A password cracking group has managed to unlock the 11 million passwords used by members of the adultery website Ashley Madison. The crack has uncovered flaws in both Ashley Madison's approach to password security and that of its members.
The passwords were cracked by a team of hobbyists that goes by the name of CynoSure Prime, based in San Diego. The team managed to crack the hashed passwords, not by brute force but by exploiting flaws in the way the passwords were protected.
This is not the first time that weak security has been found in Ashley Madison's source code.
The team initially thought that the hashed passwords were effectively uncrackable because of the way they had been hashed.
“Since the developers used a cost factor of 12 for the bcrypt hash, this made the process an extremely compute intensive task. We decided to take a different approach and made some rather interesting discoveries,” the team said in a blog post.
It added that, without much information about the $loginkey variable and how it was generated, the team decided to look at a second leak of Git dumps. It identified two functions of interest and, upon closer inspection, discovered that it could use these functions as helpers to accelerate the cracking of the bcrypt hashes.
“Through the two insecure methods of $loginkey generation observed in two different functions, we were able to gain enormous speed boosts in cracking the bcrypt hashed passwords,” the team said.
With the new methods in place, the cracking of 11 million passwords took only 11 days instead of many years. Previous attempts had only managed to crack a small number of badly chosen passwords. The new attack focused on tokens hashed with MD5, which is known to harbour several cryptographic weaknesses.
“Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the MD5 […] tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart,” said the team.
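The design flaw described above is that a second value derived from the password (the $loginkey) was computed with a fast hash and lower-cased input, so it acted as a cheap verifier running alongside the slow bcrypt hash. The following Python is an added illustration, not code from the article, from CynoSure Prime or from Ashley Madison; the exact token derivation is an assumption reconstructed from the description (MD5 over lower-cased username and password), and the hardened variants, `SERVER_KEY` and the `audit_login_token` helper are constructed for this example. The audit helper is the kind of check a defender would run over their own token generator: it flags a token that is a deterministic function of the password and one that discards case, and `case_correction_work` shows why the final "case correct" step against bcrypt is cheap once the lower-cased password is known.

```python
import hashlib
import hmac
import secrets
import string

# Reconstructed from the article's description (an assumption, not the site's
# actual code): a login token derived from lower-cased account data with MD5.
# Anyone holding such tokens can check password candidates at MD5 speed,
# which bypasses the bcrypt cost factor entirely.
def weak_login_token(username: str, password: str) -> str:
    material = f"{username.lower()}:{password.lower()}".encode("utf-8")
    return hashlib.md5(material).hexdigest()


# Hardened alternative: a random token that carries no information about the
# password. The password is only ever verified through its slow hash.
def hardened_login_token(username: str, password: str) -> str:
    return secrets.token_urlsafe(32)


# If a stable per-account value is required, key it with a server-side secret
# and keep the password out of it, so an offline dump of tokens cannot be
# verified without that key. Constructed here; in production the key would
# come from a KMS/HSM and be rotated.
SERVER_KEY = secrets.token_bytes(32)


def keyed_login_token(username: str, password: str) -> str:
    return hmac.new(SERVER_KEY, username.lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def audit_login_token(token_fn, username="alice", password="Secret123") -> set:
    """Return findings describing whether token_fn behaves as a cheap password oracle.

    password_derived: same inputs give the same token and a different password
                      gives a different token, so the token verifies guesses.
    case_folded:      the token ignores letter case, so recovering it yields
                      the password up to capitalisation.
    """
    findings = set()
    deterministic = token_fn(username, password) == token_fn(username, password)
    depends_on_pw = token_fn(username, password) != token_fn(username, password + "x")
    if deterministic and depends_on_pw:
        findings.add("password_derived")
        if token_fn(username, password) == token_fn(username, password.swapcase()):
            findings.add("case_folded")
    return findings


def case_correction_work(lowercase_password: str) -> int:
    """Number of capitalisation variants left to test against the slow hash once
    the lower-cased password is known from a fast token: 2 per letter, 1 per digit."""
    letters = sum(c in string.ascii_lowercase for c in lowercase_password)
    return 2 ** letters


if __name__ == "__main__":
    for name, fn in [("weak_login_token", weak_login_token),
                     ("hardened_login_token", hardened_login_token),
                     ("keyed_login_token", keyed_login_token)]:
        print(f"{name}: {sorted(audit_login_token(fn)) or 'no findings'}")
    print("variants to case-correct 'secret123':", case_correction_work("secret123"))
```

Run stand-alone it reports both findings for the weak token and none for the two alternatives. The audit is a behavioural check only: a token that passes it can still be weak for other reasons (for example a short or predictable random source), so it complements, rather than replaces, a review of which hash and which inputs the generator actually uses.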
In a follow-up blog post, CynoSure Prime gave some insight into the types of passwords used by users of the site. Out of a total of 11,716,208 password entries, 4,867,246 were unique.
Most passwords were six characters in length, closely followed by those with eight characters.
“The majority of passwords that we have cracked so far appear to be quite simple, either being lowercase with numbers or just lowercase. We also observed some UTF-8 encoded passwords,” it said. “Passwords containing purely numbers also appear to be relatively popular. Note that we crack passwords in gradual increasing complexity, so it is normal that we have recovered most of the simpler ones first.”
Jonathan Sander, VP of product strategy at Lieberman Software, told SCMagazineUK.com that from reading the description of how the Ashley Madison passwords were cracked, “you can hear the pride and enthusiasm pouring through the very technical details”.
“If a high profile dump of encrypted passwords appears, you can be sure experts will attempt to crack it,” he added. “It's like a crossword lover finding a puzzle on the street marked 'difficult'. The challenge is too much to pass up.”