Ashley Madison users chose passwords like "whyareyoudoingthis"


Always prepare for the moment when your password is discovered.



So did they crack these passwords using their awesome cracking skills? Or were they stored in plaintext? If you’re able to brute-force a 15-letter password, are you really going to use that against… Ashley Madison? I’d save it for robbing banks and launching missiles.


The linked article provides a lot of clues about that.

  • Clearly not plaintext, or there would be no ‘cracking’ at all.
  • “Note that we crack passwords in gradual increasing complexity” - so that implies a dictionary attack of known passes, followed by brute-force phrase combos I guess. Not 15-character combos (70^15), but 3-4 word combos (200,000^4, but really much less)
  • And chunking through it at a fair clip means the passes are possibly unsalted, but most likely salted with a single known key.

Cracking a few million passes once you’ve got read-access to the whole lot moves at a very different pace from targeting one single pass for one single user - which is the usual described scenario.
The leaked-table brute force attack doesn’t hammer individual accounts one after the other like a mentalist trying to guess a volunteer's birthday; instead it makes up a guess and checks to see if anyone in the room has that birthday - which is a much quicker way to get hits up front.

(I’ll now shut up about crypto as that’s probably the most hand-wavy and incorrect way of describing the actual process ever posted)


ArsTechnica has an in-depth technical explanation, but the gist of it is that they were actually cracked. Although all accounts used bcrypt to obfuscate the passwords, some accounts also had an extra field that used an MD5 hashed version of the password. Since MD5 was built for speed, hackers were able to easily brute force these passwords.

This was only possible because Ashley Madison used a weak algorithm for protecting some (but not all) passwords. Any system with truly important and valuable data would (or at least should) be using better algorithms that are much harder to crack and wouldn’t be vulnerable to the same kinds of cracking methods.
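As an added illustration of the point above (this is example code, not anything from the thread or the Ars article): a small measurement of why a fast hash stored next to a slow one sets the real cost of an offline guess. Python's stdlib scrypt stands in for bcrypt here (an assumption), and the salt, record layout and guess strings are constructed for the example.

```python
import hashlib
import time

SALT = b"constructed-salt"  # fixed salt, constructed for this example only


def md5_field(pw: str) -> str:
    """Unsalted MD5, modelling the fast 'extra field' the thread describes."""
    return hashlib.md5(pw.encode()).hexdigest()


def slow_field(pw: str) -> str:
    """Stdlib scrypt stands in for bcrypt (assumption); cost parameters are illustrative."""
    return hashlib.scrypt(pw.encode(), salt=SALT, n=2**14, r=8, p=1, dklen=32).hex()


def seconds_per_guess(hash_fn, reps: int) -> float:
    """Time `reps` calls of hash_fn on distinct inputs and return the average cost of one guess."""
    start = time.perf_counter()
    for i in range(reps):
        hash_fn(f"guess-{i}")
    return (time.perf_counter() - start) / reps


# Per-guess timers for each field a record might carry. Repetition counts are
# scaled so each measurement takes well under a second.
FIELD_TIMERS = {
    "md5": lambda: seconds_per_guess(md5_field, 20000),
    "scrypt": lambda: seconds_per_guess(slow_field, 5),
}


def weakest_link(record: dict) -> tuple:
    """Return (field_name, seconds_per_guess) for the cheapest hash present in a
    stored credential record; that field sets the effective cost of an offline guess,
    regardless of how strong the other fields are."""
    costs = {name: FIELD_TIMERS[name]() for name in record if name in FIELD_TIMERS}
    name = min(costs, key=costs.get)
    return name, costs[name]


def slowdown_factor(record: dict) -> float:
    """How many times more expensive the strongest field is than the weakest one."""
    costs = {name: FIELD_TIMERS[name]() for name in record if name in FIELD_TIMERS}
    return max(costs.values()) / min(costs.values())


if __name__ == "__main__":
    # Constructed record: a bcrypt-style field plus the MD5 companion field.
    record = {"scrypt": slow_field("whyareyoudoingthis"), "md5": md5_field("whyareyoudoingthis")}
    print(weakest_link(record), f"slowdown lost: {slowdown_factor(record):.0f}x")
```

Removing the "md5" key from the record makes the slow field the weakest link, which is the only configuration where the slow hash actually buys anything.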
