It’s account-related information that remains at most risk: the metadata of your arrangement with a site that tells them where you live and how to charge your credit card and the like. Companies could potentially put in layers of additional security to segregate that information, but their systems need rapid and automated access to it. When security is breached, that account data is either mostly unencrypted by design or, if it’s protected, crackers can gain access to the same systems that are used to decrypt it for routine use.
While people are chuckling about “cheaters” being exposed, privacy isn’t a movable feast. Snacking on popcorn while searching for one’s neighbors, relatives, and coworkers in one of the databases of Ashley Madison data that have popped up serves only one end: prurience. And there’s really no difference between this data set and dozens of others except that simple fact.
A silver lining
The only bright light of this exposure is that Ashley Madison did a few things right. First, they don’t appear to have disclosed credit-card information that can be used to create new charges, only confirmation details, including the last four digits of a card. (There’s some suspicion that knowing the card type—which defines the first four digits—and the last four digits, plus some available knowledge about how number sequences are used can be used to reconstruct entire card numbers some reasonable percentage of the time, though.)
Second, unlike previous cracks in which passwords were either entirely unprotected or used outdated hashing mechanisms, the company used an encryption algorithm widely recommended for this sort of storage; it’s called bcrypt. It both salts and hashes a password, while also having scalable difficulty, so that as processing power increases, the amount of computational cycles necessary to crack can also be ratcheted higher. (For more on salting, hashing, and proper password protection, see “LastPass was hacked: Here’s what you have to do” from June. LastPass also did the right thing.)
Because of this, any even modestly difficult password will take a substantial amount of time to crack, and each stored password has the same level of difficulty to crack. Even with souped-up systems with piles of GPUs, it could take minutes to hours per account to crack even the simplest passwords. A password with the slightest bit of difference, such as a digit or punctuation mark, might be effectively unrecoverable unless someone focused specific effort over days—or much longer—to break it.
I don’t pretend to make decisions for other people about how they conduct their private relationships, nor do I waggle my finger at folks who want cloud-based access or cloud-based backups and not worry about their stuff being ripped off.
Sign up for Computerworld eNewsletters.