[colug-432] 11+ million AM passwords cracked, and counting
Roberto C. Sánchez
roberto at connexer.com
Thu Sep 10 12:07:34 EDT 2015
I am still absolutely blown away that stuff like this happens in 2015.
Based on my experience, it is still an epidemic.
Last year I was involved in a project (for a healthcare related system)
where the development team decided to store user passwords as plain
unsalted MD5 hashes. The irony was that one of the programmers had put
a comment to the effect of "we should probably look at more secure
approaches." The system was already in production when I found that
Over the past year or so I've signed up for some accounts with different
financial sites and I was shocked when one site limited passwords to no
more than 12 characters and another to 8 characters, letters and numbers
only, no special characters allowed. Naturally, trying to call the
support lines was fruitless. In both of those cases, though, I don't
have a choice of provider, so I can only hope that they eventually see the
error of their ways and remedy the situation.
On Thu, Sep 10, 2015 at 10:40:14AM -0500, Rick Hornsby wrote:
> I groaned thinking that there was yet another exploit to our dearly held
> encryption schemes, but this time it was bcrypt. I'm glad that isn't the
> Rather, this is a sobering lesson in thinking through what you the
> software engineer/programmer are about to do *very* carefully when making
> decisions. Short version: AM correctly used bcrypt for the user's
> passwords, but then ... used the plaintext password (plus username) to
> create and store a plain md5 hash. The article does a decent job of
> explaining why this was a terrible idea without getting too math-y.
> The takeaway for userland is the same one repeated ad infinitum: a massive
> risk reduction is achieved by not using the same password for multiple
> sites. One massively complex password used everywhere isn't good enough.
> Remembering lots of passwords is impossible. Tools like 1Password (my
> personal choice), LastPass, KeePass, etc help fill this gap and can
> generate+store unique, difficult passwords for you.
> Visible links
> 1. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
Roberto C. Sánchez