoded.

Phsaw (1)

encoderer (1060616) | more than 6 years ago | (#21428123)

Pshaw!

This is why I all MY passwords are salted hashes that I then re-hash and re-salt. To Taste. ..Check and Mate.

Re:Salt (1)

MoFoQ (584566) | more than 6 years ago | (#21426999)

yea, hence even joomla added salting: http://www.joomla.org/content/view/3670/78/ [joomla.org]

shoot...I love a lil' salt and pepper with my steak.

Re:Salt (1)

SevenDigitUID (1104081) | more than 6 years ago | (#21427127)

No, the conclusion is not to use the same password on different sites. Never trust that the software package properly safeguards your password from the administrator. This may be poor crypto, but in many cases, software packages just don't bother to encrypt the password at all. I've seen several websites that store password in plaintext or rot13 (actually it was ROT3).

Alternative to salt (0)

Anonymous Coward | more than 6 years ago | (#21427143)

Actually an alternative to storing hashes of passwords altogether is Password-authenticated key agreement.

Stealing from wikipedia since this explains it better than I can:

"[a] method to amplify a shared password into a shared key, where the shared key may subsequently be used to provide a zero-knowledge password proof or other functions."

"ensuring that password verification data stolen from a server cannot be used by an attacker to masquerade as the client, unless the attacker first determines the password"

Actually zero knowledge proofs confuse me quite a bit.

Re:Salt (4, Insightful)

Sangui5 (12317) | more than 6 years ago | (#21427367)

Rainbow tables? Salting breaks it.
Precomupted dictionaries? Salting breaks it.
Brute force and compare against the whole pw list? Salting breaks it.

Salting is your friend. Long salts don't cost much, but make many attacks completely infeasible. Unix has been using salted passwords since forever. Yet nthash *still* doesn't include a salt.

Re:Salt (5, Funny)

Anonymous Coward | more than 6 years ago | (#21427743)

Ice building up on your sidewalk? Salting breaks it.

Re:Salt (4, Funny)

Jarjarthejedi (996957) | more than 6 years ago | (#21427871)

Pretzels missing that unique flail? Salting solves it!
Need something else to put on those fries? Salt it!
Need to make your friend's drink taste awful? Salt is the way to go.

(Somewhere along the line we left the analogy department :P)

How about "don't use your first name As your PW"? (3, Insightful)

nobodyman (90587) | more than 6 years ago | (#21428035)

No, the conclusion is you should always use salted hashes.
That's good advice for application developers, but the original post was offering advice to users. Still, even that is a bit of an overreaction. From TFA:

And indeed, the MD5 hash of "Anthony" was the database entry for the attacker. I had discovered his password.
Not to diminish this admin's accomplishment (it sounds like he's quite clever), but doesn't this boil down to "don't use your name as your password"? Or better yet, "don't use any proper name as a password".

Keep in mind that this was a hash of a userid (not a password) that was captured in a google index, and it's highly unlikely that someone will choose a userid on a google-indexed site that just-so-happens to be your 10+ character password that has mixed-case and special characters. I think the same "good password advice" still applies, even in a google-world.

Re:Salt (1)

Wrangler (219457) | more than 6 years ago | (#21428409)

Yes, be sure to cut and paste your password hash from your account on your server at your IP address into Google so that Google will have it indexed by the time I search for it. That is, of course, unless Google (or whoever figures out how to MOM/PHISH the Google site first) stores that combination of password hash (almost certainly brute forced by now), userid, and IP address in their burgeoning catalog of "systems that are owned thanks to stupid user tricks published in /."

Passing out passwords, in any format, is D-U-M dumb!

=:^)

Salty (0)

Anonymous Coward | more than 6 years ago | (#21426763)

Repeat after me: I will salt all my MD5 passwords.

