When hackers released password data for more than 36 million Ashley Madison accounts last week, big-league cracking expert Jeremi Gosney didn’t bother running them through one of his massive computer clusters built for the sole purpose of password cracking. The reason: the passwords were protected by bcrypt, a cryptographic hashing algorithm so strong Gosney estimated it would take years using a highly specialized computer cluster just to check the dump for the top 10,000 most commonly used passwords.
So fellow security expert Dean Pierce stepped in to fill the vacuum, and his experience confirms Gosney’s assessment. The long-and-short of his project is that after five days of nonstop automated guessing using a moderately fast server specifically designed to carry out compute-intensive cryptographic operations, he deciphered just 4,000 of the underlying plaintext passwords. Not surprisingly, the passwords Pierce extracted from just the first 6 million entries in the Ashley Madison table look as weak as those from just about any data breach. Here are the top 20 and number of users who chose each one:

password
Number of users

123456
202

password
105

12345
99

qwerty
32

12345678
31

ashley
28

baseball
27

abc123
27

696969
23

111111
21

football
20

fuckyou
20

madison
20

asshole
19

superman
19

fuckme
19

hockey
19

123456789
19

hunter
19

harley
18

Most of the lessons gleaned from Pierce’s exercise involve the secure storage of passwords at rest. We’ll get to that in a moment. But first, a few observations about the top 20 passwords uncovered. First, they come from the beginning six million hashes stored in the Ashley Madison database. Depending on how the list was organized, that may mean they belong to the earliest six million accounts created during the site’s 14 years in operation. Passwords from the last million entries—which might have been created in the last few years—could be stronger.
Read 14 remaining paragraphs | Comments

Leave a Reply