7 comments

[ 5.2 ms ] story [ 37.2 ms ] thread
Cool, it claims to find every hash for "478oytvbosertvobaWEC"
Wow, every password has been cracked, even the ones I just made up like "ldkfjg832u23rsiu32842)(/&()". No password is safe anymore, so I can just stick my old "Password!".
it is the colors that are confusing. red means 'not found'. if you click on the results it will bring up the google result

i've pinged the developer to inverse the color scheme and to add a note about clicking through to see the results

at least, if you submit a form with your password to an unknown site, it is potentially insecure.
Dev here. The red results are because of Google's limitation for searches from one IP. Now, I wrote the app again, but instead of scraping the Google results, I used the official Google search API. This way there should not be any limits whatsoever. It works like a charm, BUT the API excludes the biggest hash databases from the results (of course...), so the results can be green even though a cracked hash has been found.
The awesome thing about an app like this is that when you have a lot of people use it you can then use the logged password checks as dictionary attacks against hashed passwords that you steal. Very clever social engineering attack.
Now I reversed the app back to where it was at first; fast and only searches "hash+plainstring". Now the results include all the hash databases too. The server IP gets banned from time to time, but the IP should be dynamic, so the bans won't last forever.

I could use Yahoo, but it doesn't find nearly as much hashes as Google.

Also, no logs are kept.