Ashley Madison Exposed
In 2015, a subset of the internet was exposed to millions of passwords for an infidelity site. The platform Ashley Madison fell victim to a cybersecurity attack due to their own coding malpractice. User password data, although securely hashed using Bcrypt, was undermined by using a less secure hashing function from the 90’s called MD5. Aside from exposing 11.2 million passwords, credit card info, and personal emails for a platform where users cheat on their “significant” other, the Ashley Madison attack is notable due to how comically simple the exploit was.
Bcrypt is a computationally expensive one way hashing function widely used to store sensitive data, especially passwords. Bcrypt is slow and salted. Being low is highly sought out for this use case to slow down the hackers time to do a single brute force check. Being salted ensures identical passwords don’t result in a hash collision (same passwords won’t output the same hashed value when using a salt). This prevents a hacking strategy of fast brute force guess and check using a precomputed table of values.
MD5 is a fast cryptographic hash. Its intended use case is for low stakes contexts for things such as checksums / non-security integrity. From its speed, MD5 is a poor choice for hashing sensitive data because a hacker wielding a GPU could quickly brute force their password cracking process. In the case of the Ashley Madison attack, developers used both MD5 and Bcrypt to hash sensitive data. When the hackers got ahold of the MD5 and Bcrypt hash, the choice was simple, hack the hash that’s less secure - MD5.
From a web developer’s perspective, the Ashley Madison attack is an entertaining lesson on how a security system is only as strong as its weakest link. As mentioned earlier, it’s not only essential to securely hash passwords prior to transmitting / storing passwords, but only using slow and strong hashes is a best practice for a secure system.