Eleven Million Passwords Opened

So, you put your real name, address and other personal details into your online bank account. You know the bank will encrypt them, and you also know that if anything goes wrong and the bank is at fault, the bank carries the responsibility. Well, that is probably true.

Now, with all that trust in the encryption, you use your real name, address and details to sign up to a dating site. Yes, it's Ashley Madison again. This time the company told experts that its password protection was intact and that the stolen passwords, or at least part of them, could not be read. Now a password-cracking group has found that over 11 million of those passwords CAN be recovered.

Maybe, if it was possible, you should have used an alter ego?

From Network World

A few weeks ago such a feat seemed impossible because security experts quickly observed from the leaked data that Ashley Madison stored passwords in hashed form — a common security practice — using a cryptographic function called bcrypt.

Hashing is a form of one-way encryption. A clear text string, like a password, is run through an algorithm, typically multiple times, in order to generate a unique string of characters that serves as its representation. The procedure is not supposed to be reversible unless the algorithm is flawed.

However, recovering the original password from a hash is sometimes possible by using brute-force methods. This is known as hash cracking and involves running a very large number of possible passwords through the exact same algorithm that was used to generate the original hashes and looking for matches.

The success of such efforts depends on many factors: the type of hashing function used, its implementation, whether additional secret values called salts were added to the passwords, the complexity of the passwords themselves and the hardware resources available to the attackers.

Bcrypt is more computationally intensive than some other functions like MD5, which favors performance over brute-force protection. In addition, the Ashley Madison developers used a cost factor of 12 in their implementation, meaning that each possible password an attacker wants to test needs to be put through 4,096 rounds of hashing.

Article: Ashley Madison coding blunder made over 11 million passwords easy to crack
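The excerpt above describes hash cracking, salting and bcrypt's cost factor in prose. The script below is an added example, written for this post and not code from the Network World article or from Ashley Madison, that shows those three points concretely: a dictionary attack against unsalted MD5 hashes costs one hash per guess for the whole database, while a per-user salt and a cost factor of 12 (2**12 = 4096 rounds) multiply the attacker's work. The accounts and the wordlist are constructed sample data, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (an assumption made so the example runs offline without third-party packages).

```python
import hashlib
import os
from typing import Dict, Iterable, Tuple

# Constructed sample data (not real leaked records): three accounts and a
# five-word dictionary. Real dumps have millions of rows; real wordlists, billions.
USER_PASSWORDS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def rounds_for_cost(cost: int) -> int:
    """bcrypt's cost factor is a base-2 exponent: cost 12 means 2**12 = 4096 rounds."""
    return 2 ** cost


def md5_hex(password: str) -> str:
    """Fast, unsalted MD5: one cheap operation per guess, and the same password
    always yields the same digest for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_hex(password: str, salt: bytes, cost: int = 12) -> str:
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here
    (an assumption: bcrypt is not in the standard library); the iteration count
    is set to 2**cost to mirror bcrypt's cost-factor semantics."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               rounds_for_cost(cost)).hex()


def build_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    """What a site that stores plain MD5 would keep: user -> digest."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def build_salted_store(users: Dict[str, str], cost: int = 12) -> Dict[str, Tuple[bytes, str]]:
    """What a bcrypt-style scheme keeps: user -> (per-user random salt, digest)."""
    store: Dict[str, Tuple[bytes, str]] = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # stored next to the hash; it need not be secret
        store[user] = (salt, slow_hex(pw, salt, cost))
    return store


def crack_unsalted(store: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and
    looked up against every user, so the work is len(wordlist), not users * words."""
    by_hash: Dict[str, list] = {}
    for user, digest in store.items():
        by_hash.setdefault(digest, []).append(user)
    cracked: Dict[str, str] = {}
    evaluations = 0
    for word in wordlist:
        evaluations += 1
        for user in by_hash.get(md5_hex(word), []):
            cracked[user] = word
    return cracked, evaluations


def crack_salted(store: Dict[str, Tuple[bytes, str]], wordlist: Iterable[str],
                 cost: int = 12) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on salted, iterated hashes. The salt forces a separate
    pass over the wordlist for every user, and each guess costs 2**cost rounds."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    evaluations = 0
    for user, (salt, digest) in store.items():
        for word in words:
            evaluations += 1
            if slow_hex(word, salt, cost) == digest:  # offline comparison by the attacker
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    fast, n_fast = crack_unsalted(build_unsalted_store(USER_PASSWORDS), WORDLIST)
    slow, n_slow = crack_salted(build_salted_store(USER_PASSWORDS), WORDLIST)
    print(f"MD5, unsalted: cracked {fast} with {n_fast} hash evaluations")
    print(f"salted, cost 12: cracked {slow} with {n_slow} evaluations of "
          f"{rounds_for_cost(12)} rounds each")
```

Run it as a script and compare the two evaluation counts: the unsalted store is cracked with five hash operations for all three users, while the salted store needs one pass per user (eleven evaluations here, each 4096 rounds), and "carol", whose password is not in the wordlist, survives both attacks. Scaling the wordlist to billions of entries and the database to millions of users is what turns the cost-12 setting into the "infeasible" picture the article describes.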
