UPDATE: CynoSure Prime will not be releasing the passwords over the internet. They cracked them to raise awareness of the need for strong passwords.
Security research group CynoSure Prime cracked around 11 million passwords from the leaked private data of the married dating service Ashley Madison.
Online married dating service Ashley Madison has been mired in controversy lately. Vital information about its registered users was compromised, and the private data became public after the site was hacked. That, however, was not the end of the story: much to the dismay of the users, it has now been revealed that their passwords have also been cracked.
Another set of hackers, or rather password crackers, worked on the data released by the hackers of the website. Security research group CynoSure Prime succeeded in discovering and exposing blunders Ashley Madison made in hashing the passwords of around 16 million accounts out of the 32 million that were hacked, and was thus able to unveil 11,542,930 passwords. The hobbyist crackers revealed the findings in a blog post on Thursday.
The site's source code revealed that although the passwords themselves were hashed with bcrypt, the website used MD5, a weak hashing algorithm, for some of its login tokens.
This was evidenced by the fact that out of the 36 million hashed passwords, 2.6 million were cracked in a few hours using just one computer. According to the cracking team, the foremost mistakes made by Ashley Madison were converting all passwords to lowercase letters and running them through MD5, one of the weakest hashing algorithms for passwords. In addition, it was surprising to note that the dating site used one kind of hashing for a single set of passwords and another for the remaining passwords. According to the researchers, fewer than 5 million of the cracked passwords are unique.
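To make the two mistakes concrete, here is an added illustration (not Ashley Madison's or CynoSure Prime's code; the exact token format is assumed, as is the use of PBKDF2 in place of bcrypt because it ships with Python's standard library). It contrasts a login token derived from the lowercased password with unsalted MD5 against a salted slow hash plus a random, password-independent token.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed shape of the weak token described in the article: unsalted MD5 over
# the lowercased password. Fast to compute, and every case variant of the
# password collapses to the same value.
def weak_login_token(password: str) -> str:
    return hashlib.md5(password.lower().encode("utf-8")).hexdigest()

def case_variants_collapsed(password: str) -> int:
    """How many case variants of `password` map to one weak token: 2^(letters)."""
    return 2 ** sum(ch.isalpha() for ch in password)

# Hardened password storage: per-user random salt and a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 is used here because it needs no extra package; bcrypt,
# scrypt or Argon2 are the usual production choices.
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# Hardened login token: random and unrelated to the password, stored only as a
# SHA-256 digest so a leaked token table reveals nothing about credentials.
def issue_login_token() -> Tuple[str, str]:
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()

def token_matches(token: str, stored_digest: str) -> bool:
    candidate = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored_digest)
```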
Since more cracked passwords are still coming in, the group will release the full set of statistics to the press in the near future via blogs and articles.
CynoSure took advantage of these mistakes by attacking the MD5 tokens to recover the weakly protected passwords. Having cracked one-third of the total hoard of leaked passwords, the Californian company found that the most common and frequently used passwords included s123456, 12345, password and default, among several others.
Cybersecurity firm Avast also cracked 27,000 passwords from the same site. According to Avast, many of the other terms used as passwords were so vulgar that they cannot be published.
Users are advised not to use common words as passwords, since they can be easily cracked by experienced crackers; and if they are too easy to crack, even novice attackers can recover them. It was very surprising to see words like DEFAULT, password, qwerty, abc123, football, baseball, etc. in the list of cracked passwords.
Privacy cannot be guaranteed with such passwords. Websites, for their part, should use strong password hashing algorithms to secure their users' private information, but on second thought not every website can be trusted to do so, so the onus eventually falls on the users. They should also not reuse the same password across accounts on different websites: the hacking of one website might lead to accounts on various other sites across the web being compromised. Indeed, a unique password is better than a strong one.