Re: Latest round of web hacking incidents for 2007 & Project news
On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote:
> >>The researchers found that they can use Google to retrieve the hashed
> >>password of the hacker. Google has become so big that it actually allows
> >>efficient encrypted password lookup.
>
> Could you please be more specific? Do you mean, Google had crawled an entire
> MySQL DB and had access to the contents of the password field in encrypted
> form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table
> repo. to compare hashes against? Or... ?
I think this is the original report
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
which Bruce Schneier highlighted
http://www.schneier.com/blog/archives/2007/11/using_google_to.html
The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and
searched for that hash on Google, and discovered it was a hash for the
string "Anthony".
It's a cute trick, but not very meaningful for databases of salted hashes,
and probably not very important for passwords that cracklib, the standard
Windows "strong password" rules, etc. would accept.
-Peter
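A small Python illustration of the two points above (the "search for the hash" trick, and why salting blunts it), added here as an example and not code from the original thread or from the lightbluetouchpaper post. It stands in for Google with a local dictionary of precomputed digests built from a constructed wordlist, and assumes the hash in question is unsalted MD5 (the original post does not say which function; MD5 is an assumption). The names `build_unsalted_index`, `lookup` and `salted_hash` are this example's own.

```python
import hashlib
import os

# Constructed wordlist standing in for the plaintexts whose hashes happen to
# appear on pages a search engine has indexed.
WORDLIST = ["password", "letmein", "Anthony", "qwerty", "Tr0ub4dor&3"]

# The digest quoted in the thread (assumed here to be unsalted MD5).
POST_HASH = "20f1aeb7819d7858684c898d1e98c1bb"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_unsalted_index(words):
    """Map hex digest -> plaintext for unsalted MD5.

    This is effectively what a search engine builds for free when people
    publish md5(word) next to word: one global table that works against
    every database using the same unsalted scheme.
    """
    return {md5_hex(w.encode()): w for w in words}


def lookup(index, digest: str):
    """Reverse a digest via the index, or None if it is not there."""
    return index.get(digest.strip().lower())


def salted_hash(password: str, salt: bytes) -> str:
    """Toy salted scheme: per-record random salt prepended before hashing.

    Only to show the effect of the salt on lookups; a real system should use
    a purpose-built password hash (bcrypt, scrypt, Argon2) instead of MD5.
    """
    return md5_hex(salt + password.encode())


def new_salt(nbytes: int = 16) -> bytes:
    return os.urandom(nbytes)


def cracking_cost(n_words: int, n_users: int, salted: bool) -> int:
    """Number of hash evaluations to cover the wordlist for n_users records.

    Unsalted: one table of n_words digests serves every record.
    Salted with unique salts: the table must be rebuilt per record.
    """
    return n_words * n_users if salted else n_words


if __name__ == "__main__":
    index = build_unsalted_index(WORDLIST)

    # The trick from the post: feed a bare digest to the "search engine".
    print("post's hash ->", lookup(index, POST_HASH))
    print("md5('Anthony') ->", lookup(index, md5_hex(b"Anthony")))

    # Same password, two users, two salts: two unrelated digests, and neither
    # is in the global table.
    h1 = salted_hash("Anthony", new_salt())
    h2 = salted_hash("Anthony", new_salt())
    print("salted digests differ:", h1 != h2)
    print("salted digest in table:", lookup(index, h1))

    # Work needed to cover the wordlist for a 10,000-record database.
    print("unsalted cost:", cracking_cost(len(WORDLIST), 10_000, salted=False))
    print("salted cost:  ", cracking_cost(len(WORDLIST), 10_000, salted=True))
```

The cost function is the crux of Peter's caveat: an unsalted table is computed once and reused against every database and every record, which is exactly the situation a search engine index exploits; with a unique salt per record the attacker has to redo the wordlist per record, and the "search for the digest" shortcut yields nothing.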