Using MD5 or other hash functions is common to store sensitive information like password. Many websites authenticate the user by hashing the entered password and matching the hash with the hashed password stored in their database. This addresses the security concern associated with passwords kept in clear text. This technique works since given a hash it’s almost impossible to arrive at the original text, while it’s easy to get the hash given the clear text. That’s why hashing is called a “one-way” operation.

Yesterday, however as reported by “The Register”, a Cambridge university researcher used Google search to crack the password of a hacker who was trying to compromise the computer lab journal of the university. Hoping that the password was a commonly used word, he got the hashed password stored by wordpress and simply googled for it and got a few hits for the password “Anthony”! So essentially, he was able to use Google search to get the clear text from its hash - something that’s very difficult to achieve computationally.

This of course won’t have worked if the password was complex enough, or if hashing had used a salt (additional data added to clear text before hashing). But this incident has a lesson for everyone - this time it was used to crack the password of hacker, but unless you have complex passwords, going forward hackers might use the same technique to get yours!