Linked by Thom Holwerda on Mon 4th Jul 2011 21:43 UTC
So, Anonymous, under the guise of its AntiSec campaign, has hacked an Apple server, got access to 27 administrator usernames and passwords, and put them on Pastebin. Is it time to panic? Is it time to point and laugh at Apple? Is it time to stop using iTunes? Not really - this is a small hack that will cause little to no damage.
RE: SHA1 hashed
by StephenBeDoper on Tue 5th Jul 2011 19:50 UTC in reply to "SHA1 hashed"

SHA1 is a one-way hash like MD5. So can't get passwords from it, it's pretty much useless to the hacker.

All the Google results are pointing to the same hacked paste dump. How do you figure that they are not salted from that?

My understanding is that it works something like this:

1) You have a hashed version of a password (and you don't know the real password), e.g. 81dc9bdb52d04dc20036dbd8313ed055

2) In the past, you've also created hashes from a large number of common passwords (dictionary words, given names, etc), giving you a database listing the plain text passwords in one column and the hashed output in another column.

3) You look up "81dc9bdb52d04dc20036dbd8313ed055" in this collection and notice that it's the same hash you get when running MD5 on the password "1234".

The "googleable" part comes in at step 2, I'd imagine: instead of creating the list of un-hashed and hashed passwords yourself, you just google "81dc9bdb52d04dc20036dbd8313ed055", under the assumption that someone has already done that work and posted the details online.

Lo and behold, the first Google result shows the un-hashed text right in the summary:

"Google Hash. md5(1234) = 81dc9bdb52d04dc20036dbd8313ed055"

Reply Parent Score: 2
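
The lookup described in the comment above, next to the storage scheme that defeats it, as an added example that is not part of the original comment. The wordlist, function names and iteration count are assumptions chosen for illustration; the same table lookup works against any unsalted fast hash, including unsalted SHA-1.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the "large number of common
# passwords" from step 2 of the comment.
COMMON = ["password", "letmein", "1234", "qwerty"]


def build_table(words):
    """Step 2: precompute unsalted MD5 -> plaintext once; reusable for any leak."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def store_salted(password, iterations=200_000):
    """Defender side: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def demo():
    table = build_table(COMMON)
    leaked = "81dc9bdb52d04dc20036dbd8313ed055"  # hash quoted in the comment
    unsalted_hit = table.get(leaked)             # step 3: plain dictionary lookup

    # The same password stored twice with salts yields two unrelated values,
    # so neither a precomputed table nor a search engine has an entry for them.
    rec_a = store_salted("1234")
    rec_b = store_salted("1234")
    salted_hit = table.get(rec_a[2].hex())
    return unsalted_hit, salted_hit, rec_a[2] != rec_b[2], verify_salted("1234", rec_a)


if __name__ == "__main__":
    print(demo())
```

Salting removes the precomputation shortcut only; a weak password such as "1234" can still be guessed per account, which is why the slow KDF and a password policy matter as well.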