Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ashley Madison's Passwords Cracked, Soon To Be Released

Posted by timothy on from the 'splainin'-to-do dept.

New submitter JustAnotherOldGuy writes with some news that might worry anyone caught up in the Ashley Madison data breach. ("Uh-oh," he says.) Now, besides any other possible repercussions of having one's name on the list of account holders, there's a new wrinkle. The passwords used to secure those accounts were theoretically robustly protected with bcrypt. However, as Ars Technica reports, That assurance was shattered with the discovery of the programming error disclosed by a group calling itself CynoSure Prime. Members have already exploited the weakness to crack more than 11 million Ashley Madison user passwords, and they hope to tackle another four million in the next week or two. This would matter much less if passwords weren't so frequently re-used.

4 of 146 comments (clear)

  1. Re:Programming error by sirber · · Score: 4, Interesting

    saved tokens for automatic login, in MD5

    --
    Be or ben't
  2. Re:See who changes their password in the coming we by SQLGuru · · Score: 4, Interesting

    And that's when anonymized data is no longer anonymized.

    We only publish anonymized data......but you can query down to all white men, aged 24, born in Wisconsin, living in New York city, own an Apple MacBook Air, earn $60k/yr, graduated from NYU, has a degree in Marketing, etc.

    If you can add enough data points, your set gets down to one person -- even though that data is anonymized.

  3. Do great app devs now understand security is hard? by raymorris · · Score: 3, Interesting

    The Ashley Madison developers did a lot of things right. They even used strong encryption for the passwords. They improved their security over time. Yet, a couple of security bugs ended up taking the company down completely. With security, if you score 98 and the attackers score 2, finding two vulnerabilities, the bad guys win. Bugs happen. Security bugs are not okay, however.

    I have a lot respect for good application developers. The blend of skills required is fairly comprehensive - UI design, database, understanding scalability, etc. With your wide breadth of skills, are you fine folks starting to understand that security is HARD, and requires a depth of understanding? That it's one of those things where it is wise to get expert assistance?

    I've been programming professionally for 20 years, and I'm pretty competent; yet I'd never design and implement my own filesystem, because filesystems are HARD to do well. There are maybe a dozen people in the world who have the specialized knowledge and experience needed to design and implement a filesystem that rivals btrfs or even ext4. I KNOW that I don't have that specialized skill. One of my best friends has also been a professional developer for 20 years. Every month, he asks me about a security related issue, because he knows that he's not a security specialist, and that bugs happen, but security bugs are not okay. Will you let those of us who live and breath security 24/7 lend a hand before you release it next time?

  4. Security by ledow · · Score: 5, Interesting

    It still gets me.

    You run a huge operation, with thousands of users and millions of dollars flowing through it.

    At which point do you need to stop and think "Actually, I need a server that does NOTHING but authentication, isolated from everything else?"

    Literally a machine that can only communicate Yes or No and maybe a tiny token and every communication to it can only be replied to by yes, no, or issue of a temporary token (which can only be verified by the same machine answering yes or no).

    Changing passwords is a rare, deliberate, easy-to-audit and unusual act - you could literally have a guy who has to press a button to okay each such action. Apart from that, an application has absolutely no need to do anything more than pass on info to a server that can reply yes or no. Whether that's from a initial password login, or checking a temporary token issued, that's all it needs to do.

    It's not the be-all-and-end-all - you can compromise the interface and wait for a user to log on and thus capture a successful transaction - but this outright theft of every login detail and a list of things that, given time, can be turned back into passwords shouldn't be happening, should it?

    I mean, quite literally, a serial cable should be able to handle such information on the scale of a half-decent sized website. Is this user 1's password? No. This is what user 2 claims his password is, can I get a token for that valid for the next hour? Is this token valid for user 2? What more beyond that do you need to program against to authenticate absolutely anything imaginable?

    And even password updates - they operate on the same principle as the way that admins cannot see their user's passwords. We can update them, but we can't actually see what they were and the very act of updating them locks out (and therefore alerts) the genuine user.

    Isolate this stuff. Seriously. An entire network that is air-gapped from your real network and literally the applications either side can ONLY communicate over a protocol that contains the bare minimum of commands. You could do it with an embedded device. Why are places with millions of dollars of business storing anything on a device that can be read back en-masse by even their own staff, let alone a compromised machine on the company's office network or similar?