Ashley Madison coding blunder made over 11 million passwords easy to crack

The Web site's developers forgot about early users when they implemented strong password hashing three years ago

Until today, the creators of the hacked AshleyMadison.com infidelity website appeared to have done at least one thing well: protect user passwords with a strong hashing algorithm. That belief, however, was painfully disproved by a group of hobbyist password crackers.

The 16-man team, called CynoSure Prime, sifted through the Ashley Madison source code that was posted online by hackers and found a major error in how passwords were handled on the website.

They claim that this allowed them to crack over 11 million of the 36 million password hashes stored in the website's database, which has also been leaked.

A few weeks ago such a feat seemed impossible because security experts quickly observed from the leaked data that Ashley Madison stored passwords in hashed form -- a common security practice -- using a cryptographic function called bcrypt.

Hashing is a form of one-way encryption. A clear text string, like a password, is run through an algorithm, typically multiple times, in order to generate a unique string of characters that serves as its representation. The procedure is not supposed to be reversible unless the algorithm is flawed.

However, recovering the original password from a hash is sometimes possible by using brute-force methods. This is known as hash cracking and involves running a very large number of possible passwords through the exact same algorithm that was used to generate the original hashes and looking for matches.

The success of such efforts depends on many factors: the type of hashing function used, its implementation, whether additional secret values called salts were added to the passwords, the complexity of the passwords themselves and the hardware resources available to the attackers.

Bcrypt is more computationally intensive than some other functions like MD5, which favors performance over brute-force protection. In addition, the Ashley Madison developers used a cost factor of 12 in their implementation, meaning that each possible password an attacker wants to test needs to be put through 4,096 rounds of hashing.

This makes cracking, even with an average-size dictionary -- a collection of common passwords -- and a very powerful hardware rig, very slow. The larger the dictionary the greater the chance of findings matches, but the slower the process.

A security expert named Dean Pierce made an attempt on the first 6 million Ashley Madison hashes using a list of plain text passwords leaked from game publisher RockYou in 2009. After five days he managed to crack only 4,000 hashes. That's 0.06 percent.

Researchers from antivirus vendor Avast tried as well and let their hash-cracking rig run for two weeks. The result: 26,994 recovered passwords, of which only 1,064 were unique -- used by a single user.

The CynoSure Prime team realized that attempting to brute-force the bcrypt hashes will not get them much further, so they started to look for possible errors in how passwords were handled on the website.

A variable called $loginkey piqued their interest. The team found two locations in the code where it was generated, but in slightly different ways.

In one instance $loginkey was generated upon account creation and was defined as the MD5 hash of two other variables: one holding the username and one holding the bcrypt hash of the user's password.

This made the team wonder if the password variable had always been defined as the password's hash. Digging through old code changes they found that prior to June 2012, the variable was actually using the user's plain text password.

It also turned out that when the Ashley Madison developers later implemented bcrypt hashing, they didn't bother regenerating the loginkey variables for early users.

"This meant that we could crack accounts created prior to this date with simple salted MD5," the team said in a blog post. Also, the old code converted the password to lowercase characters before using it, reducing the number of possible characters in a password to 26 and making it faster to brute-force it, they said.

The second instance of $loginkey generation used a combination of the username, password and email variables, plus a constant. This method of generating the $loginkey was used when a user modified their account attributes -- username, password or email.

However, as in the first case, it hadn't always used the bcrypt password hash as the password variable. This meant that the CynoSure team could now recover passwords for accounts that had been modified prior to the code change in 2012.

By creating rules in their MD5 hash cracking program, the team managed to isolate the securely generated, post-2012, loginkey variables from the insecure ones. Just a few hours later, they had already cracked 2.6 million passwords and after a few days, 11.2 million.

Avid Life Media, the company that owns AshleyMadison.com, did not immediately respond to a request for comment.

The issue, though, poses significant online security risks for a very large number of Ashley Madison users who might have used the same password on other websites and haven't changed it since then. Past breaches have shown that password reuse is rampant on the Internet.

The incident should also serve as a lesson to other developers: When you implement a new security feature in your website or application, make sure that it's applied to everyone, not just new users.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?