[colug-432] 11+ million AM passwords cracked, and counting

[Rick Hornsby]

I groaned thinking that there was yet another exploit to our dearly held encryption schemes, but this time it was bcrypt.  I'm glad that isn't the case.

Rather, this is a sobering lesson in thinking through what you the software engineer/programmer are about to do *very* carefully when making decisions.  Short version: AM correctly used bcrypt for the user's passwords, but then ... used the plaintext password (plus username) to create and store a plain md5 hash.  The article does a decent job of explaining why this was a terrible idea without getting too math-y.

http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/ <http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/>

The takeaway for userland is the same one repeated ad infinitum: a massive risk reduction is achieved by not using the same password for multiple sites.  One massively complex password used everywhere isn't good enough.  Remembering lots of passwords is impossible.  Tools like 1Password (my personal choice), LastPass, KeePass, etc help fill this gap and can generate+store unique, difficult passwords for you.


-rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.colug.net/pipermail/colug-432/attachments/20150910/2456d25f/attachment.html