funsec mailing list archives

Password Hashes via Google :-)


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Wed, 21 Nov 2007 15:22:02 -0500

Nice Find!

http://www.theregister.co.uk/2007/11/21/google_md5_crack/

A Cambridge University researcher successfully used Google to unearth
a password used by an attacker to compromise its security blog.

The attacker created an account in Wordpress when he attacked the
Light the Blue Touch Paper blog, the online journal of the Computer
Laboratory at Cambridge University. Wordpress stores passwords as MD5
hashes without salting, a process that adds length and complexity to
password hashes.

Curious to know what this password might be, Cambridge researcher
Steven Murdoch tried a dictionary attack in both English and Russian
(the likely native language of the attacker).

Rather than building a rainbow table that maps passwords to hashes for
a more exhaustive range of possible inputs, Murdoch plugged the MD5
into Google which revealed multiple sites featuring the word
"Anthony", the attacker's password. The approach hit on a result
because the hash was in the URL.

"This makes a lot of sense - I've even written code which does the
same. When I needed to store a file, indexed by a key, a simple option
is to make the filename the key's MD5 hash. This avoids the need to
escape any potentially dangerous user input and is very resistant to
accidental collisions," Murdoch notes.

The new variant on Google hacking illustrates a couple of important
points: that Google is indexing password hashes, albeit inadvertently,
as well as everything else; and that MD5 hashes without salting are
next to useless.

Murdoch's posting on his findings has sparked a lively thread on the
Light the Blue Touch Paper blog. One respondent created a utility that
lets users find out if their passwords are safe.

Using hard-to-guess passwords is simple common sense that somehow
often gets overlooked. As one poster notes, searching for hashes of
common default passwords such as "admin" throws up database dumps and
the like.

------------------
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
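The point of the article, that an unsalted MD5 is the same everywhere a given password is used and can therefore simply be looked up, shown as an added example (not code from the post, the article, or WordPress). The word list and the hash-to-password map stand in for what a search engine or rainbow table gives away; the salt and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for "the indexed web": the unsalted MD5 of
# any common password is effectively public, so a hash -> password map is what
# a Google search (or a rainbow table) hands to whoever holds the hash.
WORDLIST = ["password", "admin", "Anthony", "letmein", "123456"]


def md5_unsalted(password: str) -> str:
    """What the blog's WordPress did in 2007: a bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


# Built once from the word list; same idea as pasting the hash into Google.
LOOKUP = {md5_unsalted(w): w for w in WORDLIST}


def lookup(hexdigest: str):
    """Return the password behind a hash if it is 'indexed', else None."""
    return LOOKUP.get(hexdigest)


def md5_salted(password: str, salt: bytes) -> str:
    """Same digest, but a per-user random salt goes in first, so the result is
    unique to this user and no precomputed table or search hit applies."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted *and* deliberately slow: a password-hashing function rather than
    a raw digest, which is what a login system should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    salt = os.urandom(16)  # assumption: 16 random bytes per user
    print("unsalted MD5 recovered:", lookup(md5_unsalted("Anthony")))
    print("salted MD5 recovered:", lookup(md5_salted("Anthony", salt)))
```

Run as a script it recovers "Anthony" from the unsalted hash and nothing from the salted one; the PBKDF2 functions show the form a stored credential should actually take.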
