The developers behind Ashley Madison’s infrastructure and users of the extramarital affair website appear to have something in common: poor choices when it comes to use of passwords and other means of authentication.
Gabor Szathmari, a U.K.-based security consultant, wrote in a Monday blog post about how he glanced over the Ashley Madison dump and identified a number of issues such as passwords and other credentials being hard-coded into the source code.
“Their source code contains AWS tokens, database credentials, [SSL] certificate private keys and other secret credentials,” Szathmari wrote, adding that it seems “the developers have hard-coded some Twitter OAuth tokens also into their unit tests.”
The database passwords, Szathmari noted, were between five and eight characters and several contained only two character classes. All of this likely gave the Ashley Madison attackers the ability to move laterally in the network, thus enabling a full breach, he explained.
“One of the security risks of software development is passwords and other credentials hard-coded into the source code,” Szathmari said. “It not only makes password rotation painful, but also exposes the secrets to unwanted people once the code is [committed] into a source code repository.”
Others have noticed how Ashley Madison’s users are not much smarter with their credentials – at least with regard to generating passwords. Hoping to identify user password habits, researchers with Avast took the first million of 36 million passwords and went about cracking them.
Ashley Madison stored all usernames with bcrypt-hashed passwords, meaning cracking the passwords is more challenging and a slow process. To help, Avast used the so-called 500 worst passwords of all-time list and the list of 14 million passwords from the breach of social application site RockYou.
“After about two weeks of runtime, the CPU found 17,217 passwords and the GPU found 9,777, for a total of 26,994; however, 25,393 were unique hashes, meaning that the CPU and GPU redundantly cracked 1,601 hashes,” a Monday post said, going on to add, “Of the 25,393 hashes cracked, there were only 1,064 unique passwords.”
Breaking it down, Avast identified nearly 6,500 uses of ‘123456,’ almost 3,300 uses of ‘password,’ more than 2,000 uses of ‘12345,’ 880 uses of ‘12345678,’ and 768 uses of ‘qwerty.’ For comparison, the top five passwords on the 500 worst passwords list are ‘123456,’ ‘password,’ ‘12345678,’ ‘1234,’ and ‘p*ssy.’
“Everyone’s seen that ‘password’ and ‘123456′ are the most common passwords, but if we extrapolate these results, even though they’re not completely statistically accurate, it means hundreds of thousands – maybe millions – of people used one of those two as their password,” Ross Dickey, senior systems engineer with Avast, told SCMagazine.com in a Tuesday email correspondence.
When it comes to generating credentials, Dickey said that passwords need to be complex, unique and found nowhere in the dictionary, and he added that users should never rely on websites to keep their credentials safe.
“Use a phrase of five or more words that doesn’t make sense, use special characters, and different cases in places that aren’t obvious,” Dickey said, adding that a password manager is also effective. “Another way to make a good random-looking password is to pick words and numbers you can remember, and interleave them.”
Another researcher, Dean Pierce, also took a stab at cracking Ashley Madison user passwords. He cracked 4007 passwords after about five days, only 1,191 of which were unique, he wrote in a blog post. He identified 202 uses of ‘123456,’ 105 uses of ‘password,’ 99 uses of ‘12345,’ 32 uses of ‘qwerty,’ and 31 uses of ‘12345678.’