
How we cracked millions of Ashley Madison passwords - ctz
http://cynosureprime.blogspot.com/2015/09/how-we-cracked-millions-of-ashley.html
======
djrogers
The real lesson here is that when you fix your mistakes, go back and fix your
mistakes retroactively!

AM used an insecure login token at one point, and 3 years ago they fixed it.
They switched from an MD5 of lower(pass)+username to an MD5 of the bcrypted
pass+username, which is no longer reversible.

Apparently they never updated all of the previous login tokens though, so
anyone who had created an account before the new secure system was put in
place still had a vulnerable token stored.

When it comes to security, when you fix something - fix it for everyone
people! Even if it's hard.

The good news for these folks is that the passwords revealed appear to be over
3 years old, and we all change our passwords more often than that, right????

~~~
heynk
I thought the standard way of migrating your PW hashing function was that you
could only do it during a login, because that's the only time you have the PW
in plain text. No?

~~~
encoderer
No, you just take the original _MD5 of lower(pass)+username_ and run that thru
your new bcrypt. You will have a more complicated authentication process but
it's worth it.

~~~
TallGuyShort
The entropy in the resulting hash is almost the same as a salted MD5 though,
is it not? You have more bits, but not significantly more possible hashes.

edit: I guess most people only start out with short passwords, thus limiting
the possible entropy anyway...

~~~
msbarnett
> The entropy in the resulting hash is almost the same as a salted MD5 though,
> is it not? You have more bits, but not significantly more possible hashes.

The entropy isn't the significant problem with MD5. The problem is how damn
fast you can perform 2 billion MD5 hashes on modern machines.

------
jand
For a non-native speaker, could you please confirm or invalidate my
understanding of this interesting text:

1. They attacked some login/api-token unrelated to bcrypt.

2. If I use bcrypt-validate for logins and only temporarily associate
rotating, random login/api-tokens with an account, I should not be prone to
such attacks.

Thank you very much for your help.

~~~
lostcolony
1. Yes 2. Yes

AM took the unencrypted password, lowercased it, and hashed it into an MD5
token that they then stored - conjecture is that it was used as a login token.
That is what the article indicates was cracked, since MD5 is very weak, to get
a lowercased password, then tried every permutation of capital letters on the
bcrypted passwords, to get the actual passwords out.

To avoid similar issues, if you generate a token, don't use the unencrypted
password as part of it. Random tokens are fine.

~~~
jand
I cannot upvote yet, so: Thank you, I appreciate your help!

------
snowwolf
The title of the article should really be changed to "How we cracked millions
of Ashley Madison passwords by bypassing their strong bcrypt hashes because
they thought they were clever" but that's less clickbaity

Also, never ever roll your own encryption - it will be flawed (unless you
employ at least 3 crypto experts and get it peer reviewed - and even then it's
probably still flawed).

~~~
hellbanner
I understand "never roll your own encryption" -- history is full of examples
why and we all know that encryption is hard.

But who makes encryption in the first place -- groups?

~~~
rnovak
There's a US Govt agency called NIST. They sponsor "contests" basically for
academics and engineers to put forth proposals for crypto algorithms, which
are then reviewed. I'd read up on here[1], if it interests you at all, you can
find the original academic papers regarding each of what became the standards,
and I think they have references as to the review process as well.

[1][http://csrc.nist.gov/](http://csrc.nist.gov/)

~~~
pjscott
There are also contests run by groups without any NSA affiliation, such as the
CAESAR contest for authenticated encryption [1] and, relevant to this subject,
the Password Hashing Competition [2], which recently decided on a pretty
impressive winner.

[1] [http://competitions.cr.yp.to/index.html](http://competitions.cr.yp.to/index.html)

[2] [https://password-hashing.net/](https://password-hashing.net/)

------
dsp1234
I recently found out that piwik also uses a login token of the MD5 of the
password[0]. So this mistake is still very prevalent.

 _If you want to provide a one-click automatic login to Piwik for your users,
you can use the ‘logme’ mechanism, and pass their login & the md5 string of
their password in the URL parameters:

[https://stats.example.org/index.php?module=Login&action=logm...](https://stats.example.org/index.php?module=Login&action=logme&login=your_login&password=your_MD5_password*)

[0] - [http://piwik.org/faq/how-to/#faq_30](http://piwik.org/faq/how-to/#faq_30)

~~~
notfoss
Can you open a feature request on their bug tracker to change it to a more
secure alternative?

~~~
etjossem
Good call.
[https://github.com/piwik/piwik/issues/8753](https://github.com/piwik/piwik/issues/8753)

It seems like this has been on the back burner for a while, though ...

------
nly
Don't worry. One day we'll have a standard for web login using hard hashes and
solid PAKE protocols. Right? ...right?

Nevermind then, let's go back to berating sysadmins for implementing crypto
improperly.

------
flipp3r
tl;dr they had a bad implementation and used md5 previously

~~~
ins0
they stored a static login key generated by
md5(strtolower($username).'::'.strtolower($password)); - so they could crack
the md5 part easily and bypass the bcrypt encryption

~~~
gvb
Slightly pedantic: "Discovery 1" email indicates that the $loginkey encryption
was the weak md5 method until it was changed to bcrypt in a 2012-06-14 commit.

As a result, any accounts that were created before 2012-06-24 _and_ that did
not have their password changed after that date (which would generate a new
bcrypted $loginkey) were vulnerable.

------
chinathrow
I abandon any sites which give me direct logins via URLs sent over plain text
emails.

I know, password reset keys are as bad as login keys, but usually they expire
after a certain time frame.

F*ck login keys.

~~~
asadhaider
Completely agree, Match.com does the same thing. Not so long ago a user signed
up to their site using my email address (never figured out why).

They were able to create an account and subscribe to the site without ever
verifying the email, so for a week or so I was getting notifications sent to
me without any way to unsubscribe from the email.

Clicking any of the links in the email signed me in as the user and gave me
full access to their account and billing information. I ended up going into
their account and turning off all email notifications to make the emails stop.

Edit: Just checked my trash folder and an email sent on the 8th of August
still contained valid login keys to access the account.

~~~
hellofunk
This is frightening. Who is running the security teams at these large
companies?

~~~
sbarre
You'd be surprised how often this happens. I had a similar situation with
someone who accidentally used my email when buying a new car.

For a while I was getting emails from the Hyundai dealership that had auto-
login links that would have let me do all kinds of things, including
_requesting a (paid) tow of the car from my house back to the dealership_ ,
scheduling (or cancelling) maintenance, ordering extras and parts, and more...

Luckily through that logged-in area I was able to find the individual's phone
number and we texted back and forth until he understood the problem and called
his dealership to update his info.

~~~
hellofunk
This is genuinely amazing to me. And the IT guy that set up that Hyundai
system is probably getting paid plenty to do it, despite massive flaws like
this.

~~~
sbarre
I bet you someone somewhere is making a business decision to trade technical
support costs for their customer's data security..

I bet this happens all the time.

------
nilved
What's the risk of using plaintext passwords if we assume every user is
employing long, random, unique passwords? This has always seemed like a non-
issue to me because I've been using a password manager for a half-decade.

e: Downvoting questions is mean. FWIW I always use bcrypt.

~~~
valarauca1
Could you recommend a good password manager?

~~~
mr_sturd
I'll second nilved's suggestion of _KeePass_. The database is encrypted and
stored on the local machine. I currently use _Syncthing_ to share it between
my devices.

~~~
mikejarema
Likewise, I'm _very_ happy with this exact setup after coming from a mix of
memorized password and site-dependent password-generation schemes.

I'm on Mac and found KeePassX to be a better solution than the original
KeePass, it's much lighter weight. My only hope is that KeePassX gets browser
integration at some point via keepasshttp -
[https://www.keepassx.org/dev/issues/91](https://www.keepassx.org/dev/issues/91)

~~~
mr_sturd
Ah KeePassHTTP would be lovely on Android, too, but I'll live with temporarily
stashing the passwords in my clipboard for the time being.

------
lostgame
I used to work for these guys. Their CEO was probably the single most selfish
douchebag I'd ever met.

Glad this happened to them. 'bout time Karma came a'knocking.

Oh, p.s. can confirm all women (at least 90%) are bots.

~~~
zeveb
> Their CEO was probably the single most selfish douchebag I'd ever met.

He ran a website for men wishing to cheat on their wives. The one follows the
other as night follows the day.

~~~
rbanffy
Don't forget the bots wishing to cheat on their husbands.

------
tempVariable
Like protecting your business with an industrial grade door locks on a
building made of hay. Just a whole lot of cheating going on over there, ouch.

 _edit: I don't know if this came up before, but based on how they stupidly
tried to cache the login session tokens with md5, instead of running through
the 12 work factor bcrypt, I can assume that they saw this as a bottleneck.

Instead of dropping the work factor or doing this caching baloney, could a
service be made that runs on extravagantly fast hardware, which provides an
API for strong, high work factor bcrypt, pbkdf2 based authentication.

I can assume that at around 10 rounds, each attempt takes about 50 - 100
millis_

Thoughts ?

~~~
stan_rogers
The "remember me" token doesn't need to contain or be derived from any
meaningful data at all; it merely _needs to be_ unique to the user so you can
associate it with the user, and _should be_ both unpredictable and frequently
changed/regenerated. It's just a more persistent version of the session ID
you'd be using in any case even if the "remember me" option wasn't selected.
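The token design lostcolony and stan_rogers describe (random, unique to the user, unpredictable, regenerated, never derived from the password), as an added example that is not code from the thread. It assumes an in-memory store and a constructed 30-day lifetime; the `static_loginkey` function reproduces the scheme quoted in the thread purely as the contrast case:

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 24 * 3600   # constructed value: 30 days


def static_loginkey(username: str, password: str) -> str:
    """The scheme quoted in the thread:
    md5(strtolower($username).'::'.strtolower($password)).
    It never changes, and anyone who cracks the MD5 learns the (lowercased)
    password itself, regardless of how well the password hash is protected."""
    material = "%s::%s" % (username.lower(), password.lower())
    return hashlib.md5(material.encode()).hexdigest()


class RememberMeStore:
    """Server side of a 'remember me' cookie. The token is random and unrelated
    to the password, stored only as a SHA-256 fingerprint, expires, and is
    replaced on every use."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        # fingerprint -> (username, expiry timestamp)
        self._entries: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # A stolen copy of the table yields only hashes of random tokens,
        # which cannot be reversed into anything usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        expiry = self._now() + TOKEN_TTL_SECONDS
        self._entries[self._fingerprint(token)] = (username, expiry)
        return token

    def redeem(self, token: str) -> Optional[Tuple[str, str]]:
        """Single use: on success return (username, replacement_token). The
        presented token is revoked whether or not it turns out to be valid."""
        entry = self._entries.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        username, expiry = entry
        if expiry < self._now():
            return None
        return username, self.issue(username)

    def revoke_all(self, username: str) -> int:
        """Password change or 'log out everywhere': drop every token for the user."""
        doomed = [fp for fp, (user, _) in self._entries.items() if user == username]
        for fp in doomed:
            del self._entries[fp]
        return len(doomed)
```

The rotation on redeem is what makes a leaked e-mail or old cookie worthless after its first use; `revoke_all` is the hook a password-change handler should call so that a compromise of the old password does not leave long-lived sessions behind.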

------
grandalf
> This meant that we could crack accounts created prior to this date with
> simple salted MD5.

This means that there was a decision not to force previously created accounts
to update their passwords to make their accounts more secure.

Contrast this with the big Evernote vulnerability where all users were
required to reset their passwords.

------
aruggirello
One point is not clear to me: did the crackers know $username's already, or
did they perform some kind of dictionary attack? Brute forcing both $username
and $password out of millions of hashes seems a bit hard - even considering
md5 trivial, not employing an hmac scheme.

~~~
felixhandte
They have the db dumps, so yes, they know the usernames. And they used a
rainbow table[1] to break the md5 hashes, which is a lot cheaper than brute-
forcing.

[1] [https://en.wikipedia.org/wiki/Rainbow_table](https://en.wikipedia.org/wiki/Rainbow_table)

~~~
aruggirello
Then would replacing md5() with hash_hmac('sha256' [= or whatever ],
strtolower($username) [= data ], strtolower($password) [= key ] ) help against
such an attack? If I understand correctly, this would have ruled out rainbow
tables.

Edit: clarified. BTW hash_hmac is built-in with PHP >= 5.1.2.

~~~
sbov
The problem isn't just rainbow tables. Md5 is a fast algorithm. Sha256 isn't
much slower than md5. You want anything auth related hashed using a slow
algorithm - speed is your enemy.

That's why bcrypt and the like are popular, because you can adjust how long it
will take to calculate.
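The adjustable-cost property sbov points to, as an added example that is not code from the thread. It assumes a constructed storage format `$pbkdf2-sha256$<cost>$<salt>$<hash>` with PBKDF2-HMAC-SHA256 standing in for bcrypt, and treats the cost as a log2 work factor the way bcrypt does. The practical part is `login`: because the cost is recorded beside the hash, a site can raise the policy later and upgrade each account at its next login, the only moment the plaintext is available:

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

PREFIX = "pbkdf2-sha256"   # constructed format: $pbkdf2-sha256$<cost>$<salt>$<hash>


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, cost: int, salt: Optional[bytes] = None) -> str:
    """cost is a log2 work factor like bcrypt's: 2**cost iterations."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << cost)
    return "$%s$%d$%s$%s" % (PREFIX, cost, _b64(salt), _b64(dk))


def parse(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string into (cost, salt, derived_key)."""
    _, prefix, cost, salt, dk = stored.split("$")
    if prefix != PREFIX:
        raise ValueError("unsupported hash format")
    return int(cost), base64.b64decode(salt), base64.b64decode(dk)


def verify(password: str, stored: str) -> bool:
    cost, salt, dk = parse(stored)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << cost)
    return hmac.compare_digest(cand, dk)


def needs_rehash(stored: str, target_cost: int) -> bool:
    """True when the stored hash was made at a lower cost than current policy."""
    return parse(stored)[0] < target_cost


def login(password: str, stored: str, target_cost: int) -> Tuple[bool, str]:
    """Verify; on success, if the stored cost lags policy, re-hash now."""
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored, target_cost):
        stored = hash_password(password, target_cost)
    return True, stored


def seconds_per_guess(cost: int, samples: int = 5) -> float:
    """Rough local benchmark of one guess at the given cost; each +1 on the
    cost doubles the work for the attacker exactly as it does for the server."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, 1 << cost)
    return (time.perf_counter() - start) / samples
```

Compare this with a bare `md5()` or `sha256()`: neither carries a cost parameter, so the only way to slow an attacker down is to change the algorithm, whereas here the cost is a number in the stored string that can be raised as hardware improves.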

------
wbhart
The domain name appears to be an anagram of Sony Pure Crime.

~~~
nathanasmith
Could be. Cynosure is also a noun denoting something that attracts attention
through brilliance.

------
sparkystacey
It would be awesome if some data scientist took the list of passwords and
figured out the top 100 for cheaters.

------
amelius
The article assumes that the reader knows what MDXfind is. Can somebody
explain? Is it a brute force tool?

~~~
icebraining
From searching a little, it seems it's a hash cracker that can crack many
types of hashes (MD5, SHA, etc) from the same file.

~~~
amelius
Ok, so it is a brute force tool, with some dictionary-based heuristics, I
suppose.

------
anc84
Creepy.

