Message-ID: <CAMGgT5DAyCjCpQTjUMXNgDLHY2gqj_L3tcDrEnqKDacS0c4QYA@mail.gmail.com>
Date: Thu, 20 Aug 2015 13:15:00 +0200
From: François <francois.pesce@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Anyone looked at the Ashley Madison data yet?

Hello guys, @JokFP here.

I've got ~300 passwords cracked after 12 hours using single mode cracking.
It's not great, but I'm really not spending much CPU money on it.

It's not really fast, and passwords found are *really* weak:
it looks like there was no password requirement at all. Some of them are 5
letters or very common pass from pass lists like "shadow", others are equal
to the nickname used.

Based on these preliminary results, I'm afraid that launching a top-500
passwords attack with no or simple rules (like append 1, append 0-9, etc.)
might probably be effective (maybe on the order of hundreds of thousands to
millions of accounts compromised).

Examples of passwords found by single mode here: 01050105 101196 111223344
14789a 42ashley 4444bud 774tsews 8519namor 96onepalajj 987654321reppiz
aa12358 aaaaaa ABCDEFG alexas Anderson2020 anglesmith1 arzu1299 asd1234
asdasd Attili69 ax987 barrios bbuckup beast BENJE22 bin2001 bitefor burrell
capriforlife Carloseduardo12587 chocolatudos CLONE69 colby123 coppy400
curry daniel DAVID888 DDS0011 dengo87 dennis6792 diogo dkgkd dogbait
eddieet ENALIAM evair Gabi1919 GATITO gemmer ghj9635 gj4237 gjb0009 goalin
hg5758 HIANZ hotbabe hothot hulkman johnfix jorgegonzalez2015 k612309
kanenas krish12 ksj4860 kupal Laurent lebron limaj logan lolilol loyiso
maddmaxx Marcelo MARK111 masexi mati142 Matyone mikgarcia mimiacy mono071
monte morenosc nicolay777 nidaerep okim3650 pecas pikachu piropiro pyrek89
qhdrnTl qwe44444 ram3131 raulromero richarddelk rober roberto roquette
rrxxpp S7762639 sergvs sexpots shaan stephanie StlefStlef tazman69 Testing
thalish tjh18 udomsin VE2015N vic7781 vox51 wlswogh www2095 xuxiding xxcvb
ydw2da yesyouashley z50180 zakizak znlived Zuluboi

Francois Pesce

On Thu, Aug 20, 2015 at 1:10 AM, Rich Rumble <richrumble@...il.com> wrote:

> On Wed, Aug 19, 2015 at 6:33 PM, Solar Designer <solar@...nwall.com>
> wrote:
> > On Wed, Aug 19, 2015 at 05:25:22PM -0500, Jerry Kemp wrote:
> >> Wondering if anyone has looked at the Ashley Madison data dump yet?
> >>
> >> According to this article:
> >>
> >> <http://arstechnica.com/security/2015/08/data-from-hack-of-ashley-madison-cheater-site-purportedly-dumped-online/>
> >>
> >> The dump contains 10 Gb of data and passwds are in the bcrypt format.
> >
> > I haven't looked at the dump, but I tweeted a summary of other tweets:
> >
> > <solardiz> Ashley Madison is 36.1M bcrypt cost 12 salts so 1 CPU-week/password, says @jmgosney; dozens already cracked with "john -single", says @JokFP
> >
> > In other words: strong hashes, but many weak passwords.  The weak
> > passwords are crackable, but slowly.  The stronger passwords are only
> > potentially crackable in a targeted attack (on a specific user), but
> > won't likely be cracked in typical mass password dump cracking fun that
> > we've seen for other mass password hash leaks.  This one is different.
> > It's probably the largest bcrypt hash leak so far.
> >
> A small sample appeared on Twitter:
> https://twitter.com/sambowne/status/633754116804620288
>
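The weaknesses François reports (no length requirement, list words like "shadow", passwords equal to the nickname, and trivial "append 1" / "append 0-9" variants) are exactly what a registration-time check should refuse. The following is an added example written for this archive page, not code from the thread or from John the Ripper; the small common-password set, the minimum length of 8 and the four-digit suffix/prefix rule are assumptions chosen to mirror the observations above.

```python
"""Registration-time password check modelling the weak patterns seen in the thread.

Added example: the list, MIN_LENGTH and MAX_RULE_DIGITS are assumed values, not
anything from the dump or from the mailing list.
"""
import re

# Constructed stand-in for a "top-500" list; a real deployment loads a big one.
COMMON_PASSWORDS = {
    "shadow", "password", "123456", "qwerty", "letmein", "abc123", "monkey",
    "dragon", "iloveyou", "ashley", "123456789", "987654321", "aaaaaa",
}
MIN_LENGTH = 8         # assumed policy value
MAX_RULE_DIGITS = 4    # digits a simple "append 0-9"/"prepend 0-9" rule adds

_SUFFIX = re.compile(r"\d{1,%d}$" % MAX_RULE_DIGITS)
_PREFIX = re.compile(r"^\d{1,%d}" % MAX_RULE_DIGITS)


def base_forms(password: str) -> list:
    """Return the normalised forms a rule-based guess would have started from:
    the lowercase password itself, and it with short digit runs stripped."""
    lowered = password.lower()
    forms = [lowered, _SUFFIX.sub("", lowered), _PREFIX.sub("", lowered)]
    return list(dict.fromkeys(f for f in forms if f))   # dedupe, keep order


def check_password(password: str, nickname: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    nick = nickname.lower()
    forms = base_forms(password)
    # "equal to the nickname used": exact match, or the nickname embedded in a
    # longer password (only for nicknames long enough to be meaningful).
    if any(f == nick or (len(nick) >= 4 and nick in f) for f in forms):
        problems.append("contains nickname")
    # A top-N word, possibly dressed up with a few digits, falls to the
    # "top-500 + simple rules" run described above.
    if any(f in COMMON_PASSWORDS for f in forms):
        problems.append("common password (or common password plus digits)")
    return problems


if __name__ == "__main__":
    for pw, nick in [("shadow", "bob"), ("shadow2015", "bob"),
                     ("42ashley", "ashley"), ("Correct-Horse-Battery", "bob")]:
        print(pw, "->", check_password(pw, nick) or "accepted")
```

The normalisation only undoes the digit rules named in the thread; a production check should also run the candidate through a proper large-list or zxcvbn-style estimator.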
