Cracking out MD5 passwords with Google

November 20, 2007

As seen on Slashdot, a security researcher at Cambridge found a very interesting use for Google (full story).

I am shocked… I didn’t know that WordPress is storing our precious passwords without a salt! And even more shocking is that Google is so great at storing and indexing everything that you can even use it to infer passwords given the MD5 hash… that’s scary.

Of course, if you have a strong password it won’t work, but it is a trivial way to break the passwords of people oblivious to computer security who use plain dictionary words as passwords. I don’t really know the trends, but I wouldn’t be surprised if a lot of people still do that (when the site does not enforce a stronger password policy).

It is amazing how many things can be done with Google (maybe it will work with some other search engine… but I didn’t feel like trying), and it is really disappointing that WordPress got so careless. In most cases there is no reason not to use a salt, and the extra coding effort is negligible. Anyway, if you have a simple WordPress password, consider changing it.
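To make the point about salts concrete, here is an added example (not code from the original post or from WordPress): a small constructed word list stands in for the pages a search engine has indexed, and all function names are illustrative. It stores the password with PBKDF2 and a per-user random salt, which goes a step beyond the plain salt the post asks for.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: stands in for text that a public index already holds.
INDEXED_WORDS = ["sunshine", "dragon", "letmein", "monkey"]


def md5_hex(password: str) -> str:
    """Unsalted MD5: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


# A digest -> word table can be built once and reused against every site
# that stores unsalted MD5, which is why a plain lookup is enough.
PUBLIC_INDEX = {md5_hex(w): w for w in INDEXED_WORDS}


def lookup(digest_hex: str) -> Optional[str]:
    """Return the indexed word for a digest, or None if it was never indexed."""
    return PUBLIC_INDEX.get(digest_hex)


def hash_salted(password: str, salt: Optional[bytes] = None,
                rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Hash with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes,
                  rounds: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt, rounds)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("unsalted lookup:", lookup(md5_hex("dragon")))
    salt_a, hash_a = hash_salted("dragon")
    salt_b, hash_b = hash_salted("dragon")
    print("same password, different stored values:", hash_a != hash_b)
    print("salted lookup:", lookup(hash_a.hex()))
    print("login still verifies:", verify_salted("dragon", salt_a, hash_a))
```

The salt is stored next to the digest; it does not need to be secret, it only has to differ per user so that no shared precomputed table applies.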

