Tuesday, 25 August 2015

Researcher Cracks 4000 Passwords Ashley Madison


A researcher has managed to crack 4000 passwords of users of Ashley Madison, which demonstrates how important it is to choose a strong password. Attackers managed last month to steal a large amount of data from Ashley Madison, the site for cheaters.

The data were published last week in part. Among the stolen data there were also 36 million password hashes. Ashley Madison had the passwords are not stored in plain text, but in hashed form. This makes them not directly readable, but they can be cracked. Dean Pierce, Linux security engineer at chip giant Intel, password hashes ended with his special "squat machine" to crack.

Computer Pierce consists of four R9 290 ATI video cards. For hashing the password had Ashley Madison the bcrypt algorithm used, and there was also a "salt-made 'use. This makes it much more difficult to crack password hashes. In a weaker algorithm, such as MD5, it is possible to try millions of password combinations per second. In the case of the make bcrypt hashes came Pierce with his computer not go beyond 156 hashes per second.

The experiments also revealed the extent of the number of password hashes problematic, so he could load 6 million of the 36 million password hashes. For cracking the hashes he used the RockYou dictionary. RockYou is a company developing widgets for social media. In 2009 it was hacked, giving attackers more than 32 million managed to steal passwords. These passwords were stored in plain text, and finally appeared on the Internet. Since then the passwords of RockYou be used by many researchers as the default password cracking.

Crack Time

Pierce had his machine power for five days, during which he finally managed to crack 4000 passwords. That equates to 32.6 cracked passwords per hour. It also showed that there were 1191 unique passwords between. The most common password is "123456", which occurred 202 times. It also showed that 105 users had chosen the password "password". Pierce made ​​a Top 20 of the most common passwords. The list is very similar to other password lists that are regularly published.

According to the researcher, it is probably impossible to crack each bcrypt password, but will in the case of Ashley Madison eventually many passwords are outdated anyway. It is in this case especially for weak passwords which are found in many dictionaries, or simply through brute force to retrieve his. Thus, on the list of passwords of the short Pierce especially less than eight characters.

No comments:

Post a Comment