Ashley Madison's Passwords Cracked, Soon To Be Released
New submitter JustAnotherOldGuy writes with some news that might worry anyone caught up in the Ashley Madison data breach. ("Uh-oh," he says.) Now, besides any other possible repercussions of having one's name on the list of account holders, there's a new wrinkle. The passwords used to secure those accounts were theoretically robustly protected with bcrypt. However, as Ars Technica reports,
That assurance was shattered with the discovery of the programming error disclosed by a group calling itself CynoSure Prime. Members have already exploited the weakness to crack more than 11 million Ashley Madison user passwords, and they hope to tackle another four million in the next week or two.
This would matter much less if passwords weren't so frequently re-used.
If I were interested and had the access, I'd keep a log of anyone who changed their password on any system that I owned in the next couple weeks.
I wouldn't do anything with that data. But I'd keep it. If anything interesting happened later, and I could correlate an account on AM with an account on my system that changed its password shortly after this news broke... Well, that data could be interesting.
Data isn't dangerous. Looking at it and then looking at related information is.
GeekNights!
Late Night Radio for Geeks!
This kind of stuff is the reason I never re-use passwords across services. All my passwords are randomly generated and stored by KeePass. Sure, it's a little less convenient to have to unlock the password safe in order to get into services, rather than just type in something you've already memorized. But, it's the only way to be sure that having your password compromised on one service won't compromise an account on another service. Even if the service isn't externally compromised, there are probably a lot of systems out there where employees (DB administrators, programmers) can gain access to the passwords through various methods such as logs or unaudited code.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.