Google as a password cracker


Usually we’re into hardware hacks, but once in a while I run across something that’s just too good. [Steven]’s blog was cracked a while back, and while doing forensics he tried to crack the MD5-hashed password for the unauthorized account. Eventually he slapped the hash into Google and guessed that it was ‘Anthony’ based on the results that came up. Thanks to [gr] for pointing it out.
(Yes, I know it was on Slashdot a few days ago, but I don’t care.)
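
Why the lookup works, and why a per-account salt with a slow KDF stops it, as an added example that is not from [Steven]'s write-up or the original post. The wordlist is constructed, the function names are hypothetical, and PBKDF2-HMAC-SHA256 with the iteration count shown is an assumed choice of salted scheme.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist standing in for whatever a search index or a
# reverse-MD5 database happens to contain.
WORDLIST = ["password", "letmein", "Anthony", "qwerty"]

# Precomputed table: hex digest -> plaintext. Built once, reused for every hash.
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: the same password always produces the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str) -> tuple[bytes, bytes]:
    """Per-account random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_salted(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


def lookup(stored_hex: str) -> str | None:
    """Return the plaintext if the stored value is in the precomputed table."""
    return MD5_TABLE.get(stored_hex)


if __name__ == "__main__":
    weak = store_unsalted_md5("Anthony")
    print("unsalted MD5 found in table:", lookup(weak))
    salt, key = store_salted("Anthony")
    print("salted value found in table:", lookup(key.hex()))
    print("login still verifies:", verify_salted("Anthony", salt, key))
```
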

24 thoughts on “Google as a password cracker”

  1. This is only useful if Google has at one point indexed a hash and its decrypted counterpart (which is highly unlikely), and if you can actually get your hands on the hash in the first place! You’re better off using a reverse MD5 database utility like this one: md5.benramsey.com

  2. This is equivalent to saying, look my name is in google!

    Nothing really special about it and there are much better tools for doing it.

    Now if google included a reverse lookup for md5 that would be something to talk about.

  3. ya… This just goes to show that you should definitely salt your hashes, but some people are just too stupid / lazy to do so.

  4. Even better. You can take a password, hash it, then search google for the hash to find out if other admins have used it as a password :D

  5. If this works on production site or database then the people there must be morons.

    It’s the equivalent of having your password guessed by a human... literally. Hash tables work on the same model. They don’t actually attack the algorithm, just the lack of creativity by a user base.

  6. That’s why you have to add some “custom” encryption and not rely on built in functions…
    Simply reading/translating a sha1 or md5 takes 0.0002 seconds and about 5 lines of code…

  7. So if I googlefight MD5 hashes, I could check which passwords are used more often? I understand it wouldn’t be very accurate because people salt their hashes and stuff, but with googlefight, how convenient is that!

  8. Hi, I don’t know much about hashes and I got a question: I got this hash “JR:1003:aad3b435b51404eeaad3b435b51404ee:37c088d8d1e18c245c25483c5fd5314d/empty/:
    How can I know if it is NTLM or MD5? And if it is NTLM, is there a way to convert it to MD5? Thanks for the help.

  9. While using Google to crack MD5 passwords is interesting and useful, I don’t think it’s really worth posting about. I thought this use of Google was obvious; I’ve done it myself a few times.

  10. Hello. I am woman. Could you help me, that I find out password of Admin of one forum? I am from Croatia and in one Forum, they behave very very unfair to me. So, now I want to log myself as Admin, and do one little funny revenge to them. Could you tell me what is the way for doing that? Thank you. Some Trojan program, or something similar?
