Petronella Blog Archive

As if the Ashley Madison hack wasn't bad enough already...

The one thing Ashley Madison had going for it in the big mess of having 100 GB of data leaked by hackers was that the attackers weren't able to crack the password hashes of account holders. That's no longer the case.

Ashley Madison, a website that should be very concerned about security (because it's a website for people looking for someone outside of their relationship to hook up with), hashed user passwords with bcrypt. The algorithm is so strong and deliberately slow that it would take hundreds of years to crack all 36 million passwords. Unfortunately for the users, who have already been humiliated by being tied to a website for extramarital affairs, some password crackers found programming errors that make almost half of those passwords much easier to uncover. 11 million passwords have already been cracked, and the crackers expect to recover 4 million more in the next week and a half or so. That's 15 out of the 36 million user passwords.

The hobbyist password crackers, who call themselves CynoSure Prime, found the vulnerability after combing through source code that was leaked along with the other data. That code included a database of bcrypt hashes that had also been run through MD5, an algorithm built for speed and efficiency rather than for resisting guessing. To put it in plain terms, they locked the house, but left the key under that conspicuous rock next to the door.

No one is exactly sure why the information was left where it was. Some speculation is that it was part of a system to make it so users didn't have to enter their password every time they logged in. The problem stemmed from errors in code that ran plaintext credentials through MD5. This let CynoSure Prime use MD5 cracking technology instead of having to slog through bcrypt, allowing their computers to try billions of passwords per second, which one CynoSure Prime member estimated to be about a million times faster. To make matters even easier, Ashley Madison converted all usernames to lowercase and didn't require any capital letters or non-alphanumeric characters. They reported that 90% of the passwords didn't have any uppercase letters anyway.
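To show why a "remember me" token built from the password undoes the protection bcrypt was supposed to give, here is an added example (not Ashley Madison's code, and the `weak_loginkey` format is an assumption for illustration): the flawed derivation next to a token that carries no information about the password at all, plus a check of how much lowercasing shrinks the guessing space.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the leaked code. The token layout below is assumed;
# the point is that it is a fast, unsalted hash over lowercased credentials.

def weak_loginkey(username: str, password: str) -> str:
    """Token derived from lowercased credentials with fast MD5 (the flaw)."""
    # Lowercasing collapses 'Secret', 'SECRET' and 'secret' into one guess,
    # and MD5 is cheap, so this token is as easy to attack as an unsalted
    # fast hash, no matter how strong the bcrypt hash next to it is.
    material = f"{username.lower()}::{password.lower()}".encode()
    return hashlib.md5(material).hexdigest()

def issue_loginkey() -> tuple[str, str]:
    """Return (token to put in the cookie, digest to store server-side)."""
    # A random token is not a function of the password, so recovering it
    # tells an attacker nothing about the bcrypt-protected credential.
    token = secrets.token_urlsafe(32)
    # 256 bits of entropy means a single fast hash is enough for storage;
    # a slow hash is only needed when the input is something a human chose.
    return token, hashlib.sha256(token.encode()).hexdigest()

def verify_loginkey(presented: str, stored_digest: str) -> bool:
    """Check a presented cookie token against the stored digest."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison so timing does not leak partial matches.
    return hmac.compare_digest(digest, stored_digest)

def case_fold_collapse(passwords) -> int:
    """How many distinct passwords survive the lowercasing step."""
    return len({p.lower() for p in passwords})

if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print(weak_loginkey("Alice", "Secret") == weak_loginkey("alice", "SECRET"))
    tok, dig = issue_loginkey()
    print(verify_loginkey(tok, dig), verify_loginkey(tok + "x", dig))
    print(case_fold_collapse(["Secret", "SECRET", "secret", "other"]))
```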

CynoSure Prime members aren't releasing the passwords, but they have discussed the methods they used.