After the recent hack of infidelity website Ashley Madison, and the subsequent data dump, one area of solace was that the website seemingly encrypted user passwords securely. However, it has now been revealed that alongside the securely encrypted passwords were millions of other passwords that were hashed using the insecure hashing algorithm MD5. A team going by the name CynoSure Prime posted on Thursday about their success in cracking over 11.2 million passwords by exploiting the MD5 hashes.
Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5 […] tokens instead.
[...] we had in fact solved millions of bcrypt hashes...in days, not years. As of posting our team has successfully cracked over 11.2 million of the bcrypt hashes.
The team’s approach yielded far more success than attempts to crack the bcrypt hashes directly. Researcher Dean Pierce attempted this and managed to reveal only 4,000 passwords over 5 days.
Whilst the team have not revealed the list of passwords they were able to obtain, the details of their approach would allow others to replicate their work, and those others may not be so benevolent. This is yet another reminder not to engage in password reuse and to ensure you use complex passwords.
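One defensive check that follows from the story, as an added example that is not the article's or CynoSure Prime's code: audit a credential export for fast, unsalted digests (recognised by shape as MD5, SHA-1 or SHA-256) stored beside bcrypt hashes, because the weakest derivative of a password sets the real cost of guessing it. The schema, field names and sample rows below are constructed for illustration.

```python
import re
import hashlib

# Added example: flag fast-hash values stored next to a bcrypt hash.
# A bcrypt column protects nothing if an MD5 digest of the same secret
# sits in the same record, which is the weakness described above.

BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
FAST_HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}

def classify(value):
    """Return 'bcrypt', a fast-hash name, or None for a stored string."""
    if not isinstance(value, str):
        return None
    if BCRYPT_RE.match(value):
        return "bcrypt"
    for name, rx in FAST_HASH_RE.items():
        if rx.match(value):
            return name
    return None

def audit_rows(rows):
    """Return (account, field, hash_kind) for every fast digest that is
    stored in the same record as a bcrypt hash."""
    findings = []
    for row in rows:
        kinds = {field: classify(v) for field, v in row.items()}
        if "bcrypt" not in kinds.values():
            continue  # no slow hash here to undermine; a separate problem
        for field, kind in kinds.items():
            if kind and kind != "bcrypt":
                findings.append((row["username"], field, kind))
    return findings

# Constructed sample records (hypothetical schema): a bcrypt password
# hash plus a legacy "loginkey" column derived with plain MD5.
SAMPLE_ROWS = [
    {"username": "alice",
     "password": "$2b$12$" + "a" * 53,
     "loginkey": hashlib.md5(b"alice:correct horse").hexdigest()},
    {"username": "bob",
     "password": "$2b$12$" + "b" * 53,
     "loginkey": "n/a"},
]

if __name__ == "__main__":
    for account, field, kind in audit_rows(SAMPLE_ROWS):
        print(f"{account}: field '{field}' holds a {kind} digest beside bcrypt")
```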
Source: CynoSure Prime Blog