Ashley Madison's Passwords Cracked, Soon To Be Released
New submitter JustAnotherOldGuy writes with some news that might worry anyone caught up in the Ashley Madison data breach. ("Uh-oh," he says.) Now, besides any other possible repercussions of having one's name on the list of account holders, there's a new wrinkle. The passwords used to secure those accounts were theoretically robustly protected with bcrypt. However, as Ars Technica reports,
That assurance was shattered with the discovery of the programming error disclosed by a group calling itself CynoSure Prime. Members have already exploited the weakness to crack more than 11 million Ashley Madison user passwords, and they hope to tackle another four million in the next week or two.
This would matter much less if passwords weren't so frequently re-used.
What exactly is the programming error they made?
Mooooo.
I can't wait to see how many users had terrible passwords, especially gov't officials. I wonder if someone could use these to get access to other sites the person uses? If, like most people, they use the same password for everything, someone could access e-mails, banks, you name it. Most of these people probably won't know if their password has been leaked until it's too late. I'm guessing few will actually change their password despite the site's hack.
Damn! They cracked my password already.
Have gnu, will travel.
If I were interested and had the access, I'd keep a log of anyone who changed their password on any system that I owned in the next couple weeks.
I wouldn't do anything with that data. But I'd keep it. If anything interesting happened later, and I could correlate an account on AM with an account on my system that changed its password shortly after this news broke... Well, that data could be interesting.
Data isn't dangerous. Looking at it and then looking at related information is.
GeekNights!
Late Night Radio for Geeks!
Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5(lc($username)."::".lc($pass)) and md5(lc($username)."::".lc($pass).":".lc($email).":73@^bhhs&#@&^@8@*$") tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart.
The summary hints at this, but somebody can illuminate more. I understand the danger of password reuse. Say you use the same password for AM as for gmail, they could get into your gmail with a script that tries to apply your AM password.
Aside from this risk, are there any other risks involved? Presumably if CC info was already revealed then there's no more risk from the pws getting revealed. Also, AM probably changed all the pws already so nobody can log into your account and update your profile for you.
What else am I missing here?
This kind of stuff is the reason I never re-use passwords across services. All my passwords are randomly generated and stored by KeePass. Sure, it's a little less convenient to have to unlock the password safe in order to get into services, rather than just type in something you've already memorized. But, it's the only way to be sure that having your password compromised on one service won't compromise an account on another service. Even if the service isn't externally compromised, there's probably a lot of systems out there where employees (DB administrators, programmers) can gain access to the passwords from various methods such as logs or unaudited code.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
If I were interested and had the access, I'd keep a log of anyone who changed their password on any system that I owned in the next couple weeks.
I wouldn't do anything with that data. But I'd keep it. If anything interesting happened later, and I could correlate an account on AM with an account on my system that changed its password shortly after this news broke... Well, that data could be interesting.
Data isn't dangerous. Looking at it and then trying to fucking blackmail people with it, is.
There ya go. FTFY.
And that's when anonymized data is no longer anonymized.
We only publish anonymized data......but you can query down to all white men, aged 24, born in Wisconsin, living in New York city, own an Apple MacBook Air, earn $60k/yr, graduated from NYU, has a degree in Marketing, etc.
If you can add enough data points, your set gets down to one person -- even though that data is anonymized.
If I were interested and had the access, I'd keep a log of anyone who changed their password on any system that I owned in the next couple weeks.
I wouldn't do anything with that data. But I'd keep it. If anything interesting happened later, and I could correlate an account on AM with an account on my system that changed its password shortly after this news broke... Well, that data could be interesting.
Data isn't dangerous. Looking at it and then looking at related information is.
Creep.
Can you really believe that some bad actor either inside or outside such a site won't find a way to ID you?
Is worse than no encryption at all.
Whale hunting season has begun. (I mean seriously.... so much effort is being put into cracking this one site and the reason is simple. To extort money. How the world can't manage to wake up and realize they could do this to any government, any business, anybody... so long as there was a juicy enough target, is beyond me.)
You haven't solved the problem.. you've just moved it down a notch.
Does this mean I have to change my password of "12345678" back to "Password"?
Damnit, now I have to go change all of my banking passwords.
If a person knows he used that site, he can just go ahead and change his passwords everywhere else. Probably even without raising suspicion of his spouse.
Similar to Panopticlick. Even just information that is easily available from your web browser can narrow you down to a specific machine. Who needs to store cookies on machines when you can pretty much identify the machine uniquely anyway.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
And I thought *my* slashid was a big number!! [I had a 5 digit one, but lost the password and the email address a decade ago :(]
Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
I'm always horribly unique whenever I check. Doesn't matter what browser I use.
Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
LOL, you're assuming people's details were accurate. I'm 7 foot tall, make 8 million per year and have 20" penus
And then? How do you get the person's name?
IDidThisToYourMama123
Okay, but how long is your penis?
I learned a lesson about this when Google notified me that someone in China used my password last weekend. Fortunately 2-factor authentication saved me from a devastating breach. I used to use 4 different passwords, depending on the type of site I used it on, with easy passwords used for non-critical logins. I now have separate random passwords on every site. It's a pain in the ass, but should be much more secure.
The Ashley Madison system stored an MD5 hash of the lower-cased username and password on the user's computer, so that they could revisit the site without having to reenter their login info.
Computing MD5 hash values is much faster than computing bcrypt() values, the hackers already had the username, and both fields were lower-cased.
They just brute forced the MD5 hash until they got a match. About 90% of the MD5 passwords matched exactly (i.e., the passwords were already in lower case); of the remaining 10% they tried uppercasing the individual letters of the password until it matched.
Security is hard. Basing the MD5 hash on a reduced-space plaintext password was the fundamental error.
Also there were some administrative lapses. They changed password hash algorithms, and then forced users to change passwords at next login. Many users hadn't logged in in several years, so this left a lot of old, insecurely hashed passwords around.
Generally poor security for such a sensitive site. Makes me wonder how good other popular sites are at security.
We really should figure out this security thing.
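The flaw described above next to one fix for it, as an added example that is not Ashley Madison's code or part of any comment in this thread: a remember-me token derived from the password lets a guess be checked with a single MD5, whatever slow hash is stored beside it, while a random token with only its digest kept server-side carries no password material. The function and class names and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def weak_login_token(username: str, password: str) -> str:
    """Token pattern quoted in this thread: md5(lc($username)."::".lc($pass))."""
    material = f"{username.lower()}::{password.lower()}"
    return hashlib.md5(material.encode()).hexdigest()


def token_confirms_guess(token: str, username: str, guess: str) -> bool:
    """One MD5 settles a guess; the slow hash stored beside it is never consulted."""
    return hmac.compare_digest(weak_login_token(username, guess), token)


def case_variants(password: str) -> int:
    """Spellings left to test against the slow hash once the lowercase form is known."""
    cased = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** cased


class RememberMeStore:
    """Hardened form: the token is random and unrelated to the password."""

    def __init__(self) -> None:
        self._owner_by_digest = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Only this digest is stored, so a database leak does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._owner_by_digest[self._digest(token)] = username
        return token

    def verify(self, token: str) -> Optional[str]:
        return self._owner_by_digest.get(self._digest(token))

    def revoke_user(self, username: str) -> int:
        """Drop every token of a user, e.g. on password change; returns the count."""
        stale = [d for d, u in self._owner_by_digest.items() if u == username]
        for digest in stale:
            del self._owner_by_digest[digest]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    user, password = "Alice", "CorrectHorse9"
    leaked = weak_login_token(user, password)
    print("weak token depends only on lowercased input:",
          leaked == weak_login_token("alice", "correcthorse9"))
    print("lowercase guess confirmed by one MD5:",
          token_confirms_guess(leaked, user, "correcthorse9"))
    print("case variants left for the slow hash:", case_variants(password))

    store = RememberMeStore()
    token = store.issue(user)
    print("random token verifies:", store.verify(token) == user)
    print("tokens revoked on password change:", store.revoke_user(user))
    print("revoked token rejected:", store.verify(token) is None)
```
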
Perhaps an open-source fixed-function password keeper (as Mooltipass) in separate trustable hardware would work?
Oink?
The Ashley Madison developers did a lot of things right. They even used strong encryption for the passwords. They improved their security over time. Yet, a couple of security bugs ended up taking the company down completely. With security, if you score 98 and the attackers score 2, finding two vulnerabilities, the bad guys win. Bugs happen. Security bugs are not okay, however.
I have a lot of respect for good application developers. The blend of skills required is fairly comprehensive - UI design, database, understanding scalability, etc. With your wide breadth of skills, are you fine folks starting to understand that security is HARD, and requires a depth of understanding? That it's one of those things where it is wise to get expert assistance?
I've been programming professionally for 20 years, and I'm pretty competent; yet I'd never design and implement my own filesystem, because filesystems are HARD to do well. There are maybe a dozen people in the world who have the specialized knowledge and experience needed to design and implement a filesystem that rivals btrfs or even ext4. I KNOW that I don't have that specialized skill. One of my best friends has also been a professional developer for 20 years. Every month, he asks me about a security related issue, because he knows that he's not a security specialist, and that bugs happen, but security bugs are not okay. Will you let those of us who live and breathe security 24/7 lend a hand before you release it next time?
Was it 12345? If so, sounds like the combination an idiot would use on his luggage...
Do not look into laser with remaining eye.
Ashley Madison assures everyone thousands of new members, a huge number of whom are women, are signing up daily. Fresh passwords all around.
It still gets me.
You run a huge operation, with thousands of users and millions of dollars flowing through it.
At which point do you need to stop and think "Actually, I need a server that does NOTHING but authentication, isolated from everything else?"
Literally a machine that can only communicate Yes or No and maybe a tiny token and every communication to it can only be replied to by yes, no, or issue of a temporary token (which can only be verified by the same machine answering yes or no).
Changing passwords is a rare, deliberate, easy-to-audit and unusual act - you could literally have a guy who has to press a button to okay each such action. Apart from that, an application has absolutely no need to do anything more than pass on info to a server that can reply yes or no. Whether that's from a initial password login, or checking a temporary token issued, that's all it needs to do.
It's not the be-all-and-end-all - you can compromise the interface and wait for a user to log on and thus capture a successful transaction - but this outright theft of every login detail and a list of things that, given time, can be turned back into passwords shouldn't be happening, should it?
I mean, quite literally, a serial cable should be able to handle such information on the scale of a half-decent sized website. Is this user 1's password? No. This is what user 2 claims his password is, can I get a token for that valid for the next hour? Is this token valid for user 2? What more beyond that do you need to program against to authenticate absolutely anything imaginable?
And even password updates - they operate on the same principle as the way that admins cannot see their user's passwords. We can update them, but we can't actually see what they were and the very act of updating them locks out (and therefore alerts) the genuine user.
Isolate this stuff. Seriously. An entire network that is air-gapped from your real network and literally the applications either side can ONLY communicate over a protocol that contains the bare minimum of commands. You could do it with an embedded device. Why are places with millions of dollars of business storing anything on a device that can be read back en-masse by even their own staff, let alone a compromised machine on the company's office network or similar?
The Wikipedia page for Ashley Madison (amongst many other sources) suggests that a large number of accounts on there were made by Ashley Madison themselves. It would be interesting to know if these 11 million are all from real people, or if some of them are the phony accounts.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
The Ashley Madison developers fulfilled a lot of management bullet points. They were presumably told to use strong encryption, so they did... incorrectly.
This will convince exactly 0 people to have their security relevant code audited, inspected, or likely even tested.
So small minded. If you were really interested, you would just log this activity forever, and then you can always mine the data for any date range. Disk is cheap, logs are small.
"I opened my eyes, and everything went dark again"
That's what I keep saying, except my first number was in the 400,000 range. My second one was in the 600,000 range. Now I have this one. The lesson learned was: Never use a difficult password for slashdot.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
Nevermind that, she's missing her period.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
You're not fooling us. You're just a cow speaking another language.
And that's when anonymized data is no longer anonymized.
Exactly. And a lot of people don't get this.
The fact is that if there are enough data points for meaningful statistical usefulness, then the data is almost certainly not genuinely "anonymous". It may be somewhat obfuscated or non-obvious, but as you pointed out you can drill down looking for valid (actual) matches and chances are very very good that you'll find them.
Just cruising through this digital world at 33 1/3 rpm...
I'm always horribly unique whenever I check. Doesn't matter what browser I use.
Pro tip: Even in 2010 UA strings in Firefox had become specific beyond the call of duty with build date, rendering engine version, OS version, and other useless stuff that browser-quirk-sniffing techniques can discard without really breaking your rendering. Erm, I recognize that UA sniffing is stupid with modern pages, but the strings are a vestigial tracking item.
My getting a UA-changer extension with pre-populated defaults for iPhone 3, iPads or plain Firefox 3.5 back then brought the uniqueness from 1 in several (20?) million to one in a hundred thousand or maybe fifty thousand IIRC
Of course, none of that helps much until you do disable flash and install noscript, and turn off cookies... and delete all browser-request languages and keep just 'en' instead of 'en-US'.
An even bigger secret than the UA is that Flash and Javascript tracking your resolution and FONT-LIST makes for a unique fingerprint. No two home users that have installed software will end with the same combination of useless fonts. That's courtesy of installing office, photoshop, games and random OEM shovelware.
I forgot to say that my totals were a combination of JS and UA fudging so I didn't gain anything I didn't already report
Another thing is that I had to manually cut down the UA version with trial and error starting off a standard string to get something essential like gecko, FF 3.5, and some maybe the OS. Some of these changes did flag me as unique until I compensated.
To GP, thanks for reminding me of all this stuff. It's not been applied on my new computers. Cheers!
I'm still trying to remember my 3-digit username/password...
Running linux blows my uniqueness through the roof.
User Agent 16.07bits | 1 in 68587.24 | Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Take that one out and my next biggest is 1 in 4987 for Browser plugin details. So overall I end up 1 in c3m browsers.
I want to start a site called marshamarshamarsha, where you can set up a profile to have sex with yourself. It's not cheating, and you do it anyway. $60 for an annual subscription to have wild, unanticipated gesticulations, guaranteed.
My domain password at work expires sometime in the near future since I got an email that says I need to change it. I guess I must be an AM user because I changed my password shortly after this news broke.
*says nothing, continues sipping coffee...*
Il n'y a pas de Planet B.
The bcrypt-ed passwords are unbroken. Apparently around 15 Million were stored using a single, non-salted, non-iterated MD5 hash. That many of these are easy to break is no surprise. Still, any user that used a good, high-entropy password is secure with MD5 as well.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
No, they did not do password protection right. Around 15 million only had MD5 as protection, and that is just utterly incompetent. And yes, it is quite possible to secure passwords you have as MD5 better retroactively, just do bcrypt(md5(password)). Apparently nobody cared or understood this.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
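One way to carry out the retroactive upgrade suggested above, which also covers the dormant accounts mentioned earlier in the thread, as an added example that is not the commenter's or Ashley Madison's code: each stored MD5 is wrapped in a salted slow hash without needing the plaintext, then replaced by a direct slow hash at the next successful login. PBKDF2 from the standard library stands in for bcrypt so the block runs without third-party packages; the record layout, function names and sample password are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune to your own hardware and latency budget


def kdf(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption): salted, iterated PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def md5_hex(password: str) -> bytes:
    # Hex form of the digest. With real bcrypt this matters: a raw MD5 digest
    # can contain a NUL byte, and many bcrypt implementations stop reading there.
    return hashlib.md5(password.encode()).hexdigest().encode()


def legacy_record(password: str) -> dict:
    """Constructed sample of an old row: single unsalted MD5, as described above."""
    return {"scheme": "md5", "hash": md5_hex(password).decode()}


def wrap_legacy(record: dict) -> dict:
    """Batch step, no plaintext needed: kdf(md5(password)) with a fresh salt."""
    if record["scheme"] != "md5":
        return record
    salt = os.urandom(16)
    return {"scheme": "kdf(md5)", "salt": salt,
            "hash": kdf(record["hash"].encode(), salt)}


def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record_to_store). A wrapped row is rehashed directly on success."""
    if record["scheme"] == "md5":
        raise ValueError("unwrapped legacy row: run wrap_legacy over the table first")
    wrapped = record["scheme"] == "kdf(md5)"
    secret = md5_hex(password) if wrapped else password.encode()
    ok = hmac.compare_digest(kdf(secret, record["salt"]), record["hash"])
    if ok and wrapped:
        # The plaintext is available only now, so drop the MD5 layer here.
        salt = os.urandom(16)
        record = {"scheme": "kdf", "salt": salt, "hash": kdf(password.encode(), salt)}
    return ok, record


if __name__ == "__main__":
    old = legacy_record("hunter2")            # constructed sample, not real data
    row = wrap_legacy(old)                    # protects users who never log in again
    print("after batch wrap:", row["scheme"])
    ok, row = verify_and_upgrade(row, "hunter2")
    print("login ok:", ok, "| stored scheme now:", row["scheme"])
    print("wrong password rejected:", not verify_and_upgrade(row, "hunter3")[0])
```
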
Bad password protection is one of the absolute standard things to check in any security review that deserves the name. Apparently, these people were arrogant in addition to incompetent and thought they could do without external review. Save a penny, lose a million (scaled up 10'000 times or so).
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Will you let those of us who live and breathe security 24/7 lend a hand before you release it next time?
Sure, I'd love for you to lend a hand. Really.
I recently finished a two-year project for a client creating an API for aggregating and analyzing social media data in near-real-time. We could tell where an earthquake happened, minutes after it happens and before it hits the news, by the tweets, to within a few hundred KM of the actual epicenter. It was developed and implemented by myself, who studied mechanical engineering, not CS, and a small team that I led. Why me? Because I am a skilled applications developer, programming professionally for a decade and as a hobby for three. But I've no CS degree and no system that I've written has ever suffered a serious security breach. Id est, I'm probably naive about security even though I perform best practices such as using bcrypt today, and individually salting passwords before that, and prepared database queries, and XSS escaping, and CSRF token, etc.
And yet, the API is running on AWS and is probably vulnerable to attacks specific to that platform. It is also vulnerable to zero-day exploits in Linux, Apache, and PHP itself. _I_ can't make it any more secure, without going down a very long tail of unlikely attack vectors, only one of which needs to be exploited.
So will you come in and lend a hand? Let's assume that you are willing to do that for free. Am I to just give you SSH access to all our systems, and trust you? Let's assume that we were to pay you as a consultant. How much would it cost this company to secure the systems, and keep them secure as a maintenance plan? And even as a consultant, how can I know to trust you? How about if I were to hire you as an employee, how much would that cost? And even so, how could I know that I trust you?
In the real world, IT systems are not 100% secure. As a user, never assume that they will be, and don't be surprised when they are cracked.
It is dangerous to be right when the government is wrong.
Ars has long advised readers to use 1Password, LastPass or another widely used password manager to store a long, randomly generated password that's unique for each account.
So their answer to online databases containing passwords being cracked is storing all your passwords in an online database? And what's worse, I see no reason to trust these companies or their employees. Once you own such a trove of people's passwords, at some point the temptation to monetize them becomes just too big.
Damn... Got to change the combination on my luggage...
It looks like someone with a clue implemented the original bcrypt system, but then later someone else came along and added the MD5 hash to make logging in easier. Classic example of a company employing a security expert to write their app, then later someone in management decides it's too much effort for their customers to be secure and tells someone else to make it easier.
I'm just amazed that AM is still in business. The loss of extremely sensitive data, the revelation about the extremely low male:female ratio and the extensive use of fembots to defraud users... Yet they are still around.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Once the cracked passwords have been published (presumably by somebody other than Cynosure) they will be analyzed by many of the same people who looked at the LinkedIn passwords and other such databases.
It's going to be interesting to find out
I mean, seriously, what AM user has not already changed their password???
All results must be an average, and if less than 10 rows are used, then return nothing.
People are generally pretty bad at estimating their own level of competence in their work, and the quality of their work, but let's assume that your work is in fact reasonably secure. There are only a few small improvements needed, it doesn't have to be completely rewritten.
Under that assumption, increased security can be quite affordable. I suspect you'll be very surprised by the low cost of a level 1 analysis. By security I don't just mean protecting confidentiality from malicious actors. If a system is put together such that you can't break it even if you're trying, it also won't break accidentally - it will be more robust. An example you're already aware of is prepared queries with bound parameters. The same coding practice protects against the same problem both as an attack and as an innocent error; both intentional injection and O'Malley trying to register. What this means is that a reasonable level of security review pays for itself in the form of better uptime and less time tracking down bugs. One hour of my time can save two hours of your time later.
Most exploitable vulnerabilities follow one of about a dozen patterns. You are already familiar with a few of those patterns. If you're familiar with Perl's taint mode, you can probably think up a couple more. Here's the cool thing - patterns in text, such as source code, can be described and found via regular expressions. That means that a set of regular expressions can find most of the common types of issues, and therefore most vulnerabilities. All you need in order to improve your security to some degree is to borrow my regular expressions for an hour. They'll show you lines of code that are probably risky. It's kinda cool. We do in fact find vulnerabilities in most custom software when we run this $150 analysis. So that's the bottom of the price range - $150 will normally find a couple of issues. Obviously more in-depth analysis costs more, but normally just a few hours of work makes a big difference.
How do you trust me, and how much do you need to trust me? At the least, you need to make a copy of your source code, then run my tool on that copy. I don't NEED any access to your systems at all. Better is to let me actually look at a copy of your code for a couple of hours, so I can filter through the results of the automated tool and take a closer look myself. It's also helpful to spend an hour on the phone talking about your system. If I hear you mention "login token", I'll be sure that gets looked at.
So how would you know who you can trust? I've been doing this for twenty years, and have built a reputation. If I were going to do something bad, I probably would have done it by now. I have a federal security clearance, I'm licensed and insured. So if I DID do anything bad, you have the assurance of my million dollar liability policy. Perhaps more importantly, you ALREADY trust me. If you use the Linux kernel, you're running my code. If you use Apache, you're running my code. If you use WordPress, I've ALREADY fixed security issues that affected your systems.
I'm not sure how the fonts list helps. On most of my computers I have the default fonts that come with the operating system. I can't think of the last time I bothered to try and install a new one.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
You just better hope that caffeine doesn't destroy memory cells. Although, with that nickname ... :^)
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
Are you the Ray Morris associated with Better CGI? Is there a better way to contact you if I ever do need your services?
Thanks.
It is dangerous to be right when the government is wrong.
I've emailed you through your contact form (which seemed to refresh, rather than confirm receipt of the message) and through the email address listed in your whois.
I'm on Slashdot a lot too. More often than I should be, if I want to have mod points.