Lessons learned from cracking 4,000 Ashley Madison passwords

When hackers released password data for more than 36 million Ashley Madison accounts last week, big-league cracking expert Jeremi Gosney didn't bother running them through one of his massive computer clusters built for the sole purpose of password cracking. The reason: the passwords were protected by bcrypt, a cryptographic hashing algorithm so strong that Gosney estimated it would take years, using a highly specialized computer cluster, just to check the dump against the top 10,000 most commonly used passwords.

So fellow security expert Dean Pierce stepped in to fill the vacuum, and his experience confirms Gosney's assessment. The long and short of his project is that after five days of nonstop automated guessing on a moderately fast server built specifically for compute-intensive cryptographic operations, he recovered just 4,000 of the underlying plaintext passwords. Not surprisingly, the passwords Pierce extracted from just the first 6 million entries in the Ashley Madison table look as weak as those from just about any data breach. Here are the top 20 and the number of users who chose each one:

Password      Number of users
123456        202
password      105
12345          99
qwerty         32
12345678       31
ashley         28
baseball       27
abc123         27
696969         23
111111         21
football       20
fuckyou        20
madison        20
asshole        19
superman       19
fuckme         19
hockey         19
123456789      19
hunter         19
harley         18

Most of the lessons gleaned from Pierce's exercise involve the secure storage of passwords at rest. We'll get to that in a moment. But first, a few observations about the top 20 passwords uncovered. First, they come from the first six million hashes stored in the Ashley Madison database. Depending on how the list was organized, that may mean they belong to the earliest six million accounts created during the site's 14 years in operation. Passwords from the last million entries—which might have been created in the last few years—could be stronger.
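Added illustration, not code from the article or from Pierce's project: a small Python model of why bcrypt's per-account salt and slow hashing multiply the attacker's work. With an unsalted fast hash, each guess is hashed once and matched against every account; with a per-account salt, each guess must be re-hashed for every account, and a slow hash makes each of those operations expensive. SHA-256 stands in for the real hash so the block runs offline, and the guesses-per-second figure is an assumption, not a measured bcrypt rate.

```python
import hashlib
import os

# Constructed wordlist (of the kind listed above) and constructed accounts.
WORDLIST = ["123456", "password", "qwerty"]
CREDENTIALS = {"alice": "password", "bob": "hunter2", "carol": "123456"}


def make_unsalted_store(credentials):
    """Unsalted storage: {account: sha256(password)}; identical passwords collide."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in credentials.items()}


def make_salted_store(credentials):
    """Per-account random salt, as bcrypt does; returns {account: (salt, hash)}."""
    store = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.sha256(salt + pw.encode()).hexdigest())
    return store


def unsalted_attack(wordlist, store):
    """Hash every guess once, then match the table against every account.
    Returns (hash operations performed, {account: recovered password})."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return len(wordlist), cracked


def salted_attack(wordlist, store):
    """Every guess is re-hashed with each account's own salt; no shared table helps.
    Returns (hash operations performed, {account: recovered password})."""
    ops, cracked = 0, {}
    for user, (salt, h) in store.items():
        for w in wordlist:
            ops += 1
            if hashlib.sha256(salt + w.encode()).hexdigest() == h:
                cracked[user] = w
                break
    return ops, cracked


def estimated_years(accounts, wordlist_size, guesses_per_second):
    """Wall-clock estimate for a salted slow hash: accounts x guesses at an assumed rate."""
    return accounts * wordlist_size / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("unsalted:", unsalted_attack(WORDLIST, make_unsalted_store(CREDENTIALS)))
    print("salted:  ", salted_attack(WORDLIST, make_salted_store(CREDENTIALS)))
    # 36 million accounts, a 10,000-word list, assumed 5,000 bcrypt guesses per second
    print("years:   ", round(estimated_years(36_000_000, 10_000, 5_000), 1))
```

The unsalted run performs one hash per guess regardless of how many accounts are in the dump; the salted run scales with accounts times guesses, which is the multiplication that put the bcrypt-protected dump out of reach of a top-10,000 check.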
