[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

Tom Mitchell mitch at niftyegg.com
Fri Sep 11 01:51:56 EDT 2015

On Thu, Sep 10, 2015 at 10:16 PM, Ray Dillinger <bear at sonic.net> wrote:

> On 09/10/2015 09:42 PM, Tony Arcieri wrote:
> > tl;dr: they cracked MD5 digests instead. The MD5 version was downcased.
> > Once recovering the downcased password, they recovered the case sensitive
> > version by brute forcing all possible case variants against the bcrypt
> > digests.
> >
> They've cracked 11.2 million accounts "so far".  I'm completely stunned
> that Ashley Madison had 11.2 million accounts i

Some reports say many of the accounts were fabrications, i.e. some 95% of
the female accounts were fabricated.
Fabrications or not, this is amazing.
With so many fabrications, one wonders if this attack could be used to
identify the real accounts.
Identifying the real accounts (eliminating the 95% false accounts) further
amplifies efforts to expose real user accounts+info.

This is still amazing at many levels.

  T o m    M i t c h e l l