Parallel Passwords Cracked Faster

Dan Goodin writes in Ars Technica about how there appear to be parallel sets of passwords in Ashley Madison’s data dump.  One encrypted with bcrypt, a slower method that takes longer to crack, and the other MD5, which is faster.  The second appears to have been for user convenience.

I’d been re-reading Clifford Stoll’s The Cuckoo’s Egg, which has an excellent, non-technical explanation on how you undo a one-way encryption of a password (spoiler: you don’t.  You just match the encrypted ends after running known words through the encryption; the ends will match, indicating the starting point).  I was reminded of this because the Ashley Madison passwords hashed with MD5 were then compared with the bcrypt versions.

Goodin’s piece is particularly interesting as it walks through how the cracking team tests the uncovered MD5 version of the password against bcrypt if it’s not a perfect match.  If it isn’t already on your law firm’s list of questions for companies providing security around your data (in the cloud or elsewhere), it looks like knowing how they’re salting and hashing passwords should probably be on it.

Originally posted on LinkedIn.

David Whelan

I improve information access and lead information teams. My books on finding information and managing it and practicing law using cloud computing reflect my interest in information management, technology, law practice, and legal research. I've been a library director in Canada and the US, as well as directing the American Bar Association's Legal Technology Resource Center. I speak and write frequently on information, technology, law library, and law practice issues.