Google reveals secret passwords?
November 21, 2007
According to various reports, Steven Murdoch, a Cambridge University researcher, has successfully used Google to reveal a secret password chosen by a would-be attacker who compromised the university's security blog.
The attacker allegedly created a WordPress account when he attacked the "Light the Blue Touch Paper" blog, the online journal of the Computer Laboratory at Cambridge University. WordPress stored passwords as unsalted MD5 hashes; salting mixes a random per-account value into the hash, so that identical passwords do not produce identical, and therefore searchable, digests.
Curious to find out what this password might be, Murdoch first tried a dictionary attack in both English and Russian (the likely native language of the attacker). Rather than building a rainbow table that maps hashes back to passwords over a more exhaustive range of inputs, Murdoch simply pasted the MD5 hash into Google, which returned multiple sites featuring the word "Anthony", the attacker's password.
The approach was successful in discovering the password, since the hash was located in the URL itself!
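The property that made the lookup work is that an unsalted hash of a given password is the same everywhere, so one public copy of the digest identifies the password for every account that uses it. The following added example (not code from the article or from WordPress) contrasts unsalted MD5 with a salted, iterated hash from the Python standard library; the password and account names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Unsalted MD5, the scheme the article says the attacked blog used: the same
# password always yields the same digest, so a digest that appears anywhere in
# public (a URL, a forum post, a database dump) reveals the password.
def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, iterated alternative (PBKDF2-HMAC-SHA256, stdlib). A random per-account
# salt means two accounts sharing a password get different digests, and a
# published digest from one site says nothing about any other account.
ITERATIONS = 200_000

def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Store algorithm, iteration count, salt and digest together; all are
    # needed to verify later, and none of them is secret.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed scenario: two accounts that happen to share the same password.
def demo(password: str = "example-password") -> dict:
    unsalted = [unsalted_md5(password) for _ in range(2)]
    salted = [salted_hash(password) for _ in range(2)]
    return {
        # identical digests: a lookup of one exposes both accounts
        "unsalted_identical": unsalted[0] == unsalted[1],
        # distinct digests: a published digest cannot be matched across accounts
        "salted_identical": salted[0] == salted[1],
        "salted_verifies": all(verify_salted(password, s) for s in salted),
    }

if __name__ == "__main__":
    print(demo())
```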
Murdoch said "this makes a lot of sense (!) (...) I've even written some code which does pretty much the same thing. When I needed to store a file, indexed by a key, a simple option is to make the filename the key's MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions."
Overall, this Google-assisted variant on password cracking illustrates a few critical security points:
Murdoch's Internet posting on his findings has understandably created a lively thread on the "Light the Blue Touch Paper" blog.
One respondent created a utility that lets users find out whether their passwords are safe.
Generally speaking, using difficult-to-guess passwords is fairly simple common sense that somehow often gets overlooked, even in many IT circles.
As one poster notes, searching for hashes of common default passwords such as "admin" throws up some "database dumps" and various other similar instances.
Source: The Register