Google used as a password cracker


Researchers at Cambridge University's Computer Science department have used Google to help crack passwords obfuscated with the Message-Digest Algorithm 5 (MD5) hash. Steven Murdoch (security researcher, Light Blue Touchpaper blog) discovered that someone had broken into his WordPress blog and created an administrator account.

He later carried out some computer forensics to determine the extent of the damage the intruder had done. Murdoch then became interested in working out the password the intruder had used for the administrator account.

Because WordPress passwords are MD5 hashed and stored in a database, Murdoch wrote a script that MD5-hashed all the words in the dictionary, looking for a match. This failed, and so did using a Russian dictionary, so he turned to Google.

Murdoch simply entered the MD5 password hash into Google and got several hits with one thing in common: the name 'Anthony'.

"Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before," said Murdoch. "Google is doing what it does best: storing large databases and searching them. I doubt, however, that they envisaged this use."
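Why the search worked, seen from the defender's side, as an added example that is not from the original post: a plain MD5 digest is identical wherever the same string is hashed, so any index of previously hashed strings resolves it, while a per-user salted PBKDF2 record never matches such an index. The word list, function names, record format and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for "things that people have hashed before".
PREVIOUSLY_HASHED = ["password", "letmein", "Anthony", "qwerty"]

def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode("utf-8")).hexdigest()

def build_index(words):
    """Map digest -> plaintext, which is what a search index of published hashes amounts to."""
    return {md5_hex(w): w for w in words}

def store_unsalted_md5(password: str) -> str:
    """Weak storage: the record depends only on the password."""
    return md5_hex(password)

def store_salted_pbkdf2(password: str, iterations: int = 200_000) -> str:
    """Hardened storage: a random per-record salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo():
    index = build_index(PREVIOUSLY_HASHED)
    sample = "Anthony"  # sample value, borrowed from the name in the article
    weak_a, weak_b = store_unsalted_md5(sample), store_unsalted_md5(sample)
    strong_a, strong_b = store_salted_pbkdf2(sample), store_salted_pbkdf2(sample)
    return {
        "unsalted_identical": weak_a == weak_b,      # same password, same record
        "unsalted_found": index.get(weak_a),         # resolved by a plain lookup
        "salted_identical": strong_a == strong_b,    # same password, different records
        "salted_found": index.get(strong_a),         # nothing to look up
        "salted_verifies": verify_salted_pbkdf2(sample, strong_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```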

This entry was posted on Monday, November 26th, 2007 at 2:41 pm and is filed under Google, Internet.