Message-ID: <20150819223317.GA21184@openwall.com>
Date: Thu, 20 Aug 2015 01:33:17 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Anyone looked at the Ashley Madison data yet?

On Wed, Aug 19, 2015 at 05:25:22PM -0500, Jerry Kemp wrote:
> Wondering if anyone has looked at the Ashley Madison data dump yet?
> 
> According to this article:
> 
> <http://arstechnica.com/security/2015/08/data-from-hack-of-ashley-madison-cheater-site-purportedly-dumped-online/>
> 
> The dump contains 10 Gb of data and passwds are in the bcrypt format.

I haven't looked at the dump, but I tweeted a summary of other tweets:

<solardiz> Ashley Madison is 36.1M bcrypt cost 12 salts so 1 CPU-week/password, says @jmgosney; dozens already cracked with "john -single", says @JokFP

In other words: strong hashes, but many weak passwords.  The weak
passwords are crackable, albeit slowly.  The stronger passwords are only
potentially crackable in a targeted attack (on a specific user), but
won't likely be cracked in typical mass password dump cracking fun that
we've seen for other mass password hash leaks.  This one is different.
It's probably the largest bcrypt hash leak so far.

Alexander
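
The arithmetic behind the figures quoted in the message, as an added example that is not part of the original post: it parses bcrypt strings, counts distinct salts, and estimates the CPU time to test one candidate password against all of them. The function names and sample hashes are constructed for illustration, and reading "1 CPU-week/password" as one candidate tested against every salt is an assumption.

```python
import re

# Layout of a bcrypt string: $2<variant>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$([./A-Za-z0-9]{22})[./A-Za-z0-9]{31}$")

LEAK_SALTS = 36_100_000      # "36.1M bcrypt cost 12 salts" (figure from the message)
CPU_WEEK = 7 * 24 * 3600     # "1 CPU-week/password" (figure from the message)

def parse_bcrypt(line):
    """Return (cost, salt) for a well-formed bcrypt string, else None."""
    m = BCRYPT_RE.match(line.strip())
    if not m or not 4 <= int(m.group(1)) <= 31:
        return None
    return int(m.group(1)), m.group(2)

def sweep_seconds(hashes, sec_per_hash_cost12):
    """CPU seconds to test ONE candidate password against every hash.

    Each distinct (cost, salt) pair needs its own bcrypt computation, so
    nothing is shared between users, and bcrypt runs 2**cost key-setup
    rounds, so the time doubles with every cost step.
    """
    distinct = {p for p in map(parse_bcrypt, hashes) if p is not None}
    return sum(sec_per_hash_cost12 * 2.0 ** (cost - 12) for cost, _ in distinct)

def implied_sec_per_hash(salts=LEAK_SALTS, sweep=CPU_WEEK):
    """Per-hash time implied by the message's two figures (assumed reading)."""
    return sweep / salts

# Constructed sample input: placeholder salts and hashes, not real data.
SAMPLE = [
    "$2a$12$" + "A" * 22 + "x" * 31,
    "$2a$12$" + "B" * 22 + "y" * 31,
    "$2a$12$" + "A" * 22 + "x" * 31,   # repeated salt: costs nothing extra
    "$2a$10$" + "C" * 22 + "z" * 31,   # cost 10: a quarter of the cost-12 work
    "not-a-bcrypt-string",             # malformed line: ignored
]

if __name__ == "__main__":
    per_hash = implied_sec_per_hash()
    print(f"implied time per cost-12 hash: {per_hash * 1000:.2f} ms")
    print(f"one candidate over SAMPLE: {sweep_seconds(SAMPLE, per_hash):.4f} s")
    # A 1000-word list swept over every salt, in CPU-years:
    print(f"1000 candidates over the leak: {1000 * CPU_WEEK / (365 * 86400):.1f} CPU-years")
```
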
