In August, when hackers released Ashley Madison user data, I wrote that "Ashley Madison's security actually had some things going for it" because the site stored passwords in a secure way that would be hard to infiltrate. So young! So naive! A research group has already cracked them.
Called CynoSure Prime, the team posted an explanation Thursday of how it has been able to decrypt 11.2 million of 36 million leaked passwords so far. Rather than using a brute force approach, which would be "an extremely compute intensive task," according to the hackers, and would take years, the group looked for errors or loopholes in Ashley Madison's source code, released in a second dump after the initial user information trove. And it found something.
Though Ashley Madison hashed and stored many of its users' passwords using the resilient bcrypt encryption utility, Ars Technica reports that 15.26 million passwords (almost half) were hashed using the more convenient, but potentially more crackable MD5 algorithm. The researchers wrote, "Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5 ... tokens instead."
In a comparison of bcrypt and MD5 in 2014, cryptographer Thomas Pornin wrote about the "configurable slowness" of the algorithms on StackExchange, noting "A slow function is slow for everybody, attacker and defender alike." Basically, it seems like Ashley Madison took a shortcut to make its password trove easier to deal with, sacrificing some security in the process. As a result, it only took a few days instead of years to crack one-third of the entries.
Ars points out that since Ashley Madison seems to have improved its password encryption system over time (not all the hashed passwords can be cracked by exploiting the MD5 token flaw), the service's developers may have been aware of the problem and chose not to, or were not allowed to, take the time to correct it.
Ashley Madison users just can't catch a break. CynoSure Prime isn't releasing the millions of passwords it decrypted, but since it published its approach to cracking them, others might not be so kind. As always, here's your reminder not to reuse passwords between services.