[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently
fergdawgster at mykolab.com
Fri Sep 11 22:48:28 EDT 2015
On 9/10/2015 10:51 PM, Tom Mitchell wrote:
> On Thu, Sep 10, 2015 at 10:16 PM, Ray Dillinger <bear at sonic.net> wrote:
> On 09/10/2015 09:42 PM, Tony Arcieri wrote:
>> tl;dr: they cracked MD5 digests instead. The MD5 version was
>> Once recovering the downcased password, they recovered the case
>> version by brute forcing all possible case variants against the
>> bcrypt digests.
> They've cracked 11.2 million accounts "so far". I'm completely
> stunned that Ashley Madison had 11.2 million accounts i
> Some reports say many of the accounts were fabrications, i.e.
> some 95% of the female accounts were fabricated. Fabrications or
> not, this is amazing. With so many fabrications one wonders if this
> attack could be used to identify the real accounts. Identifying the
> real accounts (eliminating the 95% false accounts) further
> amplifies efforts to expose real user accounts+info.
> This is still amazing at many levels.
We've seen some of our spam trap dummy accounts subscribed into this
- ferg
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2