The Inquirer-Home

Google can crack passwords

Don't post it online
Wed Nov 21 2007, 18:38

A CLEVER bloke into security research at the University of Cambridge computer lab wrote in his bog last Friday that he's discovered Google works as a password MD5 hash cracker.

Someone had hacked into his bogsite a few weeks ago and created a user account. After he quickly disabled the rogue account, Steven J. Murdoch did some forensics work -- he's doing academic security research, remember -- and thought to figure out the attacker's password.

Since his bogsite uses Wordpress, which stores passwords as unsalted MD5 hashes in its user database, he tried a dictionary attack. That didn't find any match, even with numbers added to the ends of words. He then used a Russian dictionary, because shell code that had been installed by the attacker had Russian in the comments. No word matchup there, either.

Murdoch writes that he could have found or written a better password cracker. He could have varied the case of letters, added symbols to the mix, or used common substitutions of numbers for letters, but he didn't want to spend more time. Instead, he turned to Google.

He plugged the raw MD5 hash of the attacker's password into a Google search and, voila, Google found him some matches. One was a genealogy page for people with the surname of "Anthony" and another was a real estate advertisement placed by a guy named "Anthony".

Murdoch writes, "And indeed, the MD5 hash of 'Anthony' was the database entry for the attacker. I had discovered his password."

In both cases, the target hash was embedded within a URL. It seems MD5 hashes are often used to index webpages, with the input to the MD5 algorithm being the webpage's name.

He concludes, "Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best -- storing large databases and searching them. I doubt, however, that they envisaged this use though."
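An added example, not from the article or from Murdoch's post, shows why an unsalted MD5 digest can be matched against any existing index of hashed strings and how a per-account salt removes the match. The page names, the `rogue` and `admin` accounts, and the choice of PBKDF2 with 100,000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_md5(text: str) -> str:
    """Hash as the article describes: MD5 of the bare input, no salt."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def public_index(page_names):
    """Model sites that key pages by MD5(page name): digest -> name."""
    return {unsalted_md5(name): name for name in page_names}


def exposed_accounts(user_table, index):
    """Audit: accounts whose stored digest already appears in the index."""
    return {u: index[h] for u, h in user_table.items() if h in index}


def salted_hash(password: str, salt: bytes = None):
    """Per-account random salt plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


# Constructed sample data: page names a site might hash into URLs, and a
# user table holding unsalted MD5 digests.
PAGES = ["Anthony", "Contact", "Listings"]
USERS = {"rogue": unsalted_md5("Anthony"), "admin": unsalted_md5("k7#Vq9!xT2")}

if __name__ == "__main__":
    idx = public_index(PAGES)
    print("found in index:", exposed_accounts(USERS, idx))
    s1, d1 = salted_hash("Anthony")
    s2, d2 = salted_hash("Anthony")
    print("same password, different digests:", d1 != d2)
    print("salted digest in index:", d1.hex() in idx)
```
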

So don't go typing your passwords into pages that get posted on the worldwide interwibble. µ

Light Blue Touchpaper

