Google Password Hacking…

Back in October, a hacker broke into a security-themed blog named Light Blue Touchpaper. The hacker then promoted himself to an administrator. I am not aware of any damage caused by the perpetrator since the blog owner rapidly discovered the break-in, disabled the account, and tightened up security. In doing so, he examined the database to see if he could learn more information about the hacker.

What he discovered was the MD5 hash of the password. At first he wrote a rudimentary brute-force cracking program to try to determine the password. Quickly giving up, he turned to Google, surprisingly finding the answer right away: “Anthony”.

Of course, I decided to do the same on a larger scale. The following list of common names, words, and passwords and their “secure” MD5 hashes was found simply by Googling:

  • 006cb570acdab0e0bfc8e3dcb7bb4edf (jon)
  • 012d7ca0ce1d7acc274b3c005a58188a (rogers)
  • 02558a70324e7c4f269c69825450cec8 (alan)
  • 03b083fd0aadc8883198881ba88111ab (gary)
  • 07d0876261b410e608588d34d764518e (thomson)
  • 084bf25cb5d7ea954e13e264437daf1c (mitchell)
  • 098f6bcd4621d373cade4e832627b4f6 (test)
  • 0a909ffe7be1ffe2ec130aa243a64c26 (christopher)
  • 0acf4539a14b3aa27deeb4cbdf6e989f (michael)
  • 0be5a6c82893ecaa8bb29bd36831e457 (personal)
  • 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)
  • 0dae4a923e4ae71d0a8960c6f89c3c18 (morgan)
  • 0f4137ed1502b5045d6083aa258b5c42 (windows)
  • 1a1dc91c907325c69271ddf0c944bc72 (pass)
  • 334c4a4c42fdb79d7ebc3e73b517e6f8 (none)
  • 3c3662bcb661d6de679c636744c66b62 (sex)
  • 4d5257e5acc7fcac2f5dcd66c4e78f9a (mickey)
  • 51149f6fea1a3179b364f1994e06e4d4 (secretpw)
  • 5d41402abc4b2a76b9719d911017c592 (hello)
  • 5ebe2294ecd0e0f08eab7690d2a6ee69 (secret)
  • 5f4dcc3b5aa765d61d8327deb882cf99 (password)
  • 5f532a3fc4f1ea403f37070f59a7a53a (microsoft)
  • 6ae199a93c381bf6d5de27491139d3f9 (richard)
  • 7c6a180b36896a0a8c02787eeafb0e4c (password1)
  • 827ccb0eea8a706c4c34a16891f84e7b (12345)
  • d0763edaa9d9bd2a9516280e9044d885 (monkey)
  • d8578edf8458ce06fbc5bb76a58c5ca4 (qwerty)
  • df53ca268240ca76670c8566ee54568a (computer)
  • e10adc3949ba59abbe56e057f20f883e (123456)
  • e99a18c428cb38d5f260853678922e03 (abc123)
  • eb0a191797624dd3a48fa681d3061212 (master)
  • f561aaf6ef0bf14d4208bb46a4ccb3ad (xxx)

I found hundreds, if not thousands, of common words and their MD5 hashes — far too easily. Another reason to use hard-to-guess, non-dictionary passwords. Lucky for me, none of the MD5 hashes of my medium- or high-security passwords are in Google’s results yet. The MD5s for all my simple passwords (less than seven digits long) are all readily available.

This is damn scary.
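An added example (not part of the original post): a defender-side audit that flags stored unsalted MD5 hashes which appear in a precomputed table, next to a salted, deliberately slow alternative whose output cannot be indexed this way. The wordlist, user names, function names and the PBKDF2 iteration count are assumptions made for illustration; the two sample hashes come from the list above.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real audit would load a much larger one.
COMMON_WORDS = ["password", "letmein", "123456", "qwerty", "hello", "test"]
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def build_md5_table(words):
    """Precompute md5(word) -> word, the same mapping a search index ends up holding."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def audit_unsalted(stored, table):
    """Return {user: recovered_word} for every stored unsalted MD5 found in the table."""
    return {u: table[h.lower()] for u, h in stored.items() if h.lower() in table}

def hash_password(password, salt=None):
    """Hardened storage: a random per-user salt plus a slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    # Constructed user table: alice and bob use hashes from the list above,
    # carol has an MD5 that is not in the wordlist.
    stored = {
        "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
        "bob": "0d107d09f5bbe40cade3de5c71e9e9b7",
        "carol": hashlib.md5(b"kV9#tq2!Lw7xRz").hexdigest(),
    }
    print("weak accounts:", audit_unsalted(stored, build_md5_table(COMMON_WORDS)))

    # Same password, two users: the salted digests differ, so no single
    # precomputed (or search-indexed) value matches both.
    s1, d1 = hash_password("password")
    s2, d2 = hash_password("password")
    print("digests differ:", d1 != d2)
    print("verifies:", verify_password("password", s1, d1))
```

Salting removes the shared lookup value, but a weak password can still be guessed against its own salted digest, which is why the slow work factor and the advice about non-dictionary passwords both still apply.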


4 Responses to “Google Password Hacking…”

  1. Response #1
    richard on December 20th, 2007 at 4:54 pm

    Just as scary: when I later Googled one of the hashes a few hours later, Google already had this page near the top of their search results!

  2. Response #2
    prabinpeecee (IP) on February 8th, 2008 at 12:33 pm

    19df4b3caa2c29ad64645bb57150845c43672e7d

  3. Response #3
    richard on February 8th, 2008 at 2:01 pm

    I’m assuming that by leaving that MD5 hash as a comment, you’re asking for help on cracking it. I will not condone or support that sort of behavior on my website. This article was written only to point out how easy it is to obtain commonly used passwords by searching Google for their hashes.

  4. Response #4
    Rich (IP) on March 30th, 2008 at 9:55 pm

    Please, big brothers, tell me something about how to hack an Orkut web account
    Please, please @};-
    I will wait for your answers, brothers
