Bugtraq mailing list archives
Re: Latest round of web hacking incidents for 2007 & Project news
From: Peter Watkins <peterw () usa net>
Date: Thu, 3 Jan 2008 14:41:35 -0500
On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote:
The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ?
I think this is the original report http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/ which Bruce Schneier highlighted http://www.schneier.com/blog/archives/2007/11/using_google_to.html The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and searched for that hash on Google, and discovered it was a hash for the string "Anthony". It's a cute trick, but not very meaningful for databases of salted hashes, and probably not very important for passwords that cracklib, the standard Windows "strong password" rules, etc. would accept. -Peter
Current thread:
- RE: Latest round of web hacking incidents for 2007 & Project news Memisyazici, Aras (Jan 03)
- RE: Latest round of web hacking incidents for 2007 & Project news Ofer Shezaf (Jan 03)
- Re: Latest round of web hacking incidents for 2007 & Project news Peter Watkins (Jan 03)
- Re: Latest round of web hacking incidents for 2007 & Project news s f (Jan 04)