The Ashley Madison front page screams, “Over 40,860,000 anonymous members”! Not for long if the recent revelations in Ars Technica go viral. If so, many AM users may be in for a lot of grief from their romantic partners. In the past week, we’ve reported on the hack and some of the fallout. But with some 11 million passwords cracked and the prospect of more on the way, the extent of the damage may be impossible to predict.
The highly touted bcrypt hashing, an algorithm so slow and demanding that the site’s hashes were expected to take centuries to crack, has proved far less of an obstacle than advertised. Passwords that were supposed to require decades to recover have instead been recovered in a matter of a week or two. bcrypt itself has not been broken; the crackers instead found a programming shortcut that stored a second, fast-to-compute MD5 token derived from the same password alongside each bcrypt hash, which let them sidestep the slow algorithm almost entirely. What is surprising in the process is the sheer carelessness of millions of users in choosing passwords, some so simple they seemed to invite discovery.
The passwords unearthed so far by the password-cracking hobbyists known as CynoSure Prime suggest that many who were seeking thrills on the infidelity-focused site had poor digital hygiene, certainly strange behaviour for users of such a supposedly secretive site.
The top password uncovered so far… wait for it: 123456. The other passwords that made the top five aren’t much better: 12345, password, DEFAULT, and 123456789. But those (awful) passwords shouldn’t be too surprising: By some surveys, “123456” has been the most popular password uncovered in data breaches during the past two years.
Between that shortcut and users’ blatant lack of thought, the researchers have already recovered more than 11 million of the passwords in the past 10 days. In the next week they hope to tackle most of the remaining 4 million accounts that carry the same weak token, although they cautioned they may fall short of that goal. The episode underscores how a single implementation misstep can undermine an otherwise sound choice of algorithm.
What is especially alarming, according to Ars Technica, is what the cracking effort revealed about the site itself: Ashley Madison deliberately settled for weaker protection because stronger security might slow down the site, and company programmers were aware of design flaws that could lead to the site being compromised.
That, however, is a separate issue from feeble passwords. Even novice web users know that choosing a common password makes it far easier for intruders simply to guess their way into an account. Reusing passwords is a bad idea, too: otherwise a malicious hacker can take a password recovered in one breach and use it to break into your other personal accounts.
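To make the point concrete, here is a small added example, not code from the article or from the Ashley Madison site. It models a leaked account row that carries both a slow, salted hash (bcrypt in the real case) and a fast, unsalted MD5 token computed from the lowercased username and password, the form CynoSure Prime reported for the site’s older $loginkey tokens. It then compares a dictionary attack that must pay the slow hash on every guess with one that cracks the MD5 token first and only spends slow-hash work on confirming the original letter case. Assumptions: bcrypt is not in Python’s standard library, so PBKDF2-HMAC-SHA256 at a deliberately low, demo-only cost stands in for it; the wordlist is constructed filler plus the five passwords named above; and attack cost is counted as slow-hash evaluations, which is what dominates real cracking time.

```python
"""Added example, not code from the article or from the Ashley Madison site.

Each account carries a deliberately slow, salted hash (bcrypt in the real
case) and a fast unsalted MD5 token of lower(username)::lower(password).
A dictionary attack that pays the slow hash on every guess is compared with
one that cracks the MD5 token first and then confirms letter case.

Assumptions: PBKDF2-HMAC-SHA256 at a low demo cost stands in for bcrypt;
the wordlist is constructed; cost is counted as slow-hash evaluations.
"""
import hashlib
import itertools
import os
from typing import Iterator, Optional, Sequence

# The top five passwords reported from the cracking effort (from the article).
TOP_FIVE = ["123456", "12345", "password", "DEFAULT", "123456789"]

# Constructed wordlist: 1000 decoys first, so the real passwords sit deep in it.
DECOYS = [f"word{i:04d}" for i in range(1000)]
WORDLIST = DECOYS + TOP_FIVE

# Assumption: a cost low enough for a quick run; bcrypt at a real work factor
# is thousands of times more expensive per guess.
SLOW_ITERATIONS = 1_000

slow_hash_calls = 0  # every expensive evaluation the attacker has to perform


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for bcrypt: salted and deliberately slow."""
    global slow_hash_calls
    slow_hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def weak_loginkey(username: str, password: str) -> str:
    """Fast, unsalted token: MD5 of lower(username) + '::' + lower(password),
    the form CynoSure Prime reported for the older $loginkey tokens."""
    return hashlib.md5(f"{username.lower()}::{password.lower()}".encode()).hexdigest()


def make_account(username: str, password: str) -> dict:
    """One leaked row: username, salt, slow hash and the weak token side by side."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "slow": slow_hash(password, salt),
        "loginkey": weak_loginkey(username, password),
    }


def crack_slow_only(account: dict, wordlist: Sequence[str]) -> Optional[str]:
    """Dictionary attack that must pay the slow hash for every guess."""
    for guess in wordlist:
        if slow_hash(guess, account["salt"]) == account["slow"]:
            return guess
    return None


def case_variants(word: str) -> Iterator[str]:
    """Every upper/lower spelling of word: 'ab' -> ab, aB, Ab, AB."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def crack_via_loginkey(account: dict, wordlist: Sequence[str]) -> Optional[str]:
    """Crack the MD5 token first (cheap, no slow hashing), then recover the
    original case by testing spellings against the slow hash. A password with
    no letters costs exactly one slow hash; one with n letters costs at most 2**n."""
    for guess in wordlist:
        if weak_loginkey(account["username"], guess) != account["loginkey"]:
            continue
        for candidate in case_variants(guess):
            if slow_hash(candidate, account["salt"]) == account["slow"]:
                return candidate
    return None


def compare(username: str, password: str, wordlist: Sequence[str] = WORDLIST) -> dict:
    """Crack one account both ways; report the slow-hash evaluations each needed."""
    global slow_hash_calls
    account = make_account(username, password)
    slow_hash_calls = 0
    via_slow = crack_slow_only(account, wordlist)
    cost_slow = slow_hash_calls
    slow_hash_calls = 0
    via_token = crack_via_loginkey(account, wordlist)
    cost_token = slow_hash_calls
    return {
        "slow_only": via_slow, "slow_only_cost": cost_slow,
        "via_token": via_token, "via_token_cost": cost_token,
    }


if __name__ == "__main__":
    # "Tr0ub4dor&3" is not in the wordlist: neither route recovers it.
    for user, pw in [("alice", "DEFAULT"), ("bob", "123456789"), ("carol", "Tr0ub4dor&3")]:
        print(user, compare(user, pw))
```

For “DEFAULT”, the slow-only route needs 1004 slow evaluations (one per wordlist entry up to the hit) while the token route needs only the 128 case spellings; for an all-digit password the token route needs exactly one. A password that is not in the wordlist costs the slow-only attacker the whole list and costs the token attacker nothing at all, since no MD5 match is ever found, which is why the weak token, not bcrypt, decided how fast those 11 million passwords fell.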
In any event, the fiasco looks like the gift that keeps on giving for lawyers, and a headache not soon to go away for the millions of subscribers exposed by the breach. It is a cautionary tale for users of similar tawdry sites. In this day and age, you’re never completely anonymous, and even less so when you use childishly contrived passwords. We haven’t had the last of the fallout yet – stay tuned.