Researchers at Cambridge University’s computer science department successfully used Google to crack passwords hashed with the Message-Digest Algorithm 5 (MD5).
Initially, Steven Murdoch, a security researcher who runs the Light Blue Touchpaper blog, found out that an intruder had broken into his website. Even the administrator account in the WordPress blogging software installed on the server was affected.
After a forensic examination of his system, he discovered the extent of the damage.
WordPress passwords are hashed with MD5 and stored in the user database. To recover the hacked password, Murdoch wrote a script that hashed every word in an English dictionary and looked for a match. This attempt was unsuccessful.
Next, Murdoch switched to a Russian dictionary; comments in Russian had been discovered in the new code installed on the server. When this attempt also failed, Murdoch decided to try Google.
The researcher keyed the MD5 password hash into Google and got several hits with one thing in common: the name ‘Anthony’. It was clear that ‘Anthony’ was the password.
“Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before,” said Murdoch.
“Google is doing what it does best: storing large databases and searching them. I doubt, however, that they envisaged this use,” he added.
It is now out in the open that Google, the lifeline of Internet users, can help crack passwords. What the technique is used for is up to hackers: it can serve destructive as well as positive purposes.
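The search works because unsalted MD5 maps a given password to the same digest on every site, so any index of previously published hashes doubles as a lookup table. The following is an added example, not Murdoch's script or code from the original article: it contrasts that storage scheme with a per-user salted, slow hash, using a constructed wordlist and hypothetical function names.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real password audit would use a full dictionary.
WORDLIST = ["password", "letmein", "Anthony", "dragon"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage scheme the article describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precomputed hash -> word table: what a search index of hashes amounts to."""
    return {md5_hex(w): w for w in words}


def lookup_preimage(stored_hash: str, table: dict):
    """Return the word whose unsalted MD5 equals stored_hash, or None."""
    return table.get(stored_hash.lower())


def hash_salted(password: str, salt: bytes = None, iterations: int = 200_000):
    """Hardened storage: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    stored = md5_hex("Anthony")  # identical on every site that uses unsalted MD5
    print("unsalted lookup:", lookup_preimage(stored, table))
    a, b = hash_salted("Anthony"), hash_salted("Anthony")
    print("salted records equal:", a[2] == b[2])
    print("salted digest in table:", lookup_preimage(a[2].hex(), table))
    print("verify:", verify_salted("Anthony", a))
```

With a random salt, two users who share a password get different records, so a hash copied from a compromised database has no matching entry in any shared table or search index.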