(H)Ashley Madison Curiosity of the Loginkey
Author(s): Michael Sprecher

Date: December 2015
Publication: 9th International Conference on Passwords (Passwords15 London)
Source 1: https://passwordscon.org/wp-content/uploads/2015/12/Michael_Sprecher.pdf

Abstract or Summary:
A member of the CynoSure Prime group discusses how they cracked some of the leaked Ashley Madison user passwords. Their analysis of the site's source code revealed that passwords were not only hashed with the strong Bcrypt algorithm at a high cost, but were also hashed with a weakened MD5 in the form of a 'loginkey' field. This poor software design decision, left over from before Bcrypt had been implemented on the site, allowed people to crack millions of passwords within days instead of the expected few thousand.

PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=FvTfMNFbhyI

