| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080103144135.A20818@gwyn.tux.org> Date: Thu, 3 Jan 2008 14:41:35 -0500 From: Peter Watkins <peterw@....net> To: "Memisyazici, Aras" <arasm@...edu> Cc: Ofer Shezaf <ofers@...ach.com>, bugtraq@...urityfocus.com Subject: Re: Latest round of web hacking incidents for 2007 & Project news On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote: > >>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup. > > Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ? I think this is the original report http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/ which Bruce Schneier highlighted http://www.schneier.com/blog/archives/2007/11/using_google_to.html The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and searched for that hash on Google, and discovered it was a hash for the string "Anthony". It's a cute trick, but not very meaningful for databases of salted hashes, and probably not very important for passwords that cracklib, the standard Windows "strong password" rules, etc. would accept. -Peter
Powered by blists - more mailing lists