(H)Ashley Madison Curiosity of the Loginkey
Date: December 2015
Publication: 9th International Conference on Passwords (Passwords15 London)
Source 1: https://passwordscon.org/wp-content/uploads/2015/12/Michael_Sprecher.pdf
Abstract or Summary:
A member of the CynoSure Prime group discusses how they cracked some of the leaked Ashley Madison user passwords. Their analysis of the site's source code revealed that passwords were not only hashed using the strong Bcrypt algorithm with a high cost, but were also hashed with a weakened MD5 in the form of a 'loginkey' field. This poor software design decision, left over from before Bcrypt had been implemented on the site, allowed people to quickly crack millions of passwords within days instead of the expected few thousand.

PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=FvTfMNFbhyI