A password cracking group has managed to unlock the 11 million passwords used by members of the adultery website Ashley Madison. The crack has uncovered flaws in both Ashley Madison's approach to password security and that of its members.
The passwords were cracked by a team of hobbyists that go by the name of CynoSure Prime, based in San Diego. The team managed to crack the encryption used by Ashley Madison, not by brute force attacks but by clever use of flaws in the way the passwords were protected.
This is not the first time that weak security has been found in Ashley Madison's source code.
The team initially thought that the encrypted passwords were unhackable due to the way they were encrypted.
“Since the developers used a cost factor of 12 for the bcrypt hash, this made the process an extremely compute intensive task. We decided to take a different approach and made some rather interesting discoveries,” the team said in a blog post.
It added that without much information about the $loginkey variable and how it was generated, the team decided to look at a second leak of Git dumps. It found identified two functions of interest and upon closer inspection, the team discovered that could exploit these functions as helpers in accelerating the cracking of the bcrypt hashes.
“Through the two insecure methods of $logkinkey generation observed in two different functions, we were able to gain enormous speed boosts in cracking the bcrypt hashed passwords,” the team said.
With new methods in place, the cracking of 11 million passwords took only 11 days instead of many years. Previous attempts only managed to crack a small number of badly created passwords. The new attack focused on tokens encrypted with MD5, which is known to harbour several cryptographic weaknesses.
“Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the MD5 […] tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart,” said the team.
In a follow up blog post, CynoSure Prime gave some insight into the types of passwords used by users of the site. Out of a total 11,716,208 password entries, 4,867,246 were unique.
Most passwords were six characters in length, closely followed by those with eight characters.
“The majority of passwords that we have cracked so far appear to be quite simple, either being lowercase with numbers or just lowercase. We also observed some UTF-8 encoded passwords,” it said. “Passwords containing purely numbers also appear to be relatively popular. Note that we crack passwords in gradual increasing complexity, so it is normal that we have recovered most of the simpler ones first.”
Jonathan Sander, VP of product strategy at Lieberman Software, told SCMagazineUK.com that from reading the description of how the Ashley Madison passwords were cracked, “you can hear the pride and enthusiasm pouring through the very technical details”.
“If a high profile dump of encrypted passwords appears, you can be sure experts will attempt to crack it,” he added. “It's like a crossword lover finding a puzzle on the street marked 'difficult'. The challenge is too much to pass up.”
Sander added that the trouble the good guys face is that if they encrypt their passwords so securely that they would be in any practical sense uncrackable, then they make them unusable at the same time.
“Logging in at a website using passwords like that could be so slow most users would give up and move on,” Sander said. “Today's ultra competitive internet can't allow that. This attack also showed that the encryption isn't the only concern when securing passwords.
“The Ashley Madison developers used decent encryption, but then used poor coding to handle the passwords in their application which allowed the attack to, in a sense, side step that encryption."
Steve Ward, senior director at iSIGHT Partners, told SC that Ashley Madison's poor security practices associated with the login key function undermined their use of bcrypt.
“We are certain that some adversaries would be capable of identifying this weakness and using it to target users who have re-used credentials on other services. Furthermore, this will be even easier now that the method for cracking Ashley Madison passwords is publicly available,” he said.
Brendan Rizzo, technical director EMEA for HP Security Voltage told SC that the information security industry is quickly moving to a data-centric approach to security and, in this case, the passwords were the data that needed to be protected.
“While the passwords were protected with strong encryption in one area, they were stored as part of a simple hash in another,” he said. “This meant that the researchers could attack this security gap to avoid having to take on the encryption itself, which would have taken years to crack. As is the case in the vast majority of data breaches, criminals aren't driven by the challenge of beating state-of-the-art security, they are after the data itself.”
He added that criminals will always choose the path of least resistance, therefore companies must ensure that all paths to sensitive data are blocked by strong encryption.
“Thankfully, new encryption techniques such as format-preserving encryption now allow companies to utilise strong encryption in all areas – including systems that would otherwise never have supported the use of strong encryption,” said Rizzo.
Gavin Reid, VP of threat intelligence at Lancope, told SC that the “lesson to be learned here is to have your security applications tested and retested by smart people to find implementation issues before they become a problem”.
Lieberman Software's Sander said that protecting passwords well boils down to tried and true security advice.
“If there had been a mindset where security was top of mind at every turn at Ashley Madison, then the application flaw that allowed this attack to succeed so quickly may not have happened,” he said. “Security is never as simple as one checkbox. You don't give in to the one guy about using decent encryption, tick a box that says 'secured' on your list, and move on to the rest of your project thinking nothing else about security.”