More than 11 million passwords
stolen from the Ashley Madison infidelity dating website have been
decoded, says a password cracking group.
When stolen data from the
site was first dumped, the encrypted passwords were said to be almost
uncrackable because of the way they were scrambled.
But programming changes by the site's developers meant more than a third of the passwords were poorly protected.
The cracking group said it would not be sharing the decoded passwords.
However,
it had detailed the method it used to get at the passwords which would
make it straightforward for criminal hackers to replicate the work. This
may mean those who reused their Ashley Madison password could see other
accounts breached.
Poor protection
The Ashley Madison website was breached
by a group of hackers called The Impact Team which stole gigabytes of
data including login names and passwords of more than 30 million users.
Initial
analysis of the data dump showed that the passwords were stored on a
database after they had been protected using a process known as hashing
that employs the bcrypt algorithm.
The way this scrambles
passwords makes it hard to carry out so-called "brute force" attacks
that try lots of different word and letter combinations because hashing
with bcrypt takes a lot of computer power. As a result, a brute force
attack on the passwords would take years.
However,
an amateur password cracking group called Cynosure Prime looking
through code also stolen from Ashley Madison realised that at some point
the site changed the way passwords were stored. This stripped away the
protection bcrypt bestowed on passwords. In a blogpost,
the group said it had found two insecure functions in the site code
that meant it was "able to gain enormous speed boosts in cracking the
bcrypt hashed passwords".
Instead of taking years, the 11 million passwords were cracked in about 11 days.
Image copyrightReutersImage caption
The password crackers exploited changes Ashley Madison made to the way it stored passwords
The insecure functions involved the use of easier to
attack hashing systems and changes the site made to passwords when they
were entered by users.
By focussing on these vulnerable steps
the group has already managed to decipher 11.2 million passwords and is
hopeful it can crack a total of more than 15 million which were
scrambled with the insecure functions.
The remaining passwords
from the site are not susceptible to this attack because they were
hashed by code lacking the insecure functions.
The group said it would not be releasing the passwords it had recovered to "protect end users".
Cynosure
Prime said it was not sure exactly why Ashley Madison's developers had
changed the way that it dealt with passwords that introduced the
insecure functions. It speculated to news site Ars Technica that the insecure hashing system was introduced to ensure that users could log in to the site quickly.
No comments:
Post a Comment