Last week, motherboard.com reported that 4000 cracked passwords belonging to Ashley Madison customers were “awful,” security-wise. The site went on to conclude that:
It’s understandable for users to be frustrated with Ashley Madison for failing to protect their data. But when customers are choosing passwords that could probably just be guessed, they need to take some responsibility for their own security.
How bad were these passwords? Well, the usual suspects did make an appearance: 12345, password, abc123, etc. – the type of passwords data security professionals worth their salt would cry over. You can see the list by visiting pxdojo.net.
Notice anything unusual about the three passwords I’ve listed?
Password Requirements Like It’s 1999
One of the things that immediately came to my attention was the password length. Over the past five years or so, security researchers have published papers showing that short passwords are worthless. The last time I checked, an adequate password (in this case, “adequate” is being used in its pejorative sense) was around 15 characters long.
When looking at the cracked Ashley Madison passwords, there are more than a handful of passwords that are only 5 characters long. Plus, many of them were straight-up numbers like 12345. No letters, no special characters, etc.
I thought it odd, so I visited the Ashley Madison site to see what type of password requirements they had for wannabe adulterers and adultery-enablers. In essence, they had no requirements. Passwords have to have at least 5 characters. They max out at 28 characters. There appear to be no requirements for mixing numbers, letters, capitalization, and special characters. Just make sure they’re 5 characters long. That’s all.
In light of this, I find it amazing that, of the list of nearly 4000 cracked passwords, only 417 passwords were 5 characters long:
Let’s face it, this doesn’t mean that Ashley Madison clients were, ahem, “security conscious.” The popularity of passwords longer than the bare minimum could be explained by other factors, such as most words being longer than 5 characters (I don’t know if this is factual; I’m just floating it as a possibility).
But I did notice that a subset of the passwords were non-words like 12345. So, I went through the list and fished out the ones that were numbers-only or nonsensical (like zxcvbnm):
As you can see, even when a person is making up a password from scratch, it tends to be longer than 5 characters. Why? Some of it is, no doubt, because of the keyboard layout. For example, zxcvbnm is the bottom row of a QWERTY keyboard. Likewise, qwertyuiop and 1234567890 are the upper rows. But this fails to explain passwords like 1111111111 (that’s 10 ones).
I can only conclude that people are using passwords that are longer than the required minimum because all the chatter about data security and passwords is finally sinking in. This is something we should be happy about.
Still, password length is not the end-all, be-all of password security. When it comes to passwords, even more important than length is variety. There is a reason why most websites require a password that is at least 6 characters long and uses a mix of upper and lower case letters, numbers, and special characters.
Some will even go as far as to check that the email handle is not used as part of the password, which, unsurprisingly, wasn’t part of Ashley Madison’s password requirements either. One of the commentators at pxdojo.net was doing his own research on the breached passwords, and he posted 18,000 instances where the password was an exact match for the email address.
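To make the post’s points about length, character variety, keyboard-row walks and email-handle reuse concrete, here is an added Python checker (my code, not Ashley Madison’s or the post author’s) that applies those rules to the passwords named above; the 3-of-4 character-class threshold, the home-row entry and the sample list are my own assumptions and constructions.

```python
# Constructed policy checker for the rules the post discusses; not Ashley Madison's code.
AM_MIN_LEN, AM_MAX_LEN = 5, 28   # the only rule the post says Ashley Madison enforced
TYPICAL_MIN_LEN = 6              # the post's "at least 6 characters" baseline
MIN_CLASSES = 3                  # assumption: 3 of 4 classes (upper/lower/digit/special)
# QWERTY rows the post calls out (zxcvbnm, qwertyuiop, 1234567890) plus the home row
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

def char_classes(pw):
    """Set of character classes present in pw."""
    tests = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    return {next((k for k, t in tests.items() if t(c)), "special") for c in pw}

def is_keyboard_walk(pw, min_run=4):
    """True if pw contains min_run adjacent keys from one keyboard row."""
    p = pw.lower()
    return any(row[i:i + min_run] in p
               for row in KEYBOARD_ROWS for i in range(len(row) - min_run + 1))

def check_password(pw, email=None):
    """List of policy failures for pw (empty list means it passes)."""
    problems = []
    if not AM_MIN_LEN <= len(pw) <= AM_MAX_LEN:
        problems.append("outside 5-28 characters")
    if len(pw) < TYPICAL_MIN_LEN:
        problems.append("shorter than 6 characters")
    if len(char_classes(pw)) < MIN_CLASSES:
        problems.append("fewer than 3 character classes")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if email:
        handle = email.split("@", 1)[0].lower()
        if pw.lower() == email.lower():
            problems.append("equals email address")
        elif handle and handle in pw.lower():
            problems.append("contains email handle")
    return problems

# Constructed sample: passwords named in the post plus one that should pass.
SAMPLES = [("12345", None), ("password", None), ("abc123", None), ("zxcvbnm", None),
           ("qwertyuiop", None), ("1111111111", None),
           ("jsmith@example.com", "jsmith@example.com"), ("Tr0ub4dor&3", None)]

def audit(samples=SAMPLES):
    return {pw: check_password(pw, email) for pw, email in samples}

if __name__ == "__main__":
    for pw, problems in audit().items():
        print(f"{pw!r:22} {', '.join(problems) or 'OK'}")
```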
When you consider all the rudimentary things Ashley Madison did not require of their clients’ passwords, I’m not sure if I can agree with motherboard.com’s assessment that “customers [who] are choosing passwords that could probably just be guessed…need to take some responsibility for their own security.”
Rightly or wrongly, people are going to opt for the least hassle when it comes to passwords. We know that this is true; this is why websites put up password requirements. The lack of such requirements is enough to make me wonder if Ashley Madison was taking security seriously.
Fault’s on Ashley Madison, Not the Users
Of course, now that we know that the company set up a bunch of bots to lure men into paying for full access to the site; that pass1234 gave the hackers full access to the company’s servers; that the $19 charge for completely deleting a user’s data from their servers was less than effective, and possibly fraudulent; and a bunch of other accusations… well, it’s obvious that security – or running a legitimate business – was probably not at the top of Ashley Madison’s to-do list.
Indeed, it makes me wonder whether their use of bcrypt to hash passwords was a fluke. Bcrypt is supposedly one of the best methods for hashing passwords because it’s slower than other hashing algorithms. Slow is good when it comes to password hashes: it means an attacker can’t test guesses against the hashed passwords as fast as possible. With bcrypt, you’d find one password in the time other hashes would already have given up 100.
Of course, in this light, the users can be faulted for their own security, as the use of weak passwords means that they’ve also potentially compromised the security at other websites…assuming they’ve been reusing their passwords, which is very highly probable.
Ultimately, though, a data breach is a matter of “when” and not “if.” If you value not being associated with a site like Ashley Madison, the only winning move is not to play.