As catastrophic as the hack of extramarital affairs site Ashley Madison is, it could have been a lot worse. Although the email addresses of a purported 37 million users were leaked online, at least their passwords were hashed.
But for some that might not be much of a reassurance. One researcher claims to have cracked around 4,000 passwords from the data dump, and it looks like many of them are just terrible. The top two passwords in the sample, perhaps unsurprisingly, were "123456" and "password."
"When the Ashley Madison database first got dumped, there was an interesting contingent of researchers talking about how pointless it would be to crack the passwords, since Ashley Madison was using salted bcrypt with a cost of 12," researcher Dean Pierce wrote on his cryptography and Bitcoin blog. Bcrypt is a hashing function, that, as pointed out by Errata Security's Robert Graham, is stronger than some more common variants.
Other passwords on the list included 'qwerty,' 'ashley,' and, curiously, 'fuckme' and 'fuckyou.'
However, Graham also noted that "Hackers will be able to 'crack' many of these passwords when users chose weak ones."
That is exactly what Pierce found. After firing up a fairly standard cracking rig bought for $1500, he started to grind through the passwords. "After five days and three hours, I hit 4,000 passwords, which I figured was a good time to stop," he writes.
But worryingly, out of those 4,000, only 1,191 passwords were unique, and the 20 most popular were truly abysmal.
Other passwords on the list included "qwerty," "ashley," and, curiously, "fuckme" and "fuckyou." It's worth emphasising that this research only dealt with 4,000 passwords out of 37 million, so cannot be treated as representative of the whole data dump.
It's understandable for users to be frustrated with Ashley Madison for failing to protect their data. But when customers are choosing passwords that could probably just be guessed, they need to take some responsibility for their own security.