Re: Latest round of web hacking incidents for 2007 & Project news

[Peter Watkins <peterw () usa net>]

On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote:
> > > The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so 
> > > big that it actually allows efficient encrypted passwords lookup.
>
> Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents 
> of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. 
> to compare hashes against? Or... ?

I think this is the original report
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
which Bruce Schneier highlighted
http://www.schneier.com/blog/archives/2007/11/using_google_to.html

The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and
searched for that hash on Google, and discovered it was a hash for the 
string "Anthony".

It's a cute trick, but not very meaningful for databases of salted hashes,
and probably not very important for passwords that cracklib, the standard
Windows "strong password" rules, etc. would accept.

-Peter