Decryption of 11 million Ashley Madison passwords by hobbyist hackers brings more woe to Ashley Madison.com users. Stolen password data was thought to be secure; shock, horror, surprise…it wasn’t. But just how much are Ashley Madison themselves responsible for using simple and easy to break passwords?
It’s the data breach story that just won’t go away. Just when the FileHippo.com writers thought that maybe, just maybe, Ashley Madison would stop being news BANG, along comes this story…
Last month, the hacking group known as “Impact Team” dumped almost 100 gigabytes of affair specialists Ashley Madison’s user data onto the internet. It was thought that Ashley Madison’s users could take some solace in the fact that at least their passwords were encrypted. Not that there was much solace to go round. After having your login, email, and credit card details, and geographic locations released on Tor, it probably couldn’t get much worse.
Ashley Madison: the extramarital affair story that just keeps getting worse for its users.
Security experts had commented widely in the days after the data breach that Ashley Madison programmers were to be commended for the strong cryptography they had used to protect users passwords. Using a specialist tool known as Bcrypt, a security algorithm that not only encrypts but slows down even brute force cracking of passwords. It had been generally assumed that even with the use of a Super Computer, cracking the passwords could take centuries.
But now, a different hacking group, CynoSure Prime, (enthusiastic hobbyists, apparently) have according to several tech websites, managed it in just over a week of trying. The group revealed they had cracked the Ashley Madison secure encrypted passwords in a blog post, last Thursday.
The Bcrypt algorithm itself was however not to blame. It turns out that Ashley Madison had, in the past, used a different method to encrypt passwords, that, well, wasn’t so secure. The result? CynoSure Prime could brute force their way the old protection quickly; about a million times faster according to Arstechnica.com
Bcrypt wasn’t used at Ashley Madison until after May 2012, leading to some estimates that nearly 15 million accounts could be at risk, in total. CynoSure Prime have decrypted 11 million already, but expect to get through the remaining 4 million or so, sometime in the next week.
Simple Passwords were easy to crack
Cynosure Prime have stated in another blogpost that the “majority of passwords that we have cracked so far appear to be quite simple,” CynoSure Prime seemed surprised at just how easy it was to crack some of the passwords. For example, Password, itself came up as having been used 630,000 times.
Don’t use “Password” as your password.
Not that it will really help, but Ashley Madison users have been advised to change their passwords if they have not already done so, to something not so simple. For some good advice on creating strong passwords, check back to this website tomorrow for some password creation tips.
The picture below from CynoSure Prime’s blog post shows some of the more interesting passwords chosen by users.