Hashed passwords fall prey to search engine
Researchers at Cambridge University's computer science department have used Google to help crack passwords obfuscated in the Message-Digest Algorithm 5 (MD5) format.
Steven Murdoch, a security researcher who runs the Light Blue Touchpaper blog, discovered that an intruder had broken into his website and created an administrator account in the Wordpress blogging software installed on the server.
While carrying out computer forensics to discover the extent of the damage, Murdoch became interested in learning the hacker's Wordpress password.
As Wordpress passwords are MD5 hashed and stored in the user database, Murdoch wrote a script which hashed all words in the English dictionary to find a match.
When this failed Murdoch switched to a Russian dictionary, as comments in that language were discovered in the new code installed on the server. This did not work either, so he turned to Google.
Murdoch inputted the MD5 password hash into Google and got several hits with one thing in common: the name 'Anthony'. Sure enough, 'Anthony' was the password.
"Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before," said Murdoch.
"Google is doing what it does best: storing large databases and searching them. I doubt, however, that they envisaged this use."
Researchers at Cambridge University's computer science department have used Google to help crack passwords obfuscated in the Message-Digest Algorithm 5 (MD5) format.
Steven Murdoch, a security researcher who runs the Light Blue Touchpaper blog, discovered that an intruder had broken into his website and created an administrator account in the Wordpress blogging software installed on the server.
While carrying out computer forensics to discover the extent of the damage, Murdoch became interested in learning the hacker's Wordpress password.
As Wordpress passwords are MD5 hashed and stored in the user database, Murdoch wrote a script which hashed all words in the English dictionary to find a match.
When this failed Murdoch switched to a Russian dictionary, as comments in that language were discovered in the new code installed on the server. This did not work either, so he turned to Google.
Murdoch inputted the MD5 password hash into Google and got several hits with one thing in common: the name 'Anthony'. Sure enough, 'Anthony' was the password.
"Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before," said Murdoch.
"Google is doing what it does best: storing large databases and searching them. I doubt, however, that they envisaged this use."
0 comments:
Post a Comment Subscribe to Post Comments (Atom)