After the Ashley Madison breach, everyone breathed a sigh of relief because the passwords were hashed with bcrypt. Bcrypt, as used by Ashley Madison, hashed the password 4,096 times. That work factor meant that even with fast computers it would take centuries to crack all of them.
Until a group of hobbyists – yes hobbyists, not professional hackers – discovered 15.26 million of those passwords were also stored with an MD5 hash. These hobbyists decided to try and crack the MD5 hash instead of the bcrypt hash.
To add insult to injury, since the source code was released, the hobbyists were able to examine it and find two “bugs” in how Ashley Madison’s programmers did the MD5 hash.
The combination of all this makes it one million times easier to crack the Ashley Madison passwords.
The hobbyists have already cracked 11 million of them and expect to crack another 4 million in the next two weeks.
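The cost model behind that story, as an added illustration that is not part of the original post: a record that keeps an unsalted MD5 alongside the slow hash can be checked against a candidate list at one hash per guess, while a record with only the slow hash costs the full 4,096 iterations per guess. PBKDF2-HMAC-SHA256 at 4,096 iterations stands in for bcrypt here (an assumption, so the example runs with only the standard library); the candidate list and record contents are constructed.

```python
import hashlib
import os

# Stand-in for bcrypt at the work factor the post describes (assumption:
# PBKDF2 is used instead of bcrypt so this runs with the standard library).
SLOW_ITERATIONS = 4096


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def fast_hash(password: str) -> str:
    # Unsalted MD5: the weak parallel hash that undermined the bcrypt storage.
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, keep_md5: bool) -> dict:
    """Build a stored credential; keep_md5=True reproduces the weak design."""
    salt = os.urandom(16)
    rec = {"salt": salt, "slow": slow_hash(password, salt)}
    if keep_md5:
        rec["md5"] = fast_hash(password)
    return rec


def guess_cost(record: dict, candidates: list) -> tuple:
    """Check candidates against the record the way an attacker would choose to.

    Returns (matched_password_or_None, primitive_hash_operations). A guess
    against the MD5 copy costs 1 operation; a guess against the slow hash
    costs SLOW_ITERATIONS, so the weak copy makes the job 4,096x cheaper."""
    cost = 0
    for cand in candidates:
        if "md5" in record:
            cost += 1
            if fast_hash(cand) == record["md5"]:
                return cand, cost
        else:
            cost += SLOW_ITERATIONS
            if slow_hash(cand, record["salt"]) == record["slow"]:
                return cand, cost
    return None, cost


# Constructed candidate list for the demonstration.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "hunter2"]

if __name__ == "__main__":
    print(guess_cost(make_record("hunter2", keep_md5=True), CANDIDATES))
    print(guess_cost(make_record("hunter2", keep_md5=False), CANDIDATES))
```

The fix for programmers is the one the post implies: store a single slow, salted hash and never a second fast digest of the same password.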
So, what is the moral of this story? There are several.
- For users, password reuse, even though it is convenient, is a really bad habit because if one site gets hacked, the hackers can get into other sites where the user used the same password. We have seen this numerous times before.
- If you were/are an Ashley Madison customer, change your password now and DO NOT reuse that password anywhere else.
- Triage the web sites that you visit. For the important ones (such as banking or credit cards), if you are reusing those passwords, change them now.
- Finally, for programmers, an independent third party review of the security of your web site is a good plan. This means an in depth review, including the source code. Without that depth, reviewers would not have caught Ashley Madison’s use of MD5, or the programming shortcuts that made cracking the MD5 hashes even easier than it would otherwise have been.
- While I never suggest that security by obscurity is sufficient to protect your company’s crown jewels, not protecting your source code will make it easier for hackers to find flaws to use against you. Ask the folks at Ashley Madison.
And given that nearly 100 gigabytes of data has been released so far (the hackers say that they have between 300 and 400 gigabytes and will release more), researchers and hobbyists are not done poring over that dump yet – not to mention future dumps, if they happen. Don’t be surprised if there are more revelations.
We can use what we learn from this to make us safer. OR NOT.
Food for thought.
Information from this post came from Ars Technica.