Ashley Madison passwords not that hard to crack, actually

11 Sep 2015

Despite numerous security experts offering tempered praise of how Ashley Madison secured its users’ passwords, it turns out they’re pretty easy to crack.

A group called CynoSure Prime claims to have found a quick way of revealing passwords from Ashley Madison accounts, despite previous estimates of it taking decades to do something similar.

Rather than tackling the bcrypt configuration used by the affair website, which was to the power of 12 and therefore a fruitless, near never-ending process, CynoSure Prime looked at the second leak of git dumps for alternative methods.

“We identified two functions of interest and upon closer inspection [discovered] that we could exploit these functions as helpers in accelerating the cracking of the bcrypt hashes,” said the group in a blog post.

The team targeted two md5 processes, which it discovered in the same database as the fairly impenetrable bcrypts.

Md5 obscures passwords, sure, but it allows you to guess them so fast that, once you know the configuration and the username that you want to crack, you can run reams of guesses through until you discover the right one.

Avast had reported findings of a far more miniscule nature the other day, through targeting the bcrypt head on. It was a slow, slow task – although it revealed some truly awful password choices.

“By design, bcrypt is slow,” it said. “The same card that can test 8.5 billion hashes per second with md5 can test in the order of 50 per second with bcrypt. Not 50 million, or even 50 thousand. Just 50.”

Speed is king, and it’s the reason CynoSure Prime had, as of yesterday, cracked 11.2m of the 15m susceptible passwords it had found.

A detailed look at how CynoSure Prime managed to crack the code is over on Arstechnica.

As security expert Graham Cluley points out, though, the discovery by CynoSure Prime is not the problem. The revelation that others can find out users’ details, however, is.

“If CynoSure Prime has worked out how to extract millions of passwords in a relatively short period of time, so could criminal hacking gangs,” he said.

“Therefore, if you have used the same password anywhere else on the internet, you need to change it immediately.”

However, not everyone agrees on what users, or hosts, should do with passwords. Today the UK spy agency GCHQ released a report on how it thinks passwords should be handled online.

The irony of GCHQ doing this is not lost on anyone. Amongst its advice to both users and website operators, it says:

  • Users must change default passwords provided to them immediately
  • Help users cope with password overload by only requiring them where they are really needed. Also, stop automatic password expirations, only prompt for changes when a breach is suspected
  • Get rid of password strength metres, instead use blacklists of overused passwords
  • Make machine-generated passwords easier to remember
  • Put an emphasis on secure administrator access
  • Only allow the wrong password input a few times before locking
  • Don’t store passwords as plaintext (something Ashley Madison did).

Main image via Shutterstock

Gordon Hunt was a journalist with Silicon Republic

editorial@siliconrepublic.com