An early lesson for CISOs from the Ashley Madison breach

It will be a while before all of the lessons for CISOs from the Ashley Madison hack will emerge, in part because we don’t know yet all of the defence mechanisms parent company Avid Life Media had in place.

But one discovery has emerged from the exposure of the company’s source code for application security: It used the MD5 cryptographic hashing algorithm that uses 128-bit hash values to protect passwords. Good enough? Nope — at least not the way it was implemented. On Thursday a group called CynoSure Prime said it took only a few days to crack 11 million Ashley Madison passwords found in the data dump that were entered before June 14, 2012, which is when Avid’s IT team apparently increased security.

Briefly, they cracked the MD5 token and then case-corrected it against its bcrypt counterpart. In case your encryption skills aren’t up to it, Ars Technica has a more detailed explanation here.

MD5 dates back to 1991, but according to Wikipedia flaws were discovered only five years later, followed by more in 2004. As far back as 2008 the Carnegie Mellon Software Engineering Institute warned software developers, certification authorities and website owners to avoid using the MD5 algorithm in any capacity. “As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.”

“MD5 hashes create a cryptographic identifier for files,” noted security analyst Jon Oltsik in an email.  “If any character in a file changes that the hash value changes as well.”

Still, he says, the replacement for MD5 is SHA-2.  “Security professionals should make sure that any application that uses file hashing uses SHA-2 and not MD5.”

“CISOs should use these revelations to make certain that MD5 hashes are not being used in any business critical way,” adds John Kindervag, enterprise security analyst at Forrester Research.

As for end users, think about changing passwords on any system you haven’t used in a while (old email, hobby sites, technical support sites etc.) where they might have been using MD5. And, of course, use strong passwords and don’t use the same password on more than one site.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web