• 07
  • Jan

No doubt, Google is the information holder of the universe. Even for your insecure passwords. Not long ago Steven J. Murdoch discovered that you could search Google for the MD5 hash of a password and get results that contain the password.

In this case, the MD5 is in the URL:

http://freepages.genealogy.rootsweb.com/~camat/harvey/srn/2/0/20f1aeb7819d7858684c898d1e98c1bb.html

Example of MD5 values in a database

If you didn’t know, MD5 hashes are usually stored in databases in place of a password (or used to verify file integrity). The password is passed through an algorithm to compute the hash value. This ‘secures’ the password and prevents anyone from reading it in plain text. How long it takes to recover the original value from the hash depends on the size and complexity of your password. This is achieved through a brute force method.

There are some other sites for searching for MD5 values.

What happened in Steven Murdoch’s case is that a WordPress user elevated his privileges to administrator and compromised the Light Blue Touchpaper blog. While investigating and cleaning up after the incident, Steven was curious as to what the password might be, so he pulled its hash from the WordPress database and Googled it. There was his answer.
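Why a search engine can answer that query, as an added example that is not code from the original post or from WordPress: an unsalted MD5 is the same value everywhere the password is used, while a per-user salted, iterated hash is not. The account names, passwords and the PBKDF2 record format here are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(password):
    """Unsalted MD5 as described in the post: same password, same hash, everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record in the form iterations$salt$digest (hex)."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_hashes(table):
    """Return groups of users whose stored value is byte-for-byte identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample accounts (not taken from the incident described above).
SAMPLE = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery"}

if __name__ == "__main__":
    md5_table = {u: md5_hex(p) for u, p in SAMPLE.items()}
    kdf_table = {u: hash_password(p) for u, p in SAMPLE.items()}
    # Identical MD5 values mean one public occurrence of the hash exposes every user of it.
    print("Users sharing an MD5 value:    ", shared_hashes(md5_table))
    print("Users sharing a PBKDF2 record: ", shared_hashes(kdf_table))
    print("Salted record still verifies:  ", verify_password("letmein", kdf_table["bob"]))
```
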

You can compute the MD5 hash of your password online — or if that doesn’t leave you feeling safe you could use xB Browser or a local application.

Interested in recovering MD5 hashes? Rainbow tables anyone?

  • 28
  • Nov

THC Hydra

I stumbled upon an interesting find today. Mandylion Labs has a brute force calculator available in .xls format. I have also converted it (unmodified) to .ods format (Go OO.org) for you.

Take some time to enter the number of characters for your passwords to see how long it would take to crack. If it shows ‘0.00 hours’ it means that it is time to upgrade your passwords.

Also, it may be time for a personal password policy.
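The same kind of estimate in code, as an added example that is not the Mandylion spreadsheet or its formula: it counts every password up to a given length and divides by a guess rate. The character-set sizes and the rate of one billion guesses per second are assumptions chosen for illustration.

```python
# Character-set sizes (assumed categories, not the spreadsheet's own).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "alphanumeric": 62,
    "printable_ascii": 95,
}

ASSUMED_GUESSES_PER_SECOND = 1e9  # assumption; depends on the hash and the hardware


def keyspace(length, charset_size):
    """Number of candidate passwords of length 1 through `length`."""
    return sum(charset_size ** n for n in range(1, length + 1))


def hours_to_exhaust(length, charset_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case hours to try every candidate; the average case is half of this."""
    return keyspace(length, charset_size) / rate / 3600


def min_length(target_hours, charset_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Shortest length whose worst-case search time reaches `target_hours`."""
    length = 1
    while hours_to_exhaust(length, charset_size, rate) < target_hours:
        length += 1
    return length


if __name__ == "__main__":
    one_year = 24 * 365
    for name, size in CHARSETS.items():
        hours = hours_to_exhaust(8, size)
        print(f"{name:16s} 8 chars: {hours:14.2f} hours; "
              f"length needed for one year: {min_length(one_year, size)}")
```
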

Brute Force Calculator XLS Format | Brute Force Calculator ODS Format

  • 22
  • Nov

I hear from a lot of people who are wholeheartedly against saving passwords in their browser. I would agree if these were not encrypted in any way, but by implementing a master password in Firefox, we can encrypt our saved passwords. Beware that any passwords saved before you set your master password are NOT encrypted and it is still possible for malicious code to steal your passwords through a web site.

Just for giggles, I will try to crack my Firefox master password. I will do this by using Nagareshwar Talekar’s FireMaster Firefox master password recovery tool.

Firemaster is a Windows only tool so I am going to load it up in my VMware and see how long it takes to crack my Firefox master password.

Download Firemaster.

Extract the Firemaster.exe to a folder, like your desktop.

I am going to use the brute force method. If you like, run firemaster without options to see the syntax switches. The most important switches are -n for the number of characters and -a to specify which characters to use when brute forcing. Now run FireMaster like so:

firemaster -q -b -n 15 -a "qwertyuiopasdfghjklzxcvbnm1234567890!@#$%^&*()" "C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\XXXXXX.default"


  • 17
  • Sep

1. Tools -> Options (Or Edit -> Preferences for Linux)

2. Security -> Show passwords

OMG - there are all my passwords!!! So? Well what if ur mom gets on your computer and logs into your gmail account!!! oh n03s!!!

FIX IT!!

  1. Check Use Master Password under Options -> Security and enter a password. Be sure to use a complex password, something like P@ssw0rD, with upper case, lower case, numbers, and symbols and make it looooong. That way your younger computer geek brother can’t crack it, it will take him at least a day to brute force it, geez.
  2. You will have to enter the password for each session you start in Firefox SO DON’T FORGET IT or else you WILL NOT be able to access ur profile passwords.

peace!

  • 17
  • Sep

What makes a strong password?

Length is the key. Some say to create a password with uppercase, lowercase, numbers and special characters. This does make a password harder to crack, but also makes the password hard to remember and leads to some people writing the passwords down. A password with 8 characters is good; a password with greater than 14 characters is great. A lot of programs will not even try to crack a password that is over 14 characters.

A 15 character password of letters is about 30,000 times stronger than a password that is 8 characters composed of characters from the entire keyboard. Which leads me to believe that sentences are the answer to password security.