Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 20 Aug 2015 11:27:36 -0400
From: Matt Weir <cweir@...edu>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: Anyone looked at the Ashley Madison data yet?

What's more interesting to me are the 1324 corporate NT hashes that were
contained in the dump. From a very quick cracking session it looks like
they were created with a password creation policy in place that required
all passwords to be at least seven characters long and contain at least one
uppercase character and one digit. From a research perspective this is very
useful since I don't know of any other publicly available corporate
password set like this.

Matt

On Thu, Aug 20, 2015 at 7:15 AM, François <francois.pesce@...il.com> wrote:

> Hello guys, @JokFP here.
>
> I've got ~300 passwords cracked after 12 hours using single mode cracking.
> It's not great, but I'm really not spending much CPU money on it.
>
> It's not really fast, and passwords found are *really* weak:
> it looks like there was no password requirement at all. Some of them are 5
> letters or very common pass from pass lists like "shadow", others are equal
> to the nickname used.
>
> Based on this preliminary results, I'm afraid that launching a top-500
> passwords attack with no or simple rules (like append 1, append 0-9 etc.)
> might be probably effective (maybe in the order of hundred of thousand to
> million accounts compromised).
>
> Examples of password found by single mode here: 01050105 101196 111223344
> 14789a 42ashley 4444bud 774tsews 8519namor 96onepalajj 987654321reppiz
> aa12358 aaaaaa ABCDEFG alexas Anderson2020 anglesmith1 arzu1299 asd1234
> asdasd Attili69 ax987 barrios bbuckup beast BENJE22 bin2001 bitefor burrell
> capriforlife Carloseduardo12587 chocolatudos CLONE69 colby123 coppy400
> curry daniel DAVID888 DDS0011 dengo87 dennis6792 diogo dkgkd dogbait
> eddieet ENALIAM evair Gabi1919 GATITO gemmer ghj9635 gj4237 gjb0009 goalin
> hg5758 HIANZ hotbabe hothot hulkman johnfix jorgegonzalez2015 k612309
> kanenas krish12 ksj4860 kupal Laurent lebron limaj logan lolilol loyiso
> maddmaxx Marcelo MARK111 masexi mati142 Matyone mikgarcia mimiacy mono071
> monte morenosc nicolay777 nidaerep okim3650 pecas pikachu piropiro pyrek89
> qhdrnTl qwe44444 ram3131 raulromero richarddelk rober roberto roquette
> rrxxpp S7762639 sergvs sexpots shaan stephanie StlefStlef tazman69 Testing
> thalish tjh18 udomsin VE2015N vic7781 vox51 wlswogh www2095 xuxiding xxcvb
> ydw2da yesyouashley z50180 zakizak znlived Zuluboi
>
> Francois Pesce
>
> On Thu, Aug 20, 2015 at 1:10 AM, Rich Rumble <richrumble@...il.com> wrote:
>
> > On Wed, Aug 19, 2015 at 6:33 PM, Solar Designer <solar@...nwall.com>
> > wrote:
> > > On Wed, Aug 19, 2015 at 05:25:22PM -0500, Jerry Kemp wrote:
> > >> Wondering if anyone has looked at the Ashley Madison data dump yet?
> > >>
> > >> According to this article:
> > >>
> > >> <
> >
> http://arstechnica.com/security/2015/08/data-from-hack-of-ashley-madison-cheater-site-purportedly-dumped-online/
> > >
> > >>
> > >> The dump contains 10 Gb of data and passwds are in the bcrypt format.
> > >
> > > I haven't looked at the dump, but I tweeted a summary of other tweets:
> > >
> > > <solardiz> Ashley Madison is 36.1M bcrypt cost 12 salts so 1
> > CPU-week/password, says @jmgosney; dozens already cracked with "john
> > -single", says @JokFP
> > >
> > > In other words: strong hashes, but many weak passwords.  The weak
> > > passwords are slowly, but crackable.  The stronger passwords are only
> > > potentially crackable in a targeted attack (on a specific user), but
> > > won't likely be cracked in typical mass password dump cracking fun that
> > > we've seen for other mass password hash leaks.  This one is different.
> > > It's probably the largest bcrypt hash leak so far.
> > >
> > Small sample appeared in twitter:
> > https://twitter.com/sambowne/status/633754116804620288
> >
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.