by Tamara Kachelmeier and Biodun Iginla, BBC News technology reporters, New York
45 minutes ago
More than 11 million passwords stolen from the Ashley Madison infidelity dating website have been decoded, says a password cracking group.
When stolen data from the site was first dumped, the encrypted passwords were said to be almost uncrackable because of the way they were scrambled.
But programming changes by the site's developers meant more than a third of the passwords were poorly protected.
The cracking group said it would not be sharing the decoded passwords.
However, it had detailed the method it used to get at the passwords, which would make it straightforward for criminal hackers to replicate the work. This may mean those who reused their Ashley Madison password could see other accounts breached.
Poor protection
The Ashley Madison website was breached by a group of hackers called The Impact Team which stole gigabytes of data including login names and passwords of more than 30 million users.
Initial analysis of the data dump showed that the passwords were stored on a database after they had been protected using a process known as hashing that employs the bcrypt algorithm.
The way this scrambles passwords makes it hard to carry out so-called "brute force" attacks that try lots of different word and letter combinations because hashing with bcrypt takes a lot of computer power. As a result, a brute force attack on the passwords would take years.
However, an amateur password cracking group called Cynosure Prime looking through code also stolen from Ashley Madison realised that at some point the site changed the way passwords were stored. This stripped away the protection bcrypt bestowed on passwords.
In a blogpost, the group said it had found two insecure functions in the site code that meant it was "able to gain enormous speed boosts in cracking the bcrypt hashed passwords".
Instead of taking years, the 11 million passwords were cracked in about 11 days.
The insecure functions involved the use of easier to attack hashing systems and changes the site made to passwords when they were entered by users.
By focussing on these vulnerable steps the group has already managed to decipher 11.2 million passwords and is hopeful it can crack a total of more than 15 million which were scrambled with the insecure functions.
The remaining passwords from the site are not susceptible to this attack because they were hashed by code lacking the insecure functions.
The group said it would not be releasing the passwords it had recovered to "protect end users".
Cynosure Prime said it was not sure exactly why Ashley Madison's developers had changed the way that it dealt with passwords that introduced the insecure functions.
It speculated to news site Ars Technica that the insecure hashing system was introduced to ensure that users could log in to the site quickly.
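As an added illustration, not code from the article or from the site, the following constructed Python shows why a fast-hash token derived from the same password removes the protection of a slow hash: an attacker's cost per guess is set by the cheapest derivation that is stored. PBKDF2 stands in for bcrypt (which is not in the standard library) and MD5 for the unnamed "easier to attack" hashing system; both choices, the salt and the candidate list are assumptions.

```python
import hashlib
import hmac
import time

# Constructed values for this example; a real store uses a random per-user salt.
SALT = b"example-salt"
SLOW_ITERATIONS = 200_000


def slow_hash(password: bytes) -> bytes:
    """Deliberately expensive hash (stand-in for bcrypt, which is not in the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, SLOW_ITERATIONS)


def fast_hash(password: bytes) -> bytes:
    """Cheap unsalted hash (stand-in for the unnamed 'easier to attack' hashing system)."""
    return hashlib.md5(password).digest()


def store_record(password: bytes, with_fast_token: bool) -> dict:
    """Credential record; the weak variant also keeps a fast-hash token of the same password."""
    record = {"slow": slow_hash(password)}
    if with_fast_token:
        record["fast"] = fast_hash(password)
    return record


def weakest_path(record: dict) -> str:
    """The cost per guess is set by the cheapest derivation present in the record."""
    return "fast" if "fast" in record else "slow"


def verify(record: dict, candidate: bytes) -> bool:
    """Check a candidate against the cheapest stored derivation, in constant time."""
    path = weakest_path(record)
    derive = fast_hash if path == "fast" else slow_hash
    return hmac.compare_digest(record[path], derive(candidate))


def seconds_per_guess(hash_fn, candidates) -> float:
    """Wall-clock cost of one guess against hash_fn, averaged over the candidate list."""
    start = time.perf_counter()
    for candidate in candidates:
        hash_fn(candidate)
    return (time.perf_counter() - start) / len(candidates)


def fast_path_speedup() -> float:
    """How many times cheaper one guess becomes once a fast-hash token exists."""
    slow_cost = seconds_per_guess(slow_hash, [b"guess%d" % i for i in range(5)])
    fast_cost = seconds_per_guess(fast_hash, [b"guess%d" % i for i in range(50_000)])
    return slow_cost / fast_cost
```

The ratio returned by fast_path_speedup is typically in the tens of thousands, which is the order of the "enormous speed boosts" the article quotes: the slow hash still exists in the record, but it no longer has to be computed to test a guess.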