Thursday, 10 September 2015

Researchers Crack 11 Million Passwords Ashley Madison

Researchers have managed to crack more than 11 million passwords of Ashley Madison users, as they have announced today. The group of researchers called himself the cynosure Prime and examined the data that was stolen by the cheaters website. Attackers managed to steal gigabytes of data at Ashley Madison, including hashed passwords of users.

It involves a total of 36 million password hashes. Ashley Madison had the passwords are not stored in plain text, but in hashed form. This makes them not directly readable, but they can be cracked. For hashing the password had Ashley Madison the bcrypt algorithm used, and there was also a "salt-made 'use. This makes it much more difficult to crack password hashes. In a weaker algorithm, such as MD5, it is possible to try millions of password combinations per second. In the case of the gesalte bcrypt hashes came another researcher with his computer not go beyond 156 hashes per second. This investigator knew in five days 4000 passwords to crack.

It was therefore argued that the cracking of all Ashley Madison password hashes would last for centuries. That now seems not to be so. The researchers from Cynosure Prime investigated namely the second amount of data that was recently put online. In it they found information that helps them with the bcrypt hashed passwords could crack much faster. "Instead of cracking the slow bcrypt hashes, which is currently a hot topic, we decided to choose a more efficient approach and attack the MD5 tokens," the researchers said in their explanation.

The cheaters website appears to have used for reasons still unknown MD5 tokens. These tokens can be cracked much simpler than the bcrypt hashes. The information from the cracked tokens could then be used to crack the hashes bcrypt, she discovered. Since the researchers two weeks ago with their research, they began now more than 11.2 million bcrypt hashes cracked. In total there were in the stolen data over 15 million tokens.

No comments:

Post a Comment