What Ashley Madison got right

Ashley Madison

Amongst the hyperbole and horror of the Ashley Madison hack there is a bit of good news. OK, perhaps not exactly good news, but some more bad news that might have happened and didn’t.

There isn’t a trove of millions of cracked Ashley Madison passwords.

If a username and password can be stolen from one site there’s a good chance it will work on lots of others too because many users habitually reuse their passwords. It’s a bad habit that gives successful attackers a free hit at dozens of other websites and spreads the misery a lot more widely.

That hasn’t happened to Ashley Madison users, which means that while the scope of the attack might be devastating, it is in some important respects contained.

And that’s because the passwords held by Ashley Madison were stored correctly, something that’s laudable enough that it’s worth pointing out.

In fact, strictly speaking, Ashley Madison didn’t store any passwords at all. What the company kept in its database were hashes created by passing users’ passwords through a key derivation function (in this case bcrypt).

A key derivation function takes a password and transforms it through the magic of cryptography in to a hash—a string of binary data of a fixed length, typically from 160 to 256 bits (20 to 32 bytes) long.

💡 Learn more: Salting, hashing and key derivation ►

That’s good, because passwords can be turned in to hashes, but proper cryptographic hashes are “one way functions”, so you can’t turned them back into passwords.

The authenticity of a user’s password can be determined when they log in by passing it through the key derivation function and seeing if the resulting hash matches a hash stored when the password was first created.

That way, an authentication server only ever needs a user’s password very briefly in memory, and never needs to save it on disk, even temporarily.

So, the only way to crack hashed passwords stored to guess: try password after password and see if the right hash turns up.

Password cracking programs do that automatically: they generate a sequence of possible passwords, put each one through the same key generation function their victim used, and see if the resulting hash is in the stolen database.

Most guesses fail, so password crackers are equipped to make billions of guesses.

Hash derivation functions like bcrypt, scrypt and PBKDF2 are designed to make the cracking process harder by requiring lots more computational resources than just a single hash calculation, forcing crackers to take longer to make each guess.

A single user will barely notice the extra time it takes to log in, but a password cracker whose aim is to generate as many hashes as possible in the shortest possible time can be left with little to show for the effort.

An effect ably demonstrated by Dean Pierce, a blogger who decided to have some fun cracking Ashley Madison hashes.

The optimistic Mr Pierce set about cracking the first 6 million hashes (from a total of 36 million) from the adultery hookup site’s stolen database.

Using oclHashcat running on a $1,500 bitcoin mining rig for 123 hours he managed to test 156 hashes per second:

Yes, that's right, 156 hashes per second.  To someone who's used to cracking md5 passwords, this looks pretty disappointing, but it's bcrypt, so I'll take what I can get.

After five days and three hours work he stopped. He had cracked just 0.07% of the hashes, revealing a little over 4,000 passwords having tested about 70 million guesses.

That might seem a lot of guesses but it’s not.

Good passwords, created according to the kind of proper password advice that we advocate, can stand up to 100 trillion guesses or more.

What Pierce uncovered were the very dregs at the bottom of the barrel.

Password crackers are carefully programmed to try what they think are the most likely guesses first, so that 123456 and PASSWORD will be tried long before WXZQAN and 34DF%%R9.

In other words, the first passwords to be revealed are inevitably the easiest to guess, so what Pierce found was a collection of truly awful passwords.

The top 20 passwords he recovered are listed below. For anyone used to seeing lists of cracked passwords, or the annual list of the worst passwords in the world, there are no surprises.

Password Occurrences (out of 4007)
123456 202
password 105
12345 99
qwerty 32
12345678 31
ashley 28
baseball 27
abc123 27
696969 23
111111 21
football 20
f***you 20
madison 20
a**hole 19
superman 19
f***me 19
hockey 19
123456789 19
hunter 18
harley 18

The terrible nature of these passwords demonstrates neatly that password security is a partnership between the users who think up the passwords and the organisations that store them.

If Ashley Madison hadn’t stored their passwords correctly then it wouldn’t matter if users had chosen strong passwords or not, millions of good passwords could have been compromised.

When passwords are stored correctly, however, as they were in this case, they’re unbelievably hard to crack, even if the data theft is an inside job.

Unless the passwords are really bad.

If your password is PASSWORD or 123456, or a word you’d find in a dictionary with a few L3TT3R5 5W4PP3D 0UT for numbers then it’s toast, no matter how well it’s stored.

(I’m not going to let Ashley Madison completely off the hook, of course: the company stored its users’ passwords well but it didn’t stop users from choosing truly bad ones, and it didn’t stop the hashes from being stolen.)

Crackers tend to unearth a lot of bad passwords very quickly, but the law of diminishing returns soon kicks in.

In 2012 Naked Security’s own Paul Ducklin spent a few hours cracking passwords from the Philips data breach (passwords that were not as well stored as Ashley Madison’s).

He was able to crack far more passwords than Pierce with less powerful equipment, because the hashes weren’t computationally expensive to crack, but the results clearly show how the total number of passwords cracked quicky levels out.

25% of the Philips passwords lasted just 3 seconds.

Then it took 50 minutes to get the next 25% of of the passwords, and a full hour after that to crack a further 3%.

Had he continued, then the time between cracking each new password would have increased, and the curve would have looked flatter and flatter.

Before long he’d have been faced with hour-long gaps between successful password cracks, then days, then weeks…

Unfortunately, as Ashley Madison’s users found out, you can’t tell if the companies you deal with are going to keep all your data safe, just your password or none of it at all.

What you can do is be circumspect about who you give real data to, and keep your side of the password bargain by giving companies a strong and unique password to store:

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)