[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

Ray Dillinger bear at sonic.net
Fri Sep 11 01:16:39 EDT 2015

On 09/10/2015 09:42 PM, Tony Arcieri wrote:
> tl;dr: they cracked MD5 digests instead. The MD5 version was downcased.
> Once recovering the downcased password, they recovered the case sensitive
> version by brute forcing all possible case variants against the bcrypt
> digests.

They've cracked 11.2 million accounts "so far".  I'm completely stunned
that Ashley Madison had 11.2 million accounts in the first place, and
that counts only those who had signed up *before* they switched to more
secure methodology.  That would be approximately one for every 30
people in the US, and Ghu alone knows how many new accounts since
then and how many more insecure accounts remain to be cracked.  I
just didn't imagine that such a skeevy "service" would attract so
many clients.

I guess I haven't been reading the news closely enough; I've been
treating it as 'ho hum more of the same.' But I guess it has the
scale to be significant after all.
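
The pattern described in the quoted tl;dr, shown as an added illustration (this is not code from the list post, and it is not Ashley Madison's actual code): a site stores a slow password hash but also keeps a fast MD5 digest of the downcased password as a secondary token, so the fast digest gives up the password minus its case, and the slow hash is left guarding only the 2^k case variants of a k-letter password. Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs anywhere, and the record layout (`slow`, `fast_token`, `session_token`) is constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: PBKDF2-HMAC-SHA256 plays the role of bcrypt here (the "slow hash").
# The iteration count only needs to make the point that it is costly per guess.
SLOW_ROUNDS = 50_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ROUNDS)


def store_weak(password: str) -> dict:
    """Constructed vulnerable pattern: the slow hash is stored, but so is a fast
    MD5 digest of the downcased password (e.g. as a 'login token'). Anything
    recoverable from that digest is recoverable at MD5 speed, not bcrypt speed."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "slow": slow_hash(password, salt),
        "fast_token": hashlib.md5(password.lower().encode()).hexdigest(),
    }


def store_hardened(password: str) -> dict:
    """Hardened pattern: the only value derived from the password is the slow hash.
    A login/session token is independent random data and reveals nothing about it."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "slow": slow_hash(password, salt),
        "session_token": secrets.token_hex(16),
    }


def verify(record: dict, candidate: str) -> bool:
    """Normal login check: recompute the slow hash and compare in constant time."""
    return hmac.compare_digest(slow_hash(candidate, record["salt"]), record["slow"])


def fast_token_matches_downcased(record: dict, candidate: str) -> bool:
    """Audit check for a stored record: does a fast, password-derived field match
    the candidate's downcased form? If so, the record leaks the password up to
    case, and the slow hash is no longer the thing protecting it."""
    token = record.get("fast_token")
    if token is None:
        return False
    return token == hashlib.md5(candidate.lower().encode()).hexdigest()


def case_variants_remaining(lowercased: str) -> int:
    """Residual work for the slow hash once the downcased password is known:
    two choices per letter, one per non-letter, i.e. 2**(number of letters)."""
    return 2 ** sum(1 for ch in lowercased if ch.isalpha())


if __name__ == "__main__":
    weak = store_weak("Secret1")
    print("login with wrong case rejected:", not verify(weak, "sECRET1"))
    print("fast token still matches wrong case:", fast_token_matches_downcased(weak, "sECRET1"))
    print("slow-hash guesses left after that:", case_variants_remaining("secret1"))
    hard = store_hardened("Secret1")
    print("hardened record has no fast token:", not fast_token_matches_downcased(hard, "Secret1"))
```

The point of the two `store_*` functions is the one the quoted summary makes: a slow hash only buys its cost factor if no faster, password-derived value is stored next to it. With the weak record, `verify` still rejects a wrong-case guess, but the MD5 token has already confirmed the downcased password, leaving only 2^6 = 64 slow-hash evaluations for a six-letter password.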

