On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote: > >>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup. > > Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ? I think this is the original report http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/ which Bruce Schneier highlighted http://www.schneier.com/blog/archives/2007/11/using_google_to.html The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and searched for that hash on Google, and discovered it was a hash for the string "Anthony". It's a cute trick, but not very meaningful for databases of salted hashes, and probably not very important for passwords that cracklib, the standard Windows "strong password" rules, etc. would accept. -Peter
