Flaws found in Ashley Madison password protection


The BBC news website reports that more than 11 million passwords stolen in the Ashley Madison website hack have been decoded by a password-cracking group.

Initially, it was thought that the hacked passwords were unbreakable because they had been hashed with bcrypt, which effectively scrambles the password. However, an amateur password-cracking group called Cynosure Prime discovered that the site had at some point changed the way passwords were stored, which reduced the strength of the bcrypt protection. As a result the group has been able to crack 11 million of the passwords scrambled since the change was made.
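To show why a change in storage scheme matters so much, here is an added example (not from the BBC report or this blog) that measures how many times cheaper each offline guess becomes when a slow, tunable hash is replaced by a fast one. bcrypt is not in Python's standard library, so hashlib.pbkdf2_hmac stands in for it and plain SHA-1 stands in for a fast hash; neither is a claim about what Ashley Madison actually stored.

```python
"""Defender's estimate of how much a weaker storage scheme speeds up guessing.

Added example, not the blog's or the site's code. PBKDF2 stands in for bcrypt
(both have a tunable work factor); unsalted SHA-1 stands in for a fast hash.
"""
import hashlib
import hmac
import os
import time

# Constructed sample data: one random salt and one tunable work factor.
SALT = os.urandom(16)
SLOW_COST = 50_000   # iterations per guess, analogous to bcrypt's cost parameter


def slow_hash(password: bytes, salt: bytes = SALT, cost: int = SLOW_COST) -> bytes:
    """Adaptive hash: 'cost' iterations per guess, so raising cost slows attackers."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, cost)


def fast_hash(password: bytes) -> bytes:
    """Single unsalted fast hash: one cheap operation per guess, no work factor."""
    return hashlib.sha1(password).digest()


def verify(password: bytes, stored: bytes) -> bool:
    """Check a login attempt against a slow-hash record in constant time."""
    return hmac.compare_digest(slow_hash(password), stored)


def guesses_per_second(hasher, samples: int) -> float:
    """Measure offline guess throughput for one hashing scheme on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hasher(b"candidate-%d" % i)
    return samples / (time.perf_counter() - start)


def weakening_factor() -> float:
    """How many times cheaper each guess becomes after switching to the fast scheme."""
    slow = guesses_per_second(slow_hash, samples=10)
    fast = guesses_per_second(fast_hash, samples=20_000)
    return fast / slow


if __name__ == "__main__":
    stored = slow_hash(b"correct horse")
    print("verify ok:", verify(b"correct horse", stored), verify(b"wrong", stored))
    print("slow guesses/s: %.1f" % guesses_per_second(slow_hash, 10))
    print("fast guesses/s: %.0f" % guesses_per_second(fast_hash, 20_000))
    print("each guess is ~%.0fx cheaper under the fast scheme" % weakening_factor())
```

The exact factor depends on the machine, but it is typically in the thousands, which is the difference between a leak that takes years to crack and one that takes days.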

Exactly why Ashley Madison changed the way passwords were stored is not known, but it is speculated that the change was made to make accessing the site easier.

A previous Newsblog post highlighted that the reputational and financial impact on companies of customer data loss is often of limited significance, a situation which probably explains why security failures such as the weakness in the Ashley Madison passwords are often not addressed.