A group of password-cracking hobbyists, analyzing the data released by the Ashley Madison hackers, have found mistakes in the way the website encrypted about half of the 32 million stolen accounts.
As a result, the password cracking squad, known as CynoSure Prime, was able to uncover 11 million passwords from Ashley Madison customers’ accounts.
The group’s findings first appeared in a report by ArsTechnica.
CynoSure Prime determined that Ashley Madison had made two strange mistakes when it encrypted about 15 million customer passwords: 1) it converted them all to lowercase letters and 2) it ran one of the weakest available encryption algorithms on the passwords.
Both are big no-nos in protecting passwords.
For example, if your password for Ashley Madison was “Password,” the website might have converted it into: “5f4dcc3b5aa765d61d8327deb882cf99.”
Believe it or not, that’s an easy code to crack.
Properly encrypted, “Password” would appear as the far more complex (and essentially impossible to crack): “$2a$10$ci9jdQQRdTe4U2wIncJt9uRs.HKatci/30iJcXDzsfqtX4APwTaLS.”
The less-safe encryption tool Ashley Madison used is about a million times faster to crack than the more robust one, CynoSure Prime said. It’s not clear why Ashley Madison used one encryption tool for one subset of passwords and another tool for the rest of the passwords. A spokesman for Ashley Madison parent company, Avid Life Media, did not respond to a request for comment.
CynoSure Prime wasn’t the only group to crack Ashley Madison’s passwords. Cybersecurity company Avast also took a stab, uncovering 27,000 passwords.
From that subset, Avast provided a list of the top passwords used for Ashley Madison — many of which are words that you probably wouldn’t want to say in front of your mother (and we won’t publish here).
Here are the top five (all safe for work):
1: 123456 2: password 3: 12345 4: 2345678 5: qwerty Other common passwords included “secret,” “helpme,” “midnight” and, interestingly, “yamaha.”
The problem with super-common passwords is that they’re easily guessed or cracked by password-guessing algorithms. What’s worse is that most people use a single password for all their online activities. As with Ashley Madison, the most commonly used password in the world is 123456, according to Symantec.
So a hacker who uncovers your password on a site like Ashley Madison could easily click over to bankofamerica.com, gmail.com or facebook.com and have a good shot at getting into your bank, email or social network account.