On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote: > >>The researchers found that they can use Google to retrieve the hashed > >>password of the hacker. Google has become so big that it actually allows > >>efficient encrypted passwords lookup. > > Could you please be more specific? Do you mean, Google had crawled an entire > MySQL DB and had access to the contents of the password field in encrypted > form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table > repo. to compare hashes against? Or... ?
I think this is the original report http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/ which Bruce Schneier highlighted http://www.schneier.com/blog/archives/2007/11/using_google_to.html The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and searched for that hash on Google, and discovered it was a hash for the string "Anthony". It's a cute trick, but not very meaningful for databases of salted hashes, and probably not very important for passwords that cracklib, the standard Windows "strong password" rules, etc. would accept. -Peter
