
This article was published on September 11, 2015

    It took just 10 days to crack over 11 million Ashley Madison passwords

    Story by Abhimanyu Ghoshal

    Managing Editor

    Abhimanyu is TNW's Managing Editor, and is all about personal devices, Asia's tech ecosystem, as well as the intersection of technology and culture. Hit him up on Twitter, or write in: [email protected].

    A cracking team called Cynosure Prime has deciphered over 11.2 million passwords from the recent Ashley Madison hack in just 10 days, thanks to a programming blunder that made the task surprisingly easy.

    After the hackers publicly leaked mountains of documents, emails and data including roughly 37 million users’ details, Cynosure Prime sifted through the site’s source code and found 15.26 million passwords that were secured using MD5, a hashing algorithm that’s faster than others like bcrypt, but far less effective at protecting passwords.

    One of the group’s members estimates that the blunder made by Ashley Madison’s security team allowed them to crack these passwords about a million times faster than if they attempted to decipher the bcrypt hashes.

    In order to protect end users, Cynosure Prime isn’t releasing the passwords it’s cracked. However, it’s detailed all the steps necessary to replicate the passcode recovery.

    That doesn’t mean just about anyone can try it at home. You’ll still need plenty of computing power and specialized software to crack the passwords yourself.

    The group’s efforts and discoveries underline the need for Web-based businesses to implement sophisticated security measures that go beyond protecting their servers from attacks.
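The article describes passwords protected with fast MD5 in a data set that also held bcrypt hashes. The following audit sketch is an added example, not code from the article, Cynosure Prime or Ashley Madison: it flags stored values shaped like a fast digest, especially beside a bcrypt hash, and bcrypt hashes with a low cost. The column names, sample rows and `min_cost` threshold are assumptions.

```python
import re

# bcrypt modular-crypt string: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hex lengths of common unsalted fast digests
FAST_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(value):
    """Return (scheme, bcrypt_cost_or_None) for one stored credential value."""
    if not value:
        return ("empty", None)
    m = BCRYPT_RE.match(value)
    if m:
        return ("bcrypt", int(m.group(1)))
    if HEX_RE.match(value) and len(value) in FAST_HEX_LEN:
        # Length match only: confirm in source code how the value is derived
        return (FAST_HEX_LEN[len(value)] + "-length hex", None)
    return ("unknown", None)


def audit(rows, min_cost=10):
    """Return (user_id, column, finding) for each column that weakens password storage."""
    findings = []
    for row in rows:
        schemes = {c: classify(v) for c, v in row.items() if c != "id"}
        has_bcrypt = any(s == "bcrypt" for s, _ in schemes.values())
        for column, (scheme, cost) in schemes.items():
            if scheme.endswith("-length hex"):
                note = "fast digest stored beside bcrypt" if has_bcrypt else "fast digest"
                findings.append((row["id"], column, f"{note} ({scheme})"))
            elif scheme == "bcrypt" and cost < min_cost:
                findings.append((row["id"], column, f"bcrypt cost {cost} below {min_cost}"))
    return findings


# Constructed sample rows; column names and values are hypothetical, not from the leak
FAKE_BCRYPT = "$2a$12$" + "x" * 53           # placeholder with a valid bcrypt shape
FAKE_MD5_SHAPED = "0123456789abcdef" * 2     # 32 hex chars, the length of an MD5 digest
SAMPLE_ROWS = [
    {"id": 1, "password": FAKE_BCRYPT, "token": FAKE_MD5_SHAPED},
    {"id": 2, "password": FAKE_BCRYPT, "token": ""},
    {"id": 3, "password": "$2a$04$" + "x" * 53, "token": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

A hex value of digest length can also be a random token, so each finding is a prompt to review how the column is computed, not proof of a weak hash.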

    Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked [Ars Technica]
