After the scandalous Ashley Madison hack, there was a small light of hope that the infidelity site had at least done a decent job of securing users’ passwords with strong password hashing.
But a group of anonymous crackers now claim that they were able to decipher 11 million passwords due to an easily preventable security flaw.
Crackers from CynoSure Prime explained that the strong hashing algorithm the site has used to protect user passwords since 2012 was not applied to older passwords, which account for about 11 million of the 36 million passwords.
The flaw allowed the 16-man team to crack considerably more passwords than cyber security experts had managed. Few people had even tried before, because Ashley Madison had warned potential hackers that its hashing method was one of the best.
The technology, called bcrypt, stores a password as a hash by running it through its algorithm many times before producing a unique code that represents the password. Tech experts explained that the method is effectively uncrackable unless the algorithm itself is flawed.
Additionally, the Ashley Madison security team used a cost setting that requires 4,096 hashing rounds for every password guess before a match can be confirmed. With this method, cracking a single password is a slow and painful process with little odds of success.
One security expert who tried to crack the passwords said it took him five days to decipher only 4,000 passwords. Avast experts were more persistent and managed to crack 26,994 passwords in a couple of weeks.
But the CynoSure Prime team found a way around bcrypt. They identified a variable in the site’s code from before June 2012, when bcrypt was first implemented, that held an MD5 hash generated from the plaintext version of a user’s password. Because MD5 is fast and the input was the password itself, the flaw allowed the crackers to recover 11 million passwords in no time.
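To make the weakness concrete, here is an added example (not from the article and not Ashley Madison’s code) that models an account record holding a bcrypt-style hash beside a legacy token derived from the plaintext, together with the canary-account audit a defender would run to catch such a field. bcrypt is not in Python’s standard library, so PBKDF2 with the same 4,096-round count stands in for it; the token format and column names are assumptions.

```python
import hashlib
import secrets

BCRYPT_COST = 12                 # the site's cost setting: bcrypt performs 2**12 = 4096 rounds
ROUNDS = 2 ** BCRYPT_COST


def slow_hash(password: str, salt: bytes) -> str:
    """Stand-in for bcrypt (assumption: stdlib PBKDF2-HMAC-SHA256 with the same round count)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()


def legacy_token(password: str) -> str:
    """Constructed model of the pre-June-2012 field: an unsalted MD5 of the lowercased
    plaintext password. One MD5 call per guess instead of 4096 rounds is the whole flaw."""
    return hashlib.md5(password.lower().encode()).hexdigest()


def make_record(username: str, password: str, legacy: bool) -> dict:
    """Build the stored row for an account, with or without the legacy token."""
    salt = secrets.token_bytes(16)
    record = {"user": username, "salt": salt.hex(), "pw_hash": slow_hash(password, salt)}
    # Fixed design (assumption): the login token is random and carries nothing about the password.
    record["token"] = legacy_token(password) if legacy else secrets.token_hex(16)
    return record


def fast_digests(username: str, password: str) -> set:
    """Every fast, unsalted hash of plausible plaintext variants for a canary account."""
    variants = {password, password.lower(), username.lower() + password.lower()}
    algos = (hashlib.md5, hashlib.sha1, hashlib.sha256)
    return {h(v.encode()).hexdigest() for v in variants for h in algos}


def audit_record(record: dict, username: str, password: str) -> list:
    """Canary audit: register a test account with a known password, then report every
    stored column that a fast hash of that plaintext reproduces. An empty list means pass;
    the salted, slow pw_hash is never flagged because no fast digest reproduces it."""
    digests = fast_digests(username, password)
    return sorted(col for col, val in record.items() if isinstance(val, str) and val in digests)


if __name__ == "__main__":
    for legacy in (True, False):
        row = make_record("alice", "Password123", legacy)
        print("legacy" if legacy else "fixed", "->", audit_record(row, "alice", "Password123"))
```

Run against the constructed canary account, the legacy row is flagged on its token column while the fixed row passes, which is exactly the check that would have caught the pre-2012 field.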
Moreover, CynoSure Prime also showed that you do not need expert cracking skills to break into Ashley Madison accounts, since the users themselves showed little imagination when choosing a strong password.
Crackers reported that Ashley Madison users’ favorite password was ‘123456’ with more than 120,000 users using it, followed by ‘12345,’ ‘password,’ ‘DEFAULT,’ and ‘123456789.’ Other passwords included ‘ashleymadison,’ ‘madison,’ ‘pussy,’ ‘hello,’ ‘monkey,’ ‘cheater,’ ‘superman,’ and ‘iloveyou.’
But the situation shouldn’t be a surprise, because recent reports have shown that ‘123456’ still ranks as the public’s all-time favorite password, and countless accounts exposed in data breaches in recent years were protected by this incredibly simple password.
Security experts caution that predictable passwords expose your online accounts to cybercrime more than any cracker’s skill does. Reusing the same password across multiple accounts is also not recommended. Just think about it: if a cracker learns your master password, he or she has access to all your online data and personal files.
Avid Life Media, which runs the infidelity site, declined to comment on the site’s password security.