MD5 Lookup Site & Names (5, Informative)

eldavojohn (898314) | more than 6 years ago | (#21426767)

For those of you who missed it in the article, the has was:

20f1aeb7819d7858684c898d1e98c1bb
And sure enough, if you read the comments to the blog, there is a site called http://md5.rednoize.com/ [rednoize.com] that reveals that the hash is "Anthony." So although Google helped, there appears to be resources online for it (if you don't have your own Rainbow Table mega database).

He could have discovered this if he had used a database complete with names, something I don't think would have been too difficult for him.

This Google search idea is kind of moot if the user uses some very basic password construction such as what I've commented on before [slashdot.org] . Also, as the blog mentions, this discussion is worthless if WordPress used salting [wikipedia.org] which is related to nonces used in security engineering [wikipedia.org] . I think that stuff has been around for, what about five years now? Wake up WordPress!

5 years? (4, Informative)

Junta (36770) | more than 6 years ago | (#21427019)

Try decades! The good old days of Unix even had salts (even if they were just two bytes)

Re:MD5 Lookup Site & Names (1)

HTH NE1 (675604) | more than 6 years ago | (#21427195)

Where was that site in 2002 when people were trying to hack the new TiVo backdoor code [slashdot.org] ?

Re:MD5 Lookup Site & Names (3, Funny)

PFAK (524350) | more than 6 years ago | (#21427291)

He can't be much of a "security researcher" if someone hacked his own website.

Re:MD5 Lookup Site & Names (1)

the_fat_kid (1094399) | more than 6 years ago | (#21427499)

Just because he "researches" something doesn't make him good at it.
If he claimed to be a "security expert" then he would be a liar.
as it is he is, at worst, a fool.

Re:MD5 Lookup Site & Names (0)

Anonymous Coward | more than 6 years ago | (#21427697)

The greatest security expert in the world couldn't create a useful (dynamic content) website which is provably unhackable. Only a website which is probably very hard to hack can be created.

If you think otherwise, I challenge you to prove it.

Re:MD5 Lookup Site & Names (1)

kbielefe (606566) | more than 6 years ago | (#21427997)

You could put all the security researchers in the world together and they still couldn't tell you all the vulnerabilities that exist in currently deployed software. Perfection is not required to be considered an expert. Now, if this had gone on for a long time, or happened repeatedly, you might have a point.

Re:MD5 Lookup Site & Names (5, Insightful)

Cairnarvon (901868) | more than 6 years ago | (#21428241)

He didn't write the WordPress software, and presumably doesn't have the time to audit every bit of code it uses.
I doubt Bruce Schneier himself audited the entire Movable Type codebase, which he uses for his blog. Does that make Schneier "not much of a security researcher"?

Re:MD5 Lookup Site & Names (2, Funny)

Anne_Nonymous (313852) | more than 6 years ago | (#21427719)

That's remarkably close to my password hash:

> Do0d+H!$p@SsW0rD!$t0ta1y$eCuRe

Re:MD5 Lookup Site & Names (2, Funny)

DaFallus (805248) | more than 6 years ago | (#21428033)

And sure enough, if you read the comments to the blog, there is a site called http://md5.rednoize.com/ [rednoize.com] that reveals that the hash is "Anthony." So although Google helped, there appears to be resources online for it (if you don't have your own Rainbow Table mega database).

Another reverse md5 hash lookup [benramsey.com]

I have to agree with everyone else so far, pass the Salt.

Re:MD5 Lookup Site & Names (5, Funny)

joNDoty (774185) | more than 6 years ago | (#21428091)

Crap. From their "about" page:

Additionaly everytime when you enter a non-md5 hash string into the search field, the md5 result for that search strings gets stored in our database for future use.
Thanks for warning me. I tested to see if my password was in there... it is now!!!

Re:MD5 Lookup Site & Names (1)

maxwell demon (590494) | more than 6 years ago | (#21428607)

Crap. From their "about" page:

Additionaly everytime when you enter a non-md5 hash string into the search field, the md5 result for that search strings gets stored in our database for future use.
Thanks for warning me. I tested to see if my password was in there... it is now!!!
Well, to type your password anywhere but on your password prompt is just plain silly. In addition to being stored there, it was also transmitted in plaintext over the net, nicely packaged with your IP ...

