Deciphering Ashley Madison Passwords
A month ago, more than 36 million password hashes of users of the site for adultery Ashley Madison got into open access. You can download the database, for example, from this torrent (also dump number 2 and dump number 3 on the darknet via the gate).
Passwords are processed by bcrypt hash functions. At first glance, such protection seems relatively reliable. But the experts from the CynoSure Prime hacker group decided not to bluntly bcrypt stupidly, but to dig into the source code of the Ashley Madison backend and frontend (the sources are available at the above torrent). They studied the hashing algorithm itself.
Search source code gave the result. As it turned out, the hashes themselves were encrypted with bcrypt, but two insecure methods using MD5 were used to create the
$loginkey variable. Thus, instead of bruteforce hash bcrypt directly, what the whole Internet is doing now, hackers have directed their efforts at bruteforce weak tokens md5(lc($username).”::”.lc($pass)) and md5(lc($username).”::”.lc($pass).”:”.lc($email).”:73@^bhhs&#@&^@8@*$”) .
')
From the code in the
amlib_member_create.function.php file (lines 69, 70), it became clear that the $loginkey variable is generated by MD5 hashing of the user name and password in lower case. Before the code change on June 14, 2012, all the hashes can be opened by simply hacking MD5.
Similarly, another method of generating
$loginkey , which is specified in the AccountProvider.php code.
The hacker group has not laid out the decoded passwords, but anyone can get them on their own, following the published instructions .
Later, CynoSure Prime revealed interesting statistics on Ashley Madison passwords.
First, here are the Top 100 most popular passwords and the number of entries of each of them.
Top 100 most popular passwords
| Password | Number of users |
|---|---|
| 123456 | 120511 |
| 12345 | 48452 |
| password | 39448 |
| DEFAULT | 34275 |
| 123456789 | 26620 |
| qwerty | 20778 |
| 12345678 | 14172 |
| abc123 | 10869 |
| pussy | 10683 |
| 1234567 | 9468 |
| 696969 | 8801 |
| ashley | 8793 |
| fuckme | 7893 |
| football | 7872 |
| baseball | 7710 |
| fuckyou | 7458 |
| 111111 | 7048 |
| 1234567890 | 6572 |
| ashleymadison | 6213 |
| password1 | 5959 |
| madison | 5219 |
| asshole | 5052 |
| superman | 5023 |
| mustang | 4865 |
| harley | 4815 |
| 654321 | 4729 |
| 123123 | 4612 |
| hello | 4425 |
| monkey | 4296 |
| 000000 | 4240 |
| hockey | 4191 |
| letmein | 4140 |
| 11111 | 4077 |
| soccer | 3936 |
| cheater | 3908 |
| kazuga | 3871 |
| hunter | 3869 |
| shadow | 3831 |
| michael | 3743 |
| 121212 | 3713 |
| 666666 | 3704 |
| I love you | 3671 |
| qwertyuiop | 3599 |
| secret | 3522 |
| buster | 3402 |
| horny | 3389 |
| jordan | 3368 |
| hosts | 3295 |
| zxcvbnm | 3280 |
| asdfghjkl | 3174 |
| affair | 3156 |
| dragon | 3152 |
| 987654 | 3123 |
| liverpool | 3087 |
| bigdick | 3058 |
| sunshine | 3058 |
| yankees | 2995 |
| asdfg | 2981 |
| freedom | 2963 |
| batman | 2935 |
| whatever | 2882 |
| charlie | 2860 |
| fuckoff | 2794 |
| money | 2686 |
| pepper | 2656 |
| jessica | 2648 |
| asdfasdf | 2617 |
| 1qaz2wsx | 2609 |
| 987654321 | 2606 |
| andrew | 2549 |
| qazwsx | 2526 |
| dallas | 2516 |
| 55555 | 2501 |
| 131313 | 2498 |
| abcd1234 | 2489 |
| anthony | 2487 |
| steelers | 2470 |
| asdfgh | 2468 |
| jennifer | 2442 |
| killer | 2407 |
| cowboys | 2403 |
| master | 2395 |
| jordan23 | 2390 |
| robert | 2372 |
| maggie | 2357 |
| looking | 2333 |
| thomas | 2331 |
| george | 2330 |
| matthew | 2298 |
| 7777777 | 2294 |
| amanda | 2273 |
| summer | 2263 |
| qwert | 2263 |
| princess | 2258 |
| ranger | 2252 |
| william | 2245 |
| corvette | 2237 |
| jackson | 2227 |
| tigger | 2224 |
| computer | 2212 |
Further - more interesting. The analysis showed that more than 630,000 passwords coincide with the username . That is, even without exploiting weaknesses in the hashing algorithm, these passwords are easy to recover.
But the most interesting passwords. They are not included in the list of Top 100 popular, but show a funny way of thinking of some users. The list is just for fun.
These think that adding a few words makes the password more secure.
mypasswordispassword
superhardpassword
thebestpasswordever
thisisagoodpassword
Doubt their decision to register on the site for adultery
ishouldnotbedoingthis
ithinkilovemywife
thisiswrong
whatthehellamidoing
whyareyoudoingthis
cheatersneverprosper
donteventhinkaboutit
isthisreallyhappening
Cheating without hesitation
likeimreallygoingtocheat
justcheckingitout
justtryingthisout
goodguydoingthewrongthing
Confused the site for cheating from dating sites
lookingfornewlife
friendswithbenefits
Doubt the professionalism of hackers
youwillneverfindout
youwillnevergetthis
secretissafewithme
Passwords from the xkcd comic (https://xkcd.com/936/)
batteryhorsestaple
correcthorsebatterystaple
Someone foresaw the activity of hackers and wants to hide
nothingfound
theywererobots
nobodyhere
Other jokes
everynameitriedwastaken
allthegoodpasswordshavegone
lickemlikeshelikesit
lildickinyourpussyn0w
satisfactionwithlicking
blackfromthewaistdown
smalldickbuthardworker
Source: https://habr.com/ru/post/356856/
All Articles