Ashley Madison users warned of password risk

Graham Cluley

Loath as I am to write the words “Ashley Madison” again, there’s one development which definitely needs to be shared with anyone who created an account on the ill-fated site.

As Ars Technica reports, the hacked adultery website appears to have coughed up a piece of data that was previously felt secure: users’ passwords.

When the Ashley Madison hackers leaked close to 100 gigabytes worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them.

Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack.

You can read full details in the Ars Technica article, which credits the “CynoSure Prime” cracking team with identifying a critical weakness in the code that the Ashley Madison website was using to create password hashes for its database. It’s an interesting read for coders and fans of cryptography.

But the important message for people who had created accounts on the Ashley Madison website is not *how* their password can be extracted from the site’s leaked database, but what that means now.

And what it means is that if CynoSure Prime has worked out how to extract millions of passwords in a relatively short period of time, so could criminal hacking gangs. Therefore, if you have used the same password anywhere else on the internet, you need to change it immediately.

It’s always important to have strong, hard-to-crack, and – crucially – unique passwords for every account you create. You should never re-use passwords, just like you shouldn’t ever re-use loo paper.

Because if you do re-use passwords, hackers can take advantage of the fact. If they have your email address and Ashley Madison account password, what’s to stop them trying to use that password to unlock your web mail account, or other online services?

And it’s worth remembering that some of the accounts that tumbled out of the Ashley Madison hack were created long, long ago, perhaps years before you started your current relationship. Way back then, maybe you were much more careless with your password choices, and didn’t think twice about using easy-to-guess passwords or using the same password in different places.

To avoid future headaches, have a long hard think about your passwords – and make sure all of them are unique. If, like me and 99.999% of the population, you can’t remember lots of complicated passwords, invest in a decent password manager.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Ashley Madison users warned of password risk”

  1. coyote

    "You should never re-use passwords, just like you shouldn't ever re-use loo paper.

    Because if you do re-use passwords, hackers can take advantage of the fact."

    You might expect this from someone like me, and you probably know I don't actually expect an answer (although I certainly don't mind one way or another), but: what happens if you re-use loo paper?

    1. coyote · in reply to coyote

      Oh, and to those who don't get what I was after, and think I'm rather sordid, it is this:

      You should never re-use passwords.. just like you shouldn't ..

      Because if you do re-use passwords, …

      Logically the analogy isn't quite complete (whether it needs to be complete is another matter entirely – probably not).

    2. Graham Cluley · in reply to coyote

      Loo paper that has already been used is not effective loo paper.

      Try it sometime. Or not.

  2. Richard Houlihan

    Graham,

    I like the pieces on Ashley Madison, thanks for sharing your thoughts. I personally think it's a huge risk to corporates. The following is an article I put on LinkedIn regarding the corporate dangers: http://tinyurl.com/ozd94nm

    Keep the newsletters coming, some very valuable info in them.

    Regards,

    Richard Houlihan
