Google's password cracker Last month, the security group at the University of Cambridge's Computer Lab had its group blog, Light Blue Touchpaper (lightbluetouchpaper.org), hacked via a previously unknown vulnerability in the popular blogging software Wordpress. While cleaning up, researcher Steven Murdoch discovered a new problem: Google makes a fine password cracker. Basic security principles prohibit storing a list of valid usernames and passwords in clear text. Instead, they are stored in a encrypted ("hashed") form, so the list is unreadable to anyone who does gain access. To check a password, you encrypt it and compare the result against what is stored. Your password never resurfaces in the clear. Wordpress encrypts passwords using a popular algorithm called MD5, a one-way function that had turned the hacker's password into "20f1aeb7819d7858684c898d1e98c1bb". Murdoch tried cracking it, then tried a Google search on the string. It spat back a few pages showing that the original word - the hacker's password - was "Anthony".
I generally use the same password for sites where it doesn't matter if someone cracks it. Following the above instructions, I used google (successfully) to find my password if I give it the one-way MD5 hash.