It will be a while before all of the lessons for CISOs from the Ashley Madison hack emerge, in part because we don’t yet know all of the defence mechanisms parent company Avid Life Media had in place.
But one application security discovery has emerged from the exposure of the company’s source code: it used the MD5 cryptographic hashing algorithm, which produces 128-bit hash values, to protect passwords. Good enough? Nope — at least not the way it was implemented. On Thursday a group called CynoSure Prime said it took only a few days to crack 11 million Ashley Madison passwords found in the data dump that were entered before June 14, 2012, which is when Avid’s IT team apparently increased security.
Briefly, they cracked the MD5 token and then case-corrected it against its bcrypt counterpart. In case your encryption skills aren’t up to it, Ars Technica has a more detailed explanation here.
MD5 dates back to 1991, but according to Wikipedia flaws were discovered only five years later, followed by more in 2004. As far back as 2008 the Carnegie Mellon Software Engineering Institute warned software developers, certification authorities and website owners to avoid using the MD5 algorithm in any capacity. “As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.”
“MD5 hashes create a cryptographic identifier for files,” noted security analyst Jon Oltsik in an email. “If any character in a file changes, the hash value changes as well.”
Still, he says, the replacement for MD5 is SHA-2. “Security professionals should make sure that any application that uses file hashing uses SHA-2 and not MD5.”
“CISOs should use these revelations to make certain that MD5 hashes are not being used in any business critical way,” adds John Kindervag, enterprise security analyst at Forrester Research.
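One way to start the check Kindervag describes is to scan a credential table for MD5-sized digests, including the case reported here where a fast hash sits beside a bcrypt hash. This is an added example, not code from the article or from Avid Life Media; the column names and sample rows are constructed, and the match is on value shape only.

```python
import hashlib
import re

# Well-known encodings; these patterns are not taken from the leaked data.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
HEX128_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # 128 bits in hex, the size of an MD5 digest

def classify(value):
    """Label a stored value by its shape: 'bcrypt', 'hex128', or 'other'."""
    if BCRYPT_RE.match(value):
        return "bcrypt"
    if HEX128_RE.match(value):
        return "hex128"
    return "other"

def audit(rows, id_column="id"):
    """Return (row id, column, issue) for every MD5-sized digest found."""
    findings = []
    for row in rows:
        kinds = {c: classify(v) for c, v in row.items()
                 if c != id_column and isinstance(v, str)}
        has_bcrypt = "bcrypt" in kinds.values()
        for column, kind in kinds.items():
            if kind == "hex128":
                issue = "fast_hash_beside_bcrypt" if has_bcrypt else "fast_hash_only"
                findings.append((row[id_column], column, issue))
    return findings

# Constructed sample data (hypothetical column names, placeholder hashes).
SAMPLE_BCRYPT = "$2a$12$" + "A" * 53
SAMPLE_MD5 = hashlib.md5(b"constructed-sample").hexdigest()
SAMPLE_ROWS = [
    {"id": 1, "password": SAMPLE_BCRYPT, "token": SAMPLE_MD5},
    {"id": 2, "password": SAMPLE_BCRYPT, "token": ""},
    {"id": 3, "password": SAMPLE_MD5, "token": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

A 32-character hex value can also be a random token or an unhyphenated UUID, so each finding is a prompt to review the code that writes that column and confirm whether the value is derived from the password.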
As for end users, think about changing passwords on any system you haven’t used in a while (old email, hobby sites, technical support sites etc.) that might have been using MD5. And, of course, use strong passwords and don’t use the same password on more than one site.