[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Latest round of web hacking incidents for 2007 & Project news

On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote:
> >>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.
> Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ?

I think this is the original report
which Bruce Schneier highlighted

The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and
searched for that hash on Google, and discovered it was a hash for the 
string "Anthony".

It's a cute trick, but not very meaningful for databases of salted hashes,
and probably not very important for passwords that cracklib, the standard
Windows "strong password" rules, etc. would accept.