[colug-432] 11+ million AM passwords cracked, and counting

Roberto C. Sánchez roberto at connexer.com
Thu Sep 10 12:07:34 EDT 2015

I am still absolutely blown away that stuff like this happens in 2015.
Based on my experience, it is still an epidemic.

Last year I was involved in a project (for a healthcare related system)
where the development team decided to store user passwords as plain
unsalted MD5 hashes.  The irony was that one of the programmers had put
a comment to the effect of "we should probably look at more secure
approaches."  The system was already in production when I found that

Over the past year or so I've signed up for some acocunts with different
financial sites and I was shocked when one site limited passwords to no
more than 12 characters and another to 8 characters, letters and numbers
only no special characters allowed.  Naturally, trying to call the
support lines was fruitless.  In both of those cases, though, I don't
have a choice of provider, so I can only hope that eventually see the
error of their ways and remedy the situation.



On Thu, Sep 10, 2015 at 10:40:14AM -0500, Rick Hornsby wrote:
>    I groaned thinking that there was yet another exploit to our dearly held
>    encryption schemes, but this time it was bcrypt.  I'm glad that isn't the
>    case.
>    Rather, this is a sobering lesson in thinking through what you the
>    software engineer/programmer are about to do *very* carefully when making
>    decisions.  Short version: AM correctly used bcrypt for the user's
>    passwords, but then ... used the plaintext password (plus username) to
>    create and store a plain md5 hash.  The article does a decent job of
>    explaining why this was a terrible idea without getting too math-y.
>    [1]http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
>    The takeaway for userland is the same one repeated ad infinitum: a massive
>    risk reduction is achieved by not using the same password for multiple
>    sites.  One massively complex password used everywhere isn't good enough.
>     Remembering lots of passwords is impossible.  Tools like 1Password (my
>    personal choice), LastPass, KeePass, etc help fill this gap and can
>    generate+store unique, difficult passwords for you.
>    -rick
> References
>    Visible links
>    1. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432

Roberto C. Sánchez

More information about the colug-432 mailing list