Re:MD5 Lookup Site & Names (1)

ajs (35943) | more than 6 years ago | (#21428515)

This Google search idea is kind of moot if the user uses some very basic password construction
Step 1: visit (site might be down... service provider issues, grrr)

Step 2: download the source code

Step 3: come up with a decent password pattern (e.g. x3-4/x3-4/*/* which means two pseudo-words and two of any characters arranged in any order).

Step 4: Run the program a few times and pick a password you'll remember.

Step 5: Profit?

Obligatory (5, Funny)

Anonymous Coward | more than 6 years ago | (#21426771)

In Soviet Amerika, MD5 passwords crack you.

Re:Obligatory (5, Funny)

CrazyJim1 (809850) | more than 6 years ago | (#21426947)

What about the flip side: Using Crack to Google MD5 passwords?

My uneducated respose would be: (4, Funny)

newr00tic (471568) | more than 6 years ago | (#21427335)

What about the flip side: Using Crack to Google MD5 passwords?
2343e9f361fea282776586d7056025db

Re:My uneducated respose would be: (1)

BigDogCH (760290) | more than 6 years ago | (#21427905)

2e10a3a8daa59d8980438b70402f69ae

Re:My uneducated respose would be: (1)

BigDogCH (760290) | more than 6 years ago | (#21427977)

whoops, posted the wrong hash, and clicked submit when task switching...
I was going to post what is probably the most common hash ever.....
5f4dcc3b5aa765d61d8327deb882cf99 = password

Re:My uneducated respose would be: (1)

socsoc (1116769) | more than 6 years ago | (#21427931)

haha I wish I had mod points, or I would...

Re:Obligatory (1)

Yubastard (989606) | more than 6 years ago | (#21428199)

now that's comedy! :D

Don't panic! (0)

Anonymous Coward | more than 6 years ago | (#21426777)

The password he searched for was 'Andrew', so it's not too surprising he found it in google. Any non-dictionary password should still be safe.

Re:Don't panic! (2, Informative)

roguetrick (1147853) | more than 6 years ago | (#21426961)

You never have used rainbow tables have you? You're in for a rude awakening.

I wouldn't be too alarmed. (5, Informative)

morgan_greywolf (835522) | more than 6 years ago | (#21426787)

Most MD5 password hashes, such as those used in *nix, are salted [wikipedia.org] , and hence secure from this sort of vulnerability. That Wordpress uses unsalted MD5 sums to store passwords boggles my mind. It shows that the developers know even less about cryptography than I do. That's scary.

Re:I wouldn't be too alarmed. (1)

betterunixthanunix (980855) | more than 6 years ago | (#21426991)

Or that they are not willing to use the provided password utilities in the HTTP standard. Digest passwords are, at the very least, salted. Oh well, I suppose that if it doesn't "look pretty" people will automatically reject it...

Re:I wouldn't be too alarmed. (5, Funny)

SevenDigitUID (1104081) | more than 6 years ago | (#21427169)

That is totally unfair to the wordpress developers. Just because they don't care doesn't mean they don't understand.

Re:I wouldn't be too alarmed. (5, Interesting)

cstdenis (1118589) | more than 6 years ago | (#21427209)

You do realize that most businesses (and therefore most websites you have accounts on) just store passwords plain text because it's easier to do tech support that way. Salted hashes are better than unsalted hashes, but most don't bother hashing at all.

Re:I wouldn't be too alarmed. (2, Insightful)

LWATCDR (28044) | more than 6 years ago | (#21427869)

I used to store user passwords in plain text on my website. Before anyone gets all bent. I assigned passwords to the users and didn't let them change them. They where AOL style passwords things like blue#guppy. Also there wasn't any personal info that mattered tied to the password. It was a small site and worked well. They couldn't use one password for this simple message base and there bank account, they couldn't use stupid passwords like their first name, and I could look them up if they forget or for testing.
When I moved to a CMS we went to hashed passwords.
Boy is it a pain. Nobody understands that even I can not look at their passwords. Yes a salted hash is the correct and secure way to do things... But it can be a pain in the rear.

