[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently
Paul Ferguson
fergdawgster at mykolab.com
Fri Sep 11 22:48:28 EDT 2015
On 9/10/2015 10:51 PM, Tom Mitchell wrote:
> On Thu, Sep 10, 2015 at 10:16 PM, Ray Dillinger <bear at sonic.net> wrote:
>
> On 09/10/2015 09:42 PM, Tony Arcieri wrote:
>> tl;dr: they cracked MD5 digests instead. The MD5 version was
>> downcased.
>> Once recovering the downcased password, they recovered the case
>> sensitive version by brute forcing all possible case variants against
>> the bcrypt digests.
>>
>
> They've cracked 11.2 million accounts "so far". I'm completely
> stunned that Ashley Madison had 11.2 million accounts i
>
>
> Some reports say many of the accounts were fabrications, i.e.
> some 95% of the female accounts were fabricated. Fabrications or
> not this is amazing. With so many fabrications one wonders if this
> attack could be used to identify the real accounts. Identifying the
> real accounts (eliminating the 95% false accounts) further
> amplifies efforts to expose real user accounts+info.
>
> This is still amazing at many levels.
>
>
We've seen some of our spam trap dummy accounts subscribed into this
mess. :-)
http://blog.trendmicro.com/trendlabs-security-intelligence/ashley-madison-why-do-our-honeypots-have-accounts-on-your-website/
- ferg
--
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2