Hunting passwords with Google
That Google frequently offers a glimpse into protected content is not news. By using 'Google hacks', entering carefully selected search parameters, users can sometimes reach information which is otherwise accessible only with a password. Google can also be helpful when searching for security vulnerabilities. Now it seems that Google has also found a use as a cracking tool for finding the plaintext corresponding to MD5 hashes.
Steven Murdoch of the University of Cambridge Computer Laboratory stumbled on this capability as he was investigating an unknown user account on his blog, which had recently been compromised by an attacker. Murdoch recently published a report on cookie generation in WordPress, also arising from his investigations into the recent hack. The hash of the attacker's password stored in the blog database did not coincide with any MD5 hashes he obtained using various dictionaries and he did not have access to a rainbow table. So he entered the hash into Google on the off chance and quickly landed a direct hit – 20f1aeb7819d7858684c898d1e98c1bb yielded "Anthony".
Certainly Google's usefulness as an MD5 cracker is limited. In contrast to rainbow tables, strings are not systematically hashed and saved. Instead one must simply hope that Google has at some point stumbled across the hash in question – often, for example, as a saved session ID in a URL. However, nowadays there are enough MD5 crackers and free rainbow tables available that there is really little need to trouble Google.
Nevertheless this once again illustrates how important it is to abandon ancient methods for storing passwords and to use procedures which use a salt value when calculating the hash. This does not prevent attacks involving precomputation from being carried out, but it does make the storage capacity required too large for current technology. Unfortunately, in many off the shelf products, this option is not available. WordPress MD5 hashes, for example, are not salted and allow anyone to cobble together authentication cookies fairly easily that entirely circumvent the need for a password. Other products also still use simple MD5 hashes.
- Google as a password cracker, blog entry by Steven Murdoch