Slashdot Mirror
Using Google To Crack MD5 Passwords
stern writes "A security researcher at Cambridge was trying to figure out the password used by somebody who had hacked his Web site. He tried running a dictionary through the encryption hash function; no dice. Then he pasted the hacker's encrypted password into Google, and voila — there was his answer. Conclusion? Use no password that any other human being has ever used, or is ever likely to use, for any purpose. I think."
The guy posting was posting from the perspective of the user, not the author of the system. The conclusion from the summary is still accurate since you can't make the assumption that salt is always used. The next best defense is a crazy fucking password.
You do realize that most businesses (and therefore most websites you have accounts on) just store passwords plain text because it's easier to do tech support that way. Salted hashes are better than unsalted hashes, but most don't bother hashing at all.
1984 was not supposed to be an instruction manual.
That Wordpress uses unsalted MD5 sums to store passwords boggles my mind. It shows that the developers know even less about cryptography than I do. That's scary.
Oh it's even better than that. It stores your md5 password in a plain text cookie, and if it receives such a cookie, sets an $already_md5 flag to true that's then passed to wp_login() which then just compares it literally against the unsalted md5 entry.
<guinness>Brilliant!</guinness>
Done with slashdot, done with nerds, getting a life.
- I found this file on my computer and I forgot where it came from.
- I downloaded this file but I forget where I got it. It's too big to email so I would like to send a friend a link to the original file.
- I want to see if anyone has taken this pic from my site and posted it elsewhere.
- This download is taking FOREVER. Is anyone else hosting this exact file?
and many, many more. I had this idea years ago and sent it in to them but haven't heard anything since. I don't want any credit**, just implement it and let me know when it's up and running! And the funny thing is, I'm sure Google is already checksumming every file as part of how they do all their magic. All they have to do is post the data!* and, since collisions are possible, it would provide a nice corpus to study collisions, etc. in the real world.
** this isn't an entirely original idea. Linux distros have been posting checksums for years as a way to let users verify that their downloads were not corrupted; as a bonus, I (and I'm sure some others) have done searches of those values to find sites hosting that particular release.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
You're implying that salting on UNIX makes attacking the hash infeasible, this is simply not true.
There are only 4096 different combinations in the salting algorithm in crypt() will use which a brute forcer can easily iterate. [regardless of encryption technique md5 or des]
Salting a known algorithm is almost pointless because as I just described salted passwords can be just as easily defeated if you know the mechanism, this is why NT doesn't include salt. Also salt was used on UNIX only because when shadow passwords didn't exist the system had to be protected against users that had the same password and could easily read the password file to compare.
Google is now shutting down servers and re-routing as they try and halt the spread of the newly-detected worm that tries to do a DOS on google, by making affected machines do a google search with random strings that look like 0cfa9f600839f57e90e5559b8ee54864
:)
But seriously, as fun as it is to look up all your hashed responses on google, I'm going back to por... work
You might also want to check out http://utilitymill.com/utility/Goog_Your_Hash to see if your password is 'safe'.
Yeah, but I'd expect a "security" blog to know better. WordPress's list of vulnerabilities is way too long and is often held up as an example of insecure PHP code. The whole thing is deeply flawed.