Now that a hobbyist team has uncovered programming errors that make more than 15 million of the Ashley Madison account passwords orders of magnitude faster to crack, it will be only a matter of time before a large percentage of them are available to hackers everywhere. And given how rampant password reuse is, the tsunami-sized torrent is sure to affect accounts all over the Internet.
As Ars chronicled in a 2012 feature headlined Why passwords have never been weaker—and crackers have never been stronger, it’s not unusual for Twitter, Amazon, and online services to monitor large leaks and require password changes for affected users. As we reported:
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren’t typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites’ servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.
The warnings Brooks and millions of other people received that December weren’t fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.
“The danger of weak password habits is becoming increasingly well-recognized,” said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, “show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks.”
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
Until now, there was good reason to believe the 36 million Ashley Madison user passwords published last month would never be cracked. After all, website developers protected them with bcrypt, a hash function so slow and computationally demanding it would require years or decades of around-the-clock processing with super-expensive computers to decipher even a small percentage of them. That assurance was shattered with the discovery of the programming error disclosed by a group calling itself CynoSure Prime. Members have already exploited the weakness to crack more than 11 million Ashley Madison user passwords, and they hope to tackle another four million in the next week or two.