<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">I groaned thinking that there was yet another exploit to our dearly held encryption schemes, but this time it was bcrypt. I'm glad that isn't the case.</div><div class=""><br class=""></div><div class="">Rather, this is a sobering lesson in thinking through what you the software engineer/programmer are about to do *very* carefully when making decisions. Short version: AM correctly used bcrypt for the user's passwords, but then ... used the plaintext password (plus username) to create and store a plain md5 hash. The article does a decent job of explaining why this was a terrible idea without getting too math-y.</div><div class=""><br class=""></div><div class=""><a href="http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/" class="">http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/</a></div><div class=""><br class=""></div><div class="">The takeaway for userland is the same one repeated ad infinitum: a massive risk reduction is achieved by not using the same password for multiple sites. One massively complex password used everywhere isn't good enough. Remembering lots of passwords is impossible. Tools like 1Password (my personal choice), LastPass, KeePass, etc help fill this gap and can generate+store unique, difficult passwords for you.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">-rick</div></body></html>