Re:I wouldn't be too alarmed. (4, Interesting)

nuzak (959558) | more than 6 years ago | (#21427211)

That Wordpress uses unsalted MD5 sums to store passwords boggles my mind. It shows that the developers know even less about cryptography than I do. That's scary.

Oh it's even better than that. It stores your md5 password in a plain text cookie, and if it receives such a cookie, sets an $already_md5 flag to true that's then passed to wp_login() which then just compares it literally against the unsalted md5 entry.

<guinness>Brilliant!</guinness>

Re:I wouldn't be too alarmed. (2, Funny)

neoform (551705) | more than 6 years ago | (#21427285)

If you've ever used wordpress before and actually looked at the code, you'll know right away that wordpress inc. does not employ programmers.

Wouldn't a Strong Password prevent this as well? (1)

Bryansix (761547) | more than 6 years ago | (#21427353)

If you use letters, numbers and a symbol or two then it's not going to be in any database of MD5 hashes.

"Not quite right" to parent and grandparent (2, Informative)

abb3w (696381) | more than 6 years ago | (#21427681)

Admittedly, both salting and complex passwords increase the size of the database involved. However, there's no reason one couldn't generate those databases as well. In fact, one of the Google results is for an on-line Password hash database [64.233.169.104] . So, all a group of hackers has to do is put the thing online in some manner of distributed storage, and wait for Google to index all the pages for 'em.

Fortunately, the problem grows exponentially with the number of allowable characters. Unfortunately, so does Google's headaches. I suspect Google will take some "don't be evil" measures on this shortly, if only to keep their Data Storage department from needing to give Earth a second moon....

Re:Wouldn't a Strong Password prevent this as well (1)

Sancho (17056) | more than 6 years ago | (#21427965)

That's what you think. [rainbowcrack.com]

Dark Helmet (4, Funny)

Nate Fox (1271) | more than 6 years ago | (#21426813)

So the combination is 827ccb0eea8a706c4c34a16891f84e7b. (lifts mask) That's the stupidest combination I've ever heard in my life. That's the kinda thing an idiot would have on his luggage.

Re:Dark Helmet (1)

KingSkippus (799657) | more than 6 years ago | (#21427183)

For the record, this is much funnier than it's been given credit for so far...

3332e200d6810f65fe32abc8ab316732 (1)

newr00tic (471568) | more than 6 years ago | (#21427389)

For the record, this is much funnier than it's been given credit for so far...
0377f0418a4c9df3950729d4fef8c9e8

Re:just to extend the record.. (0)

Anonymous Coward | more than 6 years ago | (#21427497)

If you agree so heartily then why the hell did you encrypt your agreement?

97b5930495ceb44ee0503b7ea8eb7941 (0)

Anonymous Coward | more than 6 years ago | (#21427557)

Well, that's obvious: 97b5930495ceb44ee0503b7ea8eb7941

Re:Dark Helmet (1)

krazytekn0 (1069802) | more than 6 years ago | (#21428351)

Uh, nicely plagiarized [inertramblings.com]

Re:Dark Helmet (0)

Anonymous Coward | more than 6 years ago | (#21428575)

OK, your Geek Card is hearby revoked and your membership placed on hold indefinately pending a full investigation of your Geek credentials! Your sense of humor will be under review as well.

*mutters - geez .... can't even quote Space Balls ....*

Re:Dark Helmet from President Skroob (1)

soni.mathe (1154617) | more than 6 years ago | (#21428495)

827ccb0eea8a706c4c34a16891f84e7b. That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure! And change the combination on my luggage!

conclusion? (0, Redundant)

Sloppy (14984) | more than 6 years ago | (#21426965)

Conclusion? Use no password that any other human being has ever used, or is ever likely to use, for any purpose. I think.

