Google as a password cracker

Light Blue Touchpaper does a nice job explaining the utility of a giant online cache of password hashes:

In both the webpages, the target hash was in a URL. This makes a lot of sense — I’ve even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key’s MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions. If there are too many entries to store in a single directory, by creating directories for each prefix, there will be an even distribution of files. MD5 is quite fast, and while it’s unlikely to be the best option in all cases, it is an easy solution which works pretty well.

Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best — storing large databases and searching them. I doubt, however, that they envisaged this use though.

Maybe they thought weak passwords are not their problem to solve, and for good reason. The fact that MD5 hashes are now considered weak and common makes them about as “secret” as the origin words they try to obfuscate. It is like MD5 hashes have become as common as words themselves, since there are so many computers “speaking” them, sort of like Chinese becoming common as there are more Chinese people.

Thus, this is similar to asking whether a library should have any vision of how people will use the popular words they collect in their shelves. If we are to say Google should be regulated and hide or destroy the MD5 hashes, just like pornography or other sensitive and offensive material, they will have the interesting task of correctly identifying MD5 hashes to remove from their databases. The more practical answer is for people to use better secrets, with better hashing (e.g. use salts and SHA1), and realize that Google collects everything, or just move away from secrets towards multi-factor authentication. WordPress needs a plugin that gives better authentication options, for sure.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.