Back in October, a hacker broke into a security-themed blog named Light Blue Touchpaper. The hacker then promoted himself to an administrator. I am not aware of any damage caused by the perpetrator since the blog owner rapidly discovered the break-in, disabled the account, and tightened up security. While doing so, he examined the database to see if he could learn more information about the hacker.
What he discovered was the MD5 hash of the password. At first he wrote a rudimentary brute-force cracking program to try to determine the password. Quickly giving up, he turned to Google and, to his surprise, found the answer right away: “Anthony”.
Naturally, I decided to do the same on a larger scale. The following list of common passwords and their “secure” MD5 hashes was found simply by Googling:
- 098f6bcd4621d373cade4e832627b4f6 (test)
- 0be5a6c82893ecaa8bb29bd36831e457 (personal)
- 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)
- 0f4137ed1502b5045d6083aa258b5c42 (windows)
- 1a1dc91c907325c69271ddf0c944bc72 (pass)
- 334c4a4c42fdb79d7ebc3e73b517e6f8 (none)
- 3c3662bcb661d6de679c636744c66b62 (sex)
- 51149f6fea1a3179b364f1994e06e4d4 (secretpw)
- 5d41402abc4b2a76b9719d911017c592 (hello)
- 5ebe2294ecd0e0f08eab7690d2a6ee69 (secret)
- 5f4dcc3b5aa765d61d8327deb882cf99 (password)
- 5f532a3fc4f1ea403f37070f59a7a53a (microsoft)
- 7c6a180b36896a0a8c02787eeafb0e4c (password1)
- 827ccb0eea8a706c4c34a16891f84e7b (12345)
- d8578edf8458ce06fbc5bb76a58c5ca4 (qwerty)
- e99a18c428cb38d5f260853678922e03 (abc123)
- eb0a191797624dd3a48fa681d3061212 (master)
- f561aaf6ef0bf14d4208bb46a4ccb3ad (xxx)
I found hundreds, if not thousands, of common words and their MD5 hashes — far too easily. Another reason to use hard-to-guess, non-dictionary passwords. Luckily for me, none of the MD5 hashes of my medium- or high-security passwords are in Google’s results yet. The MD5s of all my simple passwords (less than seven digits long) are readily available.
This is dåmn scary.
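The reason the table above works is that an unsalted MD5 digest is a fixed function of the password alone, so the same word always produces the same, indexable string. The following added example (my own code, not from the post or the blog discussed) checks a few of the quoted pairs and contrasts that scheme with a per-user salt plus a slow KDF, where two users with the same password get different stored values and a digest-keyed lookup returns nothing.

```python
import hashlib
import hmac
import os

# A constructed copy of a few hash/password pairs quoted in the post,
# kept here only so they can be checked.
POSTED_PAIRS = {
    "test": "098f6bcd4621d373cade4e832627b4f6",
    "hello": "5d41402abc4b2a76b9719d911017c592",
    "password": "5f4dcc3b5aa765d61d8327deb882cf99",
    "12345": "827ccb0eea8a706c4c34a16891f84e7b",
    "qwerty": "d8578edf8458ce06fbc5bb76a58c5ca4",
}

def unsalted_md5(password: str) -> str:
    """The scheme the post criticises: one fixed digest per password, so a
    search engine (or any precomputed table) can map the digest back."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def verify_posted_pairs(pairs=POSTED_PAIRS) -> dict:
    """Return {password: bool}: does the quoted digest equal md5(password)?"""
    return {pw: unsalted_md5(pw) == digest for pw, digest in pairs.items()}

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the
    standard library). Stored as 'iterations$salt$dk' so it can be verified."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)

def same_password_same_hash(password: str) -> tuple:
    """Contrast: unsalted MD5 repeats; salted hashes of the same word differ."""
    plain_repeats = unsalted_md5(password) == unsalted_md5(password)
    s1 = salted_hash(password, os.urandom(16))
    s2 = salted_hash(password, os.urandom(16))
    return plain_repeats, s1 != s2

if __name__ == "__main__":
    print(verify_posted_pairs())
    stored = salted_hash("password", os.urandom(16))
    print(stored)
    print(verify_salted("password", stored), verify_salted("Password", stored))
```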