Using Google to crack MD5 passwords.

stern (37545) writes | more than 6 years ago

Security 2

stern writes "A security researcher at Cambridge, trying to figure out the password used by somebody who had hacked his website, ran a dictionary through the encryption hash function. No dice. Then he pasted the hacker's encrypted password into Google, and Shazzam — the all-knowing Google delivered his answer. Conclusion? Use no password any other human being is ever likely to use for any purpose, I think."


Unfortunately, you can't prove it anymore (0)

Anonymous Coward | more than 6 years ago | (#21421105)

Because Google is polluted with people referring to his exploits (pun intended). Also, the password that he cracked was 'Anthony' which, for some reason, wasn't found in his dictionary attack. That probably means that random-ish passwords will be fine. Here's the most interesting part from TFA:

Instead, I asked Google [google.com]. I found, for example, a genealogy page [rootsweb.com] listing people with the surname "Anthony", and an advert for a house [fizber.com], signing off "Please Call for showing. Thank you, Anthony". And indeed, the MD5 hash of "Anthony" was the database entry for the attacker. I had discovered his password.

In both the webpages, the target hash was in a URL. This makes a lot of sense -- I've even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key's MD5 hash. This avoids the need to escape [wikipedia.org] any potentially dangerous user input and is very resistant to accidental collisions. If there are too many entries to store in a single directory, by creating directories for each prefix, there will be an even distribution of files. MD5 is quite fast, and while it's unlikely to be the best option in all cases, it is an easy solution which works pretty well.

The real problem (1)

MobyDisk (75490) | more than 6 years ago | (#21422149)

Wordpress stores raw MD5 hashes in the user database (despite my recommendation to use salting).
This is not an issue if the database uses salting in the passwords.
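
An added example, not part of the original thread or the linked article: it shows why a raw MD5 value can be matched against unrelated public content (such as MD5-named files in URLs) while a per-user salted hash cannot. The word list, the function names and the choice of PBKDF2-HMAC-SHA256 are assumptions of this example; the thread itself only mentions salting.

```python
import hashlib
import hmac
import os

# Constructed sample: words that appear on unrelated public pages, where
# md5(word) ends up in a URL or filename, as the quoted article describes.
PUBLIC_WORDS = ["Anthony", "house", "showing", "genealogy"]

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def build_public_index(words):
    """Map hash -> word, standing in for a search engine's view of the web."""
    return {md5_hex(w): w for w in words}

def store_unsalted(password):
    """Raw MD5: the same password yields the same value on every site."""
    return md5_hex(password)

def store_salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF (example choice: PBKDF2)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def lookup(index, stored_hex):
    """Return the plaintext if the stored value appears in the public index."""
    return index.get(stored_hex)

if __name__ == "__main__":
    index = build_public_index(PUBLIC_WORDS)
    print("unsalted lookup:", lookup(index, store_unsalted("Anthony")))
    record = store_salted("Anthony")
    print("salted lookup:  ", lookup(index, record[2].hex()))
    print("salted verify:  ", verify_salted("Anthony", record))
```
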