Uh, I thought the conclusion (which the article acknowledges near the beginning as a "preclusion") is to salt before you apply your hash function.

Let me guess (5, Funny)

GroeFaZ (850443) | more than 6 years ago | (#21426973)

The password was hunter2? [bash.org]

Re:Let me guess (5, Funny)

omnipresentbob (858376) | more than 6 years ago | (#21427761)

What's with all the stars in your post?

Salt (0, Redundant)

Aram Fingal (576822) | more than 6 years ago | (#21426997)

This goes to show the importance of using the technique of adding salt values to passwords before hashing. Also, your salt value shouldn't be a common word ( or something which would make a common word or phrase in combination with something people are likely to use in a password).

In itself nothing new (4, Insightful)

owlstead (636356) | more than 6 years ago | (#21427063)

But if I ever need to run a hash against a password database, I'll remember this lesson and first perform a Google search. Saves a lot of time and CPU cycles.

I am already doing this for telephone calls I cannot place. If it's an institution or a person that is calling because of profession, the chances that the telephone is listed somewhere on a (search engine) accessible web page is *very* large.

Re:In itself nothing new (2, Insightful)

CastrTroy (595695) | more than 6 years ago | (#21427257)

I've also started doing this for telephone numbers. Any number I don't recognize, I let the answering machine deal with it. If they don't leave a message, their call isn't important. Also, if you look up the number, just to make sure you didn't miss anything, then you can often find complaint sites when the number belongs to a telemarketer. I think just about every number I've ever looked up that didn't leave a message was a telemarketer.

just look for "cf99" (2, Funny)

russ1337 (938915) | more than 6 years ago | (#21427145)

5f4dcc3b5aa765d61d8327deb882cf99 is the MD5 hash for 'password'.....

search enough systems and you're bound to see some doosh has used it.

french bitch (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#21427265)

I just hate douche bags who can't spell.

Re:french bitch (4, Insightful)

maxwell demon (590494) | more than 6 years ago | (#21428379)

I just hate douche bags who can't spell.
Spelling errors can make your password more secure!

Great job.. (1)

Shino (1136081) | more than 6 years ago | (#21427149)

John cracks the hash in 0s and that's even faster than google does.
Do I also get a slashdot story if I crack a SHA1 hash with google?

Re:Great job.. (1)

maxwell demon (590494) | more than 6 years ago | (#21428407)

Do I also get a slashdot story if I crack a SHA1 hash with google?

Probably not. But if you crack Google with a SHA1 hash, I'm sure you get one.

Found my password (1)

t0nyp40 (1191957) | more than 6 years ago | (#21427249)

Damn it found mine... 286755fad04869ca523320acce0dc6a4

Re:Found my password (0)

Anonymous Coward | more than 6 years ago | (#21427627)

Damn it found mine... 286755fad04869ca523320acce0dc6a4

Your password is "password\n"? How do you put in the newline at the password prompt?

Re:Found my password (1)

maxwell demon (590494) | more than 6 years ago | (#21428469)

I wonder which password leads to the md5 hash 09f911029d74e35bd84156c5635688c0 ...

Sorry... (1)

HappySmileMan (1088123) | more than 6 years ago | (#21427277)

But how is this surprising, I've done that many times, it's basically just a quicker way of searching milw0rm since it's likely that at some point every hash has been seen (and therefore cached) by google

milw0rm (0)

Anonymous Coward | more than 6 years ago | (#21427293)

hmm .. slashdoting the milcracker.. *cowers*

http://milw0rm.com/cracker/insert.php [milw0rm.com]

Also, it is indexed by google :-)
I guess the lesson is to search google first, and if it's not there, submit to the milcracker.

