Open Source and information security mailing list archives
 
Date: Fri, 11 Sep 2015 20:26:41 +1000
From: Ben Harris <mail@...rr.is>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] CynoPrime finds AM src.code flaws, AND YOU KNOW WHAT
 HAPPENS NEXT

Did I read it would be 90-95% of the 15 million weakened accounts? Several
million (22M total accounts?) didn't have the weak hash available.

On 11 September 2015 at 19:20, Per Thorsheim <per@...rsheim.net> wrote:

> Well, my post still holds, on the fact that having an account with AM
> doesn't prove anything "illegal" by itself. Unless of course having an
> unverified account with a dating service by itself is morally wrong.
> Legally it's not afaik.
>
> The amount of passwords cracked by @CynoPrime however, and their current
> estimates says they will crack 90-95% of all the passwords - for all
> accounts, I have no doubt AM have completely FUBAR their password
> storage implementation.
>
> .per
>
>
>
> On 11.09.2015 10:41, Christian Heinrich wrote:
> > Per,
> >
> > To be fair MD5AM and MD5AM2 were deprecated as legacy.
> >
> > Would it be reasonable to assume that this sample of accounts are
> > within the scope of your post at
> > https://grahamcluley.com/2015/07/ashley-madison-fake/ ?
> >
> >
> > On Thu, Sep 10, 2015 at 8:51 PM, Per Thorsheim <per@...rsheim.net> wrote:
> >> Clickbait subject and perhaps way off-topic for this list, but the work
> >> done by @CynoPrime in this case is impressive to me, and serves as a
> >> very important reminder on who should, and who should not be allowed to
> >> implement crypto & password storage into any systems.
> >>
> >>
> >> http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
> >>
> >> BR,
> >> Per Thorsheim
> >> PasswordsCon.org
> >
> >
> >
>
>
