That Google frequently offers a glimpse into protected content is not news. By using ‘Google hacks’, entering carefully selected search parameters, users can sometimes reach information which is otherwise accessible only with a password. Google can also be helpful when searching for security vulnerabilities. Now it seems that Google has also found a use as a cracking tool for finding the plaintext corresponding to MD5 hashes.

Steven Murdoch of the University of Cambridge Computer Laboratory stumbled on this capability while he was investigating an unknown user account on his blog, which had recently been compromised by an attacker. Murdoch recently published a report on cookie generation in WordPress, also arising from his investigations into the recent hack. The hash of the attacker’s password stored in the blog database did not coincide with any MD5 hashes he obtained using various dictionaries and he did not have access to a rainbow table. So he entered the hash into Google on the off chance and quickly landed a direct hit – 20f1aeb7819d7858684c898d1e98c1bb yielded “Anthony”.
Certainly Google’s usefulness as an MD5 cracker is limited. In contrast to rainbow tables, strings are not systematically hashed and saved. Instead one must simply hope that Google has at some point stumbled across the hash in question – often, for example, as a saved session ID in a URL. However, nowadays there are enough MD5 crackers and free rainbow tables available that there is really little need to trouble Google.
Nevertheless this once again illustrates how important it is to abandon ancient methods for storing passwords and to use procedures which use a salt value when calculating the hash. This does not prevent attacks involving precomputation from being carried out, but it does make the storage capacity required too large for current technology. Unfortunately, in many off the shelf products, this option is not available. WordPress MD5 hashes, for example, are not salted and allow anyone to cobble together authentication cookies fairly easily that entirely circumvent the need for a password. Other products also still use simple MD5 hashes.
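The effect of the salt described above, as an added example that is not part of the original article: it stores the same password for two users under plain MD5 and under a per-user salted scheme, then checks what a precomputed table can match. The wordlist, the iteration count and the choice of PBKDF2-HMAC-SHA256 as the salted procedure are assumptions of this example; the article only calls for a salt.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a precomputed dictionary.
WORDLIST = ["letmein", "Anthony", "qwerty", "password1"]
ITERATIONS = 100_000  # illustrative work factor, an assumption of this example


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the storage scheme the article criticises."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against a salted record."""
    return hmac.compare_digest(salted_record(password, salt)[1], digest)


def audit() -> dict:
    """Compare what a precomputed table reveals under each scheme."""
    # Unsalted: one table, computed once, matches every database using plain MD5.
    md5_table = {legacy_md5(w): w for w in WORDLIST}
    alice_md5, bob_md5 = legacy_md5("Anthony"), legacy_md5("Anthony")

    # Salted: the same password yields unrelated records for two users.
    alice_salt, alice_digest = salted_record("Anthony")
    bob_salt, bob_digest = salted_record("Anthony")
    # A table precomputed for Alice's salt does not match Bob's record.
    alice_table = {salted_record(w, alice_salt)[1]: w for w in WORDLIST}

    return {
        "md5_records_equal": alice_md5 == bob_md5,
        "md5_table_hit": md5_table.get(bob_md5),
        "salted_records_equal": alice_digest == bob_digest,
        "alice_table_hits_bob": alice_table.get(bob_digest),
        "login_still_works": verify("Anthony", bob_salt, bob_digest),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Because every record carries its own salt, any precomputed table would have to be rebuilt per salt value, which is the storage blow-up the article refers to.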