Been there. Done that. (3, Informative)

this great guy (922511) | more than 6 years ago | (#21427371)

I have personally been using Google this way for a while. This is the first thing I do when I encounter a passwd hash during a pentest. This is a technique that works very well especially for hashes produced by random apps that you have no idea what hashing algorithm they use. It works well not because the public passwd hash databases indexed by Google are large (they are not), but because they are very diverse, both in term of number of algorithms (MD5(), MD5(uppercase()), SHA1(), etc) and in terms of number of hash formats (hexadecimal value, decimal value, base64, etc).

And above all, it only takes 2 sec to perform the Google search.

Re:Been there. Done that. (1)

fo0bar (261207) | more than 6 years ago | (#21427625)

I have personally been using Google this way for a while. This is the first thing I do when I encounter a passwd hash during a pentest.


Do you then let your clients know that you've sent sensitive company information to a commercial third party using insecure channels?

Re:Been there. Done that. (1)

wurp (51446) | more than 6 years ago | (#21427793)

He just did.

on a related note... (4, Interesting)

sootman (158191) | more than 6 years ago | (#21427473)

... I wish Google would collect/show/use checksums of files in search results. It would be a great way to find identical files.* Thousands of uses:
  • I found this file on my computer and I forgot where it came from.
  • I downloaded this file but I forget where I got it. It's too big to email so I would like to send a friend a link to the original file.
  • I want to see if anyone has taken this pic from my site and posted it elsewhere.
  • This download is taking FOREVER. Is anyone else hosting this exact file?
and many, many more. I had this idea years ago and sent it in to them but haven't heard anything since. I don't want any credit**, just implement it and let me know when it's up and running! And the funny thing is, I'm sure Google is already checksumming every file as part of how they do all their magic. All they have to do is post the data!

* and, since collisions are possible, it would provide a nice corpus to study collisions, etc. in the real world.

** this isn't an entirely original idea. Linux distros have been posting checksums for years as a way to let users verify that their downloads were not corrupted; as a bonus, I (and I'm sure some others) have done searches of those values to find sites hosting that particular release.

Re:on a related note... (1)

DamnStupidElf (649844) | more than 6 years ago | (#21428271)

A similar idea is to use a hash tree (Merkle tree) and build a hash of small blocks of data. That way, you can see whether multiple files share common blocks of data and also automatically implement P2P or caches for transfers of large files with automatic hashing of the entire file (for ease of referencing) and individual blocks during a transfer. Gnutella uses Tiger trees for this, but it would be nice if there was an official standard URI format for hash trees so that Google and other search engines could index those as well.

Re:on a related note... (1)

J0nne (924579) | more than 6 years ago | (#21428449)

Every p2p network worth using can be used for this. You can even fix corrupt files this way, if you know the original hash and someone on the network has a copy of the file. Examples of this system are magnet links, ed2k links, metalinks and even torrents.

Re:on a related note... (0)

Anonymous Coward | more than 6 years ago | (#21428551)

mmmm bit torrent

Man, I need to change my password NOW. (4, Funny)

fo0bar (261207) | more than 6 years ago | (#21427527)

Results 1 - 10 of about 101,000 for d41d8cd98f00b204e9800998ecf8427e. (0.04 seconds)

09f911029d74e35bd84156c5635688c0 (1)

alx5000 (896642) | more than 6 years ago | (#21428013)

Mine beats yours 3:1

Google indexed already (1)

sledge_hmmer (1179603) | more than 6 years ago | (#21427639)

As I write this message, this story has been posted for only about an hour. However, a google search for the hash already throws up this article as the second link. Damn they index the web fast!

Google Hash (1)

timbrown (578202) | more than 6 years ago | (#21427785)

I know of efforts in this regard that date back 3 years or so, although I'm not aware of whether these projects are still online. There are some good discussions about the idea at http://ibneko.livejournal.com/668715.html [livejournal.com] and http://www.dragoslungu.com/2007/06/22/google-md5-hash-search-engine/ [dragoslungu.com] . My interest is that I'm attempting to get Google to index such hashes at http://www.nth-dimension.org.uk/utils/ghash.php [nth-dimension.org.uk] . In my case I'm actually attempting to get Google to cache my hashes to minimise my storage costs as rainbow tables take a fair bit of disk space to store although the idea hasn't been particularly successful due to Google algorithms :(.

