An article about a SQL injection vulnerability on a UK Parliament website that exposed usernames and passwords reminded me of a story from last year about using Google as a gigantic password cracker. One of the big problems with the
The recommended way to store passwords is not to encrypt them at all but to keep only a one-way hash of each one; at the time of writing that typically meant MD5. Because the stored value cannot be turned back into the password directly, this protects the passwords against SQL injection, lost backup tapes and so on, and it also stops a malicious system administrator simply reading user credentials out of the database. Note the qualifier: the hash cannot be reversed, but it can still be attacked by guessing candidate passwords, hashing each one and comparing the result, which is exactly what the Google trick does.
Last year, an article suggested that Google could be used as a huge lookup table for MD5 hashes: enough pages on the web list words alongside their MD5 digests that searching for a digest often returns the word. This is easy enough to test. Calculate the MD5 of a candidate password (with a local tool such as md5sum or a scripting language's hash library rather than an online generator, which would hand the candidate to a third party), then type the resulting hex digest into Google and see whether it comes up with your original text.
My unscientific testing from a year ago suggested that the above method worked well for correctly formatted dictionary words but little else. Twelve months on, it appears that simple dictionary words with common numeric substitutions (e.g. I=1, O=0) are also picked up, as are simple words with irregular capitalisation, e.g. bIke.
As ever, it appears that we really do need to follow the password complexity guidelines we get from system administrators: a password that is a dictionary word with a few letters swapped for digits or capitals is exactly what these precomputed tables cover.
Note that MD5 is now considered 'cryptographically broken' (practical collisions exist) but is still in common use for password storage. Looking MD5 hashes up in Google, or in any other precomputed table, is defeated by salting: prepending a random per-user value to the password before hashing means the digest of "bike" is different for every user and no longer matches anything that has been indexed. A salt does not, however, stop an attacker who has the salt from guessing passwords one user at a time, and MD5 is fast enough that millions of guesses per second are cheap; a deliberately slow password hash such as PBKDF2 or bcrypt is the usual answer to that.