Google Served up Surprise Password Cracking Function
Steven Murdoch, a researcher at Cambridge University, successfully used Google to crack the password of a cyber criminal who had broken into his blog a few days earlier and created a user account.
Murdoch, a security researcher who runs the Light Blue Touchpaper blog, found that an attacker had compromised his website and created an administrator account in the WordPress blogging software installed on the server.
While conducting forensics to establish the extent of the damage, Murdoch became interested in learning the attacker's WordPress password. He discovered that an SQL injection flaw in the WordPress installation had allowed the attacker to escalate an ordinary account, which carried only comment-posting privileges, to full administrator. The rogue account was of course disabled as soon as the breach was noticed, but during the clean-up Murdoch remained curious about the password the attacker had chosen for it.
Fortunately, WordPress stored passwords as unsalted MD5 hashes in the user database, so it was easy for Murdoch to write a script that hashed every word in an English dictionary and looked for a match.
That failed, so Murdoch turned to a Russian dictionary, since comments in that language appeared in the code the attacker had uploaded to the server. When that did not produce a match either, he tried Google.
Murdoch pasted the MD5 hash into Google and received several hits with one thing in common: 'Anthony'. 'Anthony' was indeed the password.
Converting a password into its MD5 hash, which any number of freely available online or offline converters will do, and then searching for the resulting string on Google shows how popular a particular password is. More worryingly, if a user's hash falls into the wrong hands, the same lookup makes it easy to find out which sites that user visits.
Single dictionary words are the easiest to look up this way, so a password of eight or more characters is a safer choice.
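The two points above, the dictionary check against unsalted MD5 and the fact that a search-engine lookup works at all, both come down to the same property: an unsalted hash of a given word is identical everywhere, so one precomputed table (or one web index) serves every site. The script below is an added illustration written for this page, not Murdoch's own script and not WordPress code. It audits a constructed user table whose hashes are in the unsalted-MD5 shape described in the article, flags accounts whose password is a dictionary word, and then shows the hardened alternative: a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 is used here as one example), under which the same password yields a different stored value for every user, so no shared table or search hit can recover it. The word list, user names and passwords are all constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample word list standing in for the English and Russian
# dictionaries the article mentions (not a real dictionary file).
WORDLIST = ["password", "letmein", "anthony", "Anthony", "london", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the form legacy WordPress stored in user_pass."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample user table. Hashes are computed here from constructed
# passwords; they are not taken from any real site.
SAMPLE_USERS: Dict[str, str] = {
    "admin": md5_hex("Anthony"),                         # the word from the article
    "editor": md5_hex("correct horse battery staple"),   # not in WORDLIST
}


def audit_unsalted_md5(users: Dict[str, str], wordlist) -> Dict[str, str]:
    """Defensive audit of your own user table: return {user: word} for every
    account whose unsalted MD5 hash equals the hash of a dictionary word.

    The lookup table is built once and reused for every account. That reuse
    is exactly why unsalted hashes are weak: the same table, or a search
    engine's index of hashes, works against every site using the scheme.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in users.items() if h in table}


def make_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 100_000) -> str:
    """Hardened storage: random per-user salt plus a slow KDF.

    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' so the
    parameters travel with the hash and can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_hash(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def salted_hashes_differ(password: str) -> bool:
    """Same password stored for two users: the stored values differ, so a
    shared lookup table (or a web search for the string) cannot identify it."""
    return make_salted_hash(password) != make_salted_hash(password)


if __name__ == "__main__":
    print("weak accounts:", audit_unsalted_md5(SAMPLE_USERS, WORDLIST))
    stored = make_salted_hash("Anthony")
    print("salted record:", stored)
    print("same password, different record:", salted_hashes_differ("Anthony"))
    print("verify correct password:", verify_salted_hash("Anthony", stored))
    print("verify wrong password:", verify_salted_hash("anthony", stored))
```

Run against a real export of a legacy user table, `audit_unsalted_md5` is the check a site owner would want after an incident like this one: any account it flags should be forced through a password reset, and the table itself should be migrated to the salted format by re-hashing on each user's next successful login.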
SPAMfighter News - 06-12-2007