Credibility? (3, Informative)

MarkLewis (593646) | more than 6 years ago | (#21427811)

Am I the only one who thinks that a "security researcher" whose site gets hacked and is about as credible as an accountant who fails an audit?

And for his sake I really hope that he knew about rainbow tables and just decided for some indecipherable reason not to mention that they are far more effective for password cracking than Google searches.

And who submitted this story to Slashdot with the sensational summary about "any password used by anybody, ever" being vulnerable to Google searches? That's an easy enough claim to completely debunk by taking MD5 hashes of several passwords and sampling which ones come back. Let's see:

92259762923b4e79d2073ecb03217462 (hash for 'july2007') - Nothing
6e933f3054f533c63dd59479ca9f4b6f (hash for 'hello_world') - Nothing
2c6c8ab6ba8b9c98a1939450eb4089ed (hash for 'abc123') - Google found this one as an md5 example
6a51f1fe97bdebece7652842a0e2351e (hash for 'pickles') - Nothing
5eaaf94141c371ce96675aa6445003c4 (hash for 'happy') - Nothing

So basically not even common words get picked up by Google, much less "any password used by anybody else, ever".

Re:Credibility? (2, Funny)

garompeta (1068578) | more than 6 years ago | (#21428143)

With all my respect, 596a96cc7bf9108cd896f33c44aedc8a

Re:Credibility? (1)

Thanatos69 (993924) | more than 6 years ago | (#21428151)

I know it's somewhat taboo around here to read the article but he does know about rainbow tables:

I could also improve efficiency with a rainbow table, but this needs a large database which I didn't have.


As for the rest of your post... heh, touche... :)

Re:Credibility? (4, Informative)

dgym (584252) | more than 6 years ago | (#21428315)

Your strings have newlines in them, maybe you meant:
echo -n happy | md5sum

most password fields don't accept newlines, so trying without them:
3e652df0f1332cfc9df779d49667defc - still nothing
99b1ff8f11781541f7f89f9bd41c4a17 - still nothing
e99a18c428cb38d5f260853678922e03 - abc123
fd03204cfdc557b0f0d134773ae6fff5 - obscure, it finds a flash app on a site called pickles and things
56ab24c15b72a457069c5ea42fcfc640 - happy

So it is still not that much of a problem, but at least happy is on the list.
I wonder if negative outlook words are more or less secure?

Re:Credibility? (0)

Anonymous Coward | more than 6 years ago | (#21428467)

Security research people are cracker targets. Remember exactly how Keven Mitnick, may he have a cellmate who likes curly headed boytoys, got caught when he broke into the systems of a security expert and taunted the guy.

Re:Credibility? (2)

Cairnarvon (901868) | more than 6 years ago | (#21428475)

Perhaps he has better things to do than audit the complete WordPress codebase?
If he'd written his own software, you might have half a point (though only half of one; perfectly secure apps, especially perfectly secure web apps, are always a pipe dream).
If he'd been a victim of the same exploit several times in a row, then you might have a full point.

You can't blame a person for being a victim of a zero-day exploit in someone else's software, especially if the software is as complex as a blogging/CMS platform.

Re:Credibility? (1)

Antique Geekmeister (740220) | more than 6 years ago | (#21428561)

Now try it with several hundred passwords. Based on the results of Alec Moffett's old Crack program for DES, I'd suspect that you'd find roughly 10% of all passwords quite easily, with "love" leading the list.

No worse than Subversion (3, Insightful)

Antique Geekmeister (740220) | more than 6 years ago | (#21428537)

It's no worse than Subversion's insistence on storing user passwords for any protocol but SSH public keys in a local plaintext file.

Do not *EVER* allow a Subversion system to use the same passwords as the user system, and if you have access to the user's accounts, run a check of their stored Subversion passwords to make sure they didn't use their same password somewhere else as for their local user account.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?