Flaws found in Ashley Madison password protection

Ashley Madison site on a smartphone Image copyright Reuters
Image caption Hackers stole gigabytes of data from Ashley Madison including login names, passwords and website code

More than 11 million passwords stolen from the Ashley Madison infidelity dating website have been decoded, says a password cracking group.

When stolen data from the site was first dumped, the encrypted passwords were said to be almost uncrackable because of the way they were scrambled.

But programming changes by the site's developers meant more than a third of the passwords were poorly protected.

The cracking group said it would not be sharing the decoded passwords.

However, it had detailed the method it used to get at the passwords which would make it straightforward for criminal hackers to replicate the work. This may mean those who reused their Ashley Madison password could see other accounts breached.

Poor protection

The Ashley Madison website was breached by a group of hackers called The Impact Team which stole gigabytes of data including login names and passwords of more than 30 million users.

Initial analysis of the data dump showed that the passwords were stored on a database after they had been protected using a process known as hashing that employs the bcrypt algorithm.

The way this scrambles passwords makes it hard to carry out so-called "brute force" attacks that try lots of different word and letter combinations because hashing with bcrypt takes a lot of computer power. As a result, a brute force attack on the passwords would take years.

However, an amateur password cracking group called Cynosure Prime looking through code also stolen from Ashley Madison realised that at some point the site changed the way passwords were stored. This stripped away the protection bcrypt bestowed on passwords.

In a blogpost, the group said it had found two insecure functions in the site code that meant it was "able to gain enormous speed boosts in cracking the bcrypt hashed passwords".

Instead of taking years, the 11 million passwords were cracked in about 11 days.

Image copyright Reuters
Image caption The password crackers exploited changes Ashley Madison made to the way it stored passwords

The insecure functions involved the use of easier to attack hashing systems and changes the site made to passwords when they were entered by users.

By focussing on these vulnerable steps the group has already managed to decipher 11.2 million passwords and is hopeful it can crack a total of more than 15 million which were scrambled with the insecure functions.

The remaining passwords from the site are not susceptible to this attack because they were hashed by code lacking the insecure functions.

The group said it would not be releasing the passwords it had recovered to "protect end users".

Cynosure Prime said it was not sure exactly why Ashley Madison's developers had changed the way that it dealt with passwords that introduced the insecure functions.

It speculated to news site Ars Technica that the insecure hashing system was introduced to ensure that users could log in to the site quickly.

More on this story