AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Ashley Madison Passwords Easy To Crack After All

Ah, Ashley Madison. Even as one tries to move on to other issues, new problems keep surfacing like toxic gas from a swamp: fraudulent $19 data scrubbings, men being conned by bots, some of the weakest passwords known to mankind securing their servers, an ex-CTO who supposedly hacked the competition… Michael Corleone, I get you now.

Remember how, at the beginning, despite everything that happened, Ashley Madison was given something of a tentative kudos for using bcrypt to secure their clients' passwords? Bcrypt being the deliberately slow hashing algorithm that hinders brute-force cracking, and thus the unauthorized recovery, of passwords?

Congratulations Released Prematurely

Well, according to Ars Technica, a team of crypto-cracking enthusiasts has found that the Ashley Madison passwords – released into the internet on August 18, along with internal emails and other data – were not strongly secured when you really get down to it. Yes, bcrypt was used. Yes, bcrypt is one of the better ways to secure passwords against brute-forcing. But it became a moot point (from arstechnica.com):
CynoSure Prime…an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.
Digging into the leaked emails, the hobbyist crackers discovered that prior to June 14, 2012, MD5 was used for the password-derived $loginkey; bcrypt was adopted only after that date. Furthermore, it turns out that Ashley Madison's code lowercased the password before feeding it to MD5, so a cracked MD5 value reveals the password with its case stripped, which means Ashley Madison's customers may not have been quite as irresponsible as the recovered strings suggest. For what it's worth, pasSworD is nominally more secure than password, but there is no way to know now whether potential philanderers were cognizant of this detail. Incidentally, this is not the first time I've run across a company transforming customers' passwords into less secure versions of themselves: Amazon, for example, reportedly truncated and case-folded passwords in the past. What are the ramifications when passwords are transmogrified in this manner? Again, from arstechnica.com:
If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault
In other words, because an account's MD5 $loginkey was derived from the same plaintext as that account's bcrypt hash, the crackers attacked the cheap MD5 value first: one MD5 computation per guess instead of one bcrypt computation per guess. A cracked $loginkey yields the password with its case stripped, and only the handful of upper/lower-case permutations of that string then need to be checked against bcrypt. It should be noted that this means only a subset of the passwords were easily compromised (if you can call 15 million out of 36 million a subset; it certainly is, but so is 36 million out of 36 million). As a client, if you signed up after June 2012, the working assumption is that your password is still safe, assuming you didn't pick a weak one.
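To make the two-stage attack concrete, here is an added example written for this post; it is not code from the page, from Ashley Madison or from CynoSure Prime. The $loginkey construction (MD5 over lowercased username and password joined by "::"), the account name, the salt and the wordlist are all constructed for the demo, and since bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 with a high iteration count stands in for it; only the cost gap between the slow hash and a single MD5 matters for the point being made.

```python
import hashlib
import hmac
import itertools
import secrets

# Stand-in for bcrypt (not in the standard library): PBKDF2-HMAC-SHA256 with a
# high iteration count. Only the cost asymmetry versus one MD5 matters here.
SLOW_ROUNDS = 20_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ROUNDS)


def md5_loginkey(username: str, password: str) -> str:
    """Assumed $loginkey construction: MD5 over lowercased username and password.

    The page only says the token was MD5 and that the password was lowercased;
    the exact concatenation used by the real code is a guess made for this demo.
    """
    material = username.lower() + "::" + password.lower()
    return hashlib.md5(material.encode()).hexdigest()


def safe_loginkey() -> str:
    """What such a token should be: random, not derived from the password at all."""
    return secrets.token_urlsafe(32)


def case_variants(word: str):
    """Yield every upper/lower assignment of the alphabetic characters of `word`."""
    positions = [i for i, c in enumerate(word) if c.isalpha()]
    for bits in itertools.product((False, True), repeat=len(positions)):
        chars = list(word.lower())
        for flag, i in zip(bits, positions):
            if flag:
                chars[i] = chars[i].upper()
        yield "".join(chars)


def crack_loginkey(target_key: str, username: str, wordlist):
    """Fast stage: one MD5 per candidate. Returns the lowercased password or None."""
    for cand in wordlist:
        if hmac.compare_digest(md5_loginkey(username, cand), target_key):
            return cand.lower()
    return None


def recover_case(lower_pw: str, salt: bytes, target_slow: bytes):
    """Slow stage: only the 2^n case permutations need a slow-hash check.

    Returns (password, slow_hash_calls) or (None, slow_hash_calls).
    """
    tries = 0
    for variant in case_variants(lower_pw):
        tries += 1
        if hmac.compare_digest(slow_hash(variant, salt), target_slow):
            return variant, tries
    return None, tries


# Constructed demo account (not real data): the MD5 token and the slow hash are
# both computed from the same password, the relationship the two stores had.
DEMO_USER = "alice"
DEMO_PASSWORD = "pasSworD"
DEMO_SALT = bytes(range(16))
STORED_LOGINKEY = md5_loginkey(DEMO_USER, DEMO_PASSWORD)
STORED_SLOW = slow_hash(DEMO_PASSWORD, DEMO_SALT)
# Constructed wordlist; a real attack would use millions of entries.
DEMO_WORDLIST = ["123456", "qwerty", "letmein", "password", "monkey", "dragon"]


def demo():
    """Crack the MD5 token first, then confirm the case against the slow hash."""
    lower_pw = crack_loginkey(STORED_LOGINKEY, DEMO_USER, DEMO_WORDLIST)
    if lower_pw is None:
        return None, 0
    return recover_case(lower_pw, DEMO_SALT, STORED_SLOW)


if __name__ == "__main__":
    pw, slow_calls = demo()
    naive = len(DEMO_WORDLIST) * 2 ** sum(c.isalpha() for c in DEMO_PASSWORD)
    print(f"recovered {pw!r} with {len(DEMO_WORDLIST)} MD5 calls and {slow_calls} "
          f"slow-hash calls (naive slow-hash search of the same space: {naive})")
```

The thing to notice is where the slow hash gets called: the wordlist is only ever run through MD5, and the slow hash is invoked for at most 2^8 = 256 case permutations of the one string MD5 gave up, eighteen of them in this run. Without the token, every wordlist entry times every case permutation would have had to go through the slow hash. safe_loginkey shows the fix that removes the side channel entirely: a session token that is random, so nothing about it can be cracked back to the password.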

What Happened in 2012?

"[Ashley Madison's] parent company Avid Life Media was at risk of a security breach," predicted the company's CTO in 2012. This was a comment, according to businessinsider.com, on the Grindr hack of January 2012. He also wrote (from vice.com):

"With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn't focus on it either," the company's founding CTO Raja Bhatia wrote at the beginning of 2012. "I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials."

Could this have been the impetus behind the switch to bcrypt from MD5 - a bungled one, obviously? If so, perhaps the criticism that they weren't interested in security at all should be curtailed a bit. Naturally, all other criticisms are still valid.


Related Articles and Sites:

http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
http://cynosureprime.blogspot.kr/2015/09/how-we-cracked-millions-of-ashley.html
http://www.businessinsider.com/ashley-madison-cto-predicted-security-risk-in-2012-2015-8
http://motherboard.vice.com/read/security-was-an-afterthought-hacked-ashley-madison-emails-show

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.