

Cracking out MD5 passwords with Google

November 20, 2007

As seen on Slashdot, a security researcher at Cambridge found a very interesting use for Google (full story).

I am shocked… I didn’t know that WordPress is storing our precious passwords without a salt! Even more shocking is that Google is so great at storing and indexing everything that you can even use it to infer passwords given the MD5 hash… that’s scary.

Of course, if you have a strong password it won’t work, but it is a trivial way to break the passwords of people oblivious to computer security who use plain dictionary words as passwords. I don’t really know the trends, but I wouldn’t be surprised if a lot of people still do that (when the site does not enforce a stronger password policy).

It is amazing how many things can be done with Google (maybe it will work with some other search engine… but I didn’t feel like trying), and it is really disappointing that WordPress got so careless. In most cases there is no reason not to use a salt, and the extra coding effort is negligible… Anyway, if you have a simple WordPress password, consider changing it.
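
To make the point about salts concrete, here is an added example (not code from the original post or from WordPress) that stores the same dictionary-word password for two constructed accounts, first as a bare MD5 and then with a per-user random salt. The function names are hypothetical, and the salted variant uses PBKDF2-HMAC-SHA256 from the Python standard library, which is my choice for the illustration rather than anything the post prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this illustration


def md5_unsalted(password: str) -> str:
    """The scheme the post criticises: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a digest with a per-user random salt; store both values."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected)


def demo():
    # Constructed sample data: two accounts sharing a dictionary-word password.
    accounts = {"alice": "password", "bob": "password"}
    unsalted = {user: md5_unsalted(pw) for user, pw in accounts.items()}
    salted = {user: hash_salted(pw) for user, pw in accounts.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = demo()
    # Unsalted: identical digests for identical passwords, so a digest that
    # has been published or indexed anywhere maps straight back to the word.
    print("unsalted equal:", unsalted["alice"] == unsalted["bob"])
    # Salted: each account's stored digest is unique to its salt, so a
    # digest seen elsewhere says nothing about this database.
    print("salted equal:  ", salted["alice"][1] == salted["bob"][1])
```
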