Ashley Madison user passwords are as stupid as the rest

  • Liam Tung (CSO Online)
  • 26 August, 2015 09:02

Despite Ashley Madison using a recommended encryption algorithm to protect user passwords, a portion of them have been cracked revealing once again that people pick bad passwords.

A security consultant, using an old cryptocoin mining rig, has cracked a sliver of the more than 30 million encrypted passwords that were included in the Ashley Madison database leaked by Team Impact last week.

Unsurprisingly, it appears Ashley Madison’s users were no better at picking good passwords than anyone else based on an analysis of 4,007 passwords that security consultant Dennis Fratric “cracked” over a period of five days.

Exposed passwords are probably the last worry of victims affected by the leak, but the passwords Fratric discovered provide a reminder that even encryption algorithms recommended for protecting against guessing attacks won’t offer total protection when it comes to large leaks that contain extremely weak and non-unique passwords.

The top password so far is 123456, which was used by 200 of Ashley Madison’s users, or five percent of the 4,000 strong sample. This was followed by: password, 12345, qwerty, 12345679, ashley, baseball, abc123, 69696969, 111111, football, fuckyou, madison, asshole, superman, fuckme, hockey, 123456789, hunter, and harley.

Many of the top 20 passwords are the same as those revealed in previous password leaks.

Fratric noted that there were just 1,191 unique passwords among the cracked list.

He admitted that many of the passwords could be “throwaways” — passwords to protect information not considered that important — but, as he noted, getting anything was a win given that they were encrypted using the bcrypt algorithm. bcrypt is considered superior to the oft used MD5 at slowing down password guessing attacks, which becomes particularly important when guessing attacks are moved offline as is the case with the Ashley Madison dump.

“To someone who's used to cracking md5 passwords, this looks pretty disappointing, but it's bcrypt, so I'll take what I can get,” noted Fratric.

Fratric used the Hashcat password recovery program in combination with a list of passwords derived from the 32 million passwords that were exposed after RockYou — which didn’t encrypt user passwords at all — was hacked in 2009.

Due to power constraints, he was only able to process six million hashes from the database dump but the cryptocurrency mining rig was enough to crunch through 156 hashes a second. The rig was able to discover about 32.6 passwords per hour.

The key lesson Fractric offers from the Ashley Madison breach: “It may also be infeasible to crack any given bcrypt password, but given enough users, it doesn't matter if passwords are bcrypted and salted, a ton of passwords are eventually going to pop out.”

A few other popular passwords revealed by Fractric included zxcvbnm — a similar keyboard configuration based password to qwerty — superman, secret, scooter, mustang, mother, monkey, letmein, iloveyou and hello.

Want to know more?

Why not become a CSO member and subscribe to CSO's mailing list. 

Get newsletters, updates, events and more right here