Google as a password cracker

Usually we’re into hardware hacks, but once in a while I run across something that’s just too good. [Steven]‘s blog was cracked a while back, and while he was doing forensics, he was trying to crack the md5 hashed password for the unauthorized account. Eventually he slapped the hash into Google, and guess that it was ‘Anthony’ based on the results that came up. Thanks to [gr] for pointing it out.
(Yes, I know it was on Slashdot a few days ago, but I don’t care.)


  1. Jeroen Domburg says:

    And this is why you should salt your hashes.

  2. Skyler Orlando says:

    That is cool… and scary… simultaneously. I’ll have to try that next time I hack Microsoft. :-P

  3. thermald says:

    Not to mention ketchup and tabasco sauce.

  4. Joe says:

    This is only useful if Google has at one point indexed a hash and its decrypted counter-part (which is highly unlikely), and if you can actually get your hands on the hash in the first place! Your better off using a reverse MD5 database utility like this one:

  5. Matt says:

    This is equivalent to saying, look my name is in google!

    Nothing really special about it and there are much better tools for doing it.

    Now if google included a reverse lookup for md5 that would be something to talk about.

  6. Jason says:

    Actually, this is more effective than you would think–it worked for me in a test situation 15 times out of 20.

  7. sean says:

    thats pretty interesting, i was looking for a similar hash to decrypt, i’m not sure if it’s md5, but I wish i thought of it.

  8. ??? says:

    You know, google tracks every search.

  9. errabbaa says:

    so , it s nice what i m saying , i already test it, but it doesn’t work every time, if it’s stored in some pages we can say it but not every time
    i think that i will speak about that in my blog if u wanna let a comment :

  10. FRODUS says:
  11. Jordan says:

    ya… This just goes to show that you should definetly salt your hashes, but some people are just too stupid / lazy to do so.

  12. cde says:

    Even better. You can take a password, hash it, then search google for the hash to find out if other admins have used it as a password :D

  13. TJhooker says:

    If this works on production site or database then the people there must be morons.

    It’s the equivalent of having your password guessed by a human..literally. Hash tables work on the same model. They don’t actually attack the algorithm just the lack of creativity by a user base.

  14. NNM says:

    That’s why you have to add some “custom” encryption and not rely on built in functions…
    Simply reading/translating a sha1 or md5 takes 0.0002 seconds and about 5 lines of code…

  15. samodelkin says:

    So if I googlefight MD5 hashes, I could check which passwords are used more often? I understand it wouldn’t be very accurate because people salt their hashes and stuff, but with googlefight, how convenient is that!

  16. beatnik says:

    I think this is something people tend to be interested in check out try a MD5 here

  17. Asi says:

    hi,I dont know much about hashes and i got a question: i got this hash “JR:1003:aad3b435b51404eeaad3b435b51404ee:37c088d8d1e18c245c25483c5fd5314d/empty/:
    How can i know if is ntlm or md5? and if is ntlm there is a way to convert it in md5? thanks for the help

  18. Angus says:

    While using Google to crack MD5 passwords is interesting and useful, I don’t think it’s really worth posting about. I thought this use of Google was obvious; I’ve done it myself a few times.

  19. xoomthemodder says:

    hmm lets hash a password

    take hash pop it into Google and trys it….

    op my password looks good, not in Google.

    I would think this only works for a dictionary of common words. Trick is add #’s to your passwords people. Lets be smart.

  20. dubayou says:

    I wrote this site to do this with relative ease. check it out

  21. infin8 says:

    Uhmm.. what is an md5 hash?

  22. Billy says:

    Funny, when I $ `echo anthony | md5sum`, I get “e4ea5477492b160a8d7aeac1fb16d107 -“

  23. Kristina Horvat says:

    Hello. I am woman. Could you help me, that I find out password of Admin of one forum? I am from Croatia and in one Forum, they behave very very unfair to me. So, now I want to log myself as Admin, and do one little funny revenge to them. Could you tell me what is the way for doing that? Thank you. Some Trojan program, or something similar?

  24. Kristina says:

    Could you please move my surname? :)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 96,459 other followers