[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

Ray Dillinger bear at sonic.net
Mon Sep 14 02:53:31 EDT 2015



On 09/13/2015 07:51 PM, Bill Frantz wrote:
> On 9/12/15 at 2:59 PM, rsalz at akamai.com (Salz, Rich) wrote:

>>  Brushing it off with a "PITA but can be
>>  made right" is neither fair nor accurate.  Especially not for SSN,
>>  which is attached to you forever.

> Please explain how that statement is unfair and inaccurate. It would
> seem a victim should be able to get a new SSN. Why not?


IIRC, the law that made SSN's into as nearly a requirement as
they are now, also provides that anyone can get a new SSN if
they want to - it's in the same paragraph with the bit about
issuing a new card if the name changes.

However, people actually doing this is so rare that you probably
won't find an office where any SS employee actually remembers that
it's possible, much less how to do it. I remember reading someone's
account of basically forcing the local SS office to comply with the
law and go through the process back in the 1980's, but he fought
about it for a couple of years before he convinced them they really
had to because that's what the law said, and even when they discovered
they really had to, they had no idea how to do it until they got some
long-delayed interaction with some authoritative source that probably
made up the procedure they used on the spot. Ultimately I think the
FBI had to be involved - not because it's in any way criminal, but
because their Witless Protection Program is approximately the only
office where there is a known procedure to issue new valid SSN's to
people who already have one.

And I don't know if the social security account into which he'd been
paying taxes for years and which more or less determines his SS
benefit on retirement came with him when the number changed. If
not, then there's a definite downside to getting a new number
attached to a new, completely empty social security retirement
account.

				Bear

