Find MD5 passwords the easy way

November 21st, 2007


I was just reading Slashdot when I found a quick and convenient way to get the cleartext for MD5 hashes.

A security researcher at Cambridge was trying to figure out the password used by somebody who had hacked his Web site. He tried running a dictionary through the encryption hash function; no dice. Then he pasted the hacker’s encrypted password into Google, and voila — there was his answer.

Take 2034f6e32958647fdff75d265b455ebf, for example. If you ask Google whether it knows this hash, you’ll get a number of hits, all containing the hash and the corresponding cleartext password.

The original article comes from the Security Group at the University of Cambridge Computer Laboratory, and they correctly describe it:

Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best — storing large databases and searching them.
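Why the search works, and what stops it, as an added example that is not part of the original post or the Cambridge article: unsalted MD5 gives the same digest for a password on every site, while a per-record random salt makes each stored value unique. The function names, the sample password, and the choice of PBKDF2-HMAC-SHA256 as the salted scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def md5_unsalted(password: str) -> str:
    """Scheme from the post: every site derives the same digest for a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt makes each record unique."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        # Malformed record: wrong field count, bad hex, or bad iteration count.
        return False
    return hmac.compare_digest(dk, expected)

def is_searchable(hasher, password: str) -> bool:
    """True if two independent hashings give the same stored string, i.e. one
    published (hash, cleartext) pair anywhere exposes every account using it."""
    return hasher(password) == hasher(password)

if __name__ == "__main__":
    pw = "password"  # constructed sample value
    print("md5   :", md5_unsalted(pw), "searchable:", is_searchable(md5_unsalted, pw))
    record = hash_password(pw)
    print("pbkdf2:", record[:40] + "...", "searchable:", is_searchable(hash_password, pw))
    print("verify ok:", verify_password(pw, record), "| wrong pw:", verify_password("x", record))
```

The salt does not make a weak password strong; it only ensures that the stored value cannot be matched against an index of hashes computed elsewhere.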
