Using Google to Crack Passwords

Back in October, a hacker broke into a security-themed blog named Light Blue Touchpaper. The hacker then promoted himself to an administrator. I am not aware of any damage caused by the perpetrator since the blog owner rapidly discovered the break-in, disabled the account, and tightened up security. While doing so, he examined the database to see if he could learn more information about the hacker.

What he discovered was the MD5 hash of the password. At first he wrote a rudimentary brute-force cracking program to try to determine the password. Quickly giving up, he turned to Google, surprisingly finding the answer right away: “Anthony”.

Naturally, I decided to do the same on a larger scale. The following list of common passwords and their “secure” MD5 hashes was found simply by Googling:

  • 098f6bcd4621d373cade4e832627b4f6 (test)
  • 0be5a6c82893ecaa8bb29bd36831e457 (personal)
  • 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)
  • 0f4137ed1502b5045d6083aa258b5c42 (windows)
  • 1a1dc91c907325c69271ddf0c944bc72 (pass)
  • 334c4a4c42fdb79d7ebc3e73b517e6f8 (none)
  • 3c3662bcb661d6de679c636744c66b62 (sex)
  • 51149f6fea1a3179b364f1994e06e4d4 (secretpw)
  • 5d41402abc4b2a76b9719d911017c592 (hello)
  • 5ebe2294ecd0e0f08eab7690d2a6ee69 (secret)
  • 5f4dcc3b5aa765d61d8327deb882cf99 (password)
  • 5f532a3fc4f1ea403f37070f59a7a53a (microsoft)
  • 7c6a180b36896a0a8c02787eeafb0e4c (password1)
  • 827ccb0eea8a706c4c34a16891f84e7b (12345)
  • d8578edf8458ce06fbc5bb76a58c5ca4 (qwerty)
  • e99a18c428cb38d5f260853678922e03 (abc123)
  • eb0a191797624dd3a48fa681d3061212 (master)
  • f561aaf6ef0bf14d4208bb46a4ccb3ad (xxx)

I found hundreds, if not thousands, of common words and their MD5 hashes — far too easily. Another reason to use hard-to-guess, non-dictionary passwords. Lucky for me, none of the MD5 hashes of my medium- or high-security passwords are in Google’s results yet. The MD5s for all my simple passwords (less than seven digits long) are all readily available.

This is dåmn scary.
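An added example, not part of the original post: a small audit that flags stored unsalted MD5 hashes matching common passwords from the list above, next to a salted alternative whose output cannot be found by a lookup. The choice of PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample user table are assumptions of this example.

```python
import hashlib
import hmac
import os

# Common passwords taken from the list in the post; the hashes are computed
# here rather than retyped.
COMMON = ["test", "letmein", "pass", "hello", "secret", "password",
          "password1", "12345", "qwerty", "abc123", "master"]
LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}


def audit_unsalted_md5(rows):
    """Return {user: password} for stored hashes that a plain lookup recovers."""
    return {user: LOOKUP[h.lower()]
            for user, h in rows.items() if h.lower() in LOOKUP}


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; the random salt is stored beside the hash."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived


def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(derived, expected)


# Constructed sample user table with an unsalted MD5 column (hypothetical users).
SAMPLE_ROWS = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"qwerty").hexdigest(),
    "carol": hashlib.md5(b"T7#vq!kD92-zeLm").hexdigest(),
}

if __name__ == "__main__":
    # Accounts whose password falls out of a simple hash lookup.
    print(audit_unsalted_md5(SAMPLE_ROWS))
    # The same password hashed twice with random salts gives different values,
    # so there is no single hash string to search for.
    s1, n1, h1 = hash_password("letmein")
    s2, n2, h2 = hash_password("letmein")
    print(h1 != h2, verify_password("letmein", s1, n1, h1))
```

A salt only defeats precomputed lookups; a password such as "letmein" is still guessable, which is why the example also uses a deliberately slow derivation function.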

5 Responses to “Using Google to Crack Passwords”

  1. richard

    I’m assuming that by leaving that MD5 hash as a comment, you’re asking for help on cracking it. I will not condone or support that sort of behavior on my website. This article was written only to point out how easy it is to obtain commonly used passwords by searching Google for their hashes.

  2. Rich

    Please tell me something, big brothers, about how to hack an Orkut web account.

    Please, please @};-

    I will wait for your answers, brothers.

  3. Spicoli

    That’s why we salt the password before hashing. It’s a major failure of the software if they didn’t do that.
