/How safe are your passwords?/

*Forgotten your password? Google can find it for you. Unfortunately*

by Charles Arthur

When a Cambridge University team wanted to break a hacker's password,
they turned to Google - with startling results. But there's a lesson for
you too.

November 23, 2007 1:38 PM

There's a certain amount of crowing associated with hacking the blog of
a security team - which might be why a hacker, apparently Russian, broke
into the blog of the Cambridge University security team at the Light
Blue Touchpaper blog <http://www.lightbluetouchpaper.org/>.

He did it via some weaknesses in their Wordpress installation
<http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/>,
upgrading himself from a plain "can post" user to an administrator of the
blog using a zero-day (that is, previously unnoted) vulnerability, via
SQL injection <http://en.wikipedia.org/wiki/SQL_injection>.

But the interesting part came later, when the team was clearing up
<http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/>.
They could see the user, but what password had he used? All they had was
the entry in the MySQL database for the password; but that had been
loosely encoded (encrypted is too strong a word) using the MD5 hash
<http://en.wikipedia.org/wiki/MD5>.

You shouldn't, in theory, be able to extract the original text from an
MD5 hash. That would take millions, or at least thousands, of computers
running all the time.

But Steven Murdoch began thinking. Who is there out there who has
thousands of computers running all the time? Um, everyone. And some
might be generating MD5 hashes and putting them on the web...

He took the hash - 20f1aeb7819d7858684c898d1e98c1bb - from the database
and stuck it into Google
<http://www.google.com/search?q=20f1aeb7819d7858684c898d1e98c1bb>. Lo
and behold, it turned out to be "Anthony".

So far, so trivial. Except this: if someone does the same trick on a
site that you use, they might be able to get read access to the
database. They'll be able to see the username and email associated with
the MD5 hash. And, on the assumption that you use that password
repeatedly, such a hacker could trawl the web looking for places you log in.

So: want to check the security of your favourite password(s)? First, use
the MD5 hashing page here <http://pajhome.org.uk/crypt/md5/> (it's a
Javascript function; there's nobody grabbing your password, I'd wager,
though if you want to feel safe and have OSX, go to the terminal and
type md5 -s mypassword - though use your password, not mypassword).

Second, paste that code into your favourite search engine. If it returns
no results - well done! You've evaded that hack, for now.

So, how did you do? (I passed. Phew.)

Hints if you failed: change that password to one which includes both
letters and numbers.

And no, we don't know if the junior official at HMRC
<http://www.guardian.co.uk/technology/2007/nov/22/data.security> used MD5.


http://blogs.guardian.co.uk/technology/2007/11/23/forgotten_your_password_google_can_find_it_for_you_unfortunately.html

