The Ashley Madison hack has been nothing short of a disaster. Among the gigabytes of data leaked from the website's servers were 36 million passwords protected via an intense, slow algorithm known as bcrypt. Normally these passwords would take centuries to crack, but due to a programming error on Ashley Madison's part, 15.26 million of the passwords are vulnerable to much faster decryption.
CynoSure Prime, the group behind the cracking effort, discovered that around 40 percent of the passwords were obscured via the MD5 hashing algorithm, and stored alongside a bcrypt-hashed version. MD5 hashes are significantly easier to crack than bcrypt hashes, as the algorithm was designed primarily for speed rather than security.
The programming error involved storing an MD5-hashed "$loginkey" token that contained both the user's username and plaintext password converted to lowercase. Cracking these tokens was relatively easy, as all CynoSure Prime had to do was select a username and guess billions upon billions of passwords.
After the MD5 hashes were cracked, the team then had to restore the multi-case version of the password and test it against the bcrypt hash. While testing this hash was a relatively slow process, around 90 percent of users didn't even bother with a multi-case password, and testing the remaining ten percent turned out to be fairly straightforward.
Thanks to Ashley Madison's use of the efficient MD5 algorithm, the cracking team was able to successfully decrypt 11.2 million passwords in around ten days, and it won't take long to decrypt the remaining four million. The team estimated that cracking the MD5 hashes rather than the bcrypt hashes was around a million times faster.
The ease of cracking these passwords shows how important it is not to use the same password for more than one service, which prevents attackers from cracking username/password combinations and using them to unlock other accounts.
It also highlights to developers what not to do when storing passwords, as the MD5-hashed login credentials could have easily been made significantly more secure by hashing the bcrypt-protected password rather than a plaintext version. In fact the developers implemented this hashing solution after a certain point, which is why 60 percent of leaked Ashley Madison passwords remain uncracked.