Message-ID: <CAMtf1HuxWdNcb9JiOVwXfO9epzOkETErUGLCg_d-F6C75jTTxQ@mail.gmail.com>
Date: Fri, 11 Sep 2015 20:26:41 +1000
From: Ben Harris <mail@...rr.is>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] CynoPrime finds AM src.code flaws, AND YOU KNOW WHAT HAPPENS NEXT

Did I read it would be 90-95% of the 15 million weakened accounts? Several
million (22M total accounts?) didn't have the weak hash available.
On 11 September 2015 at 19:20, Per Thorsheim <per@...rsheim.net> wrote:
> Well, my post still holds, on the fact that having an account with AM
> doesn't prove anything "illegal" by itself. Unless of course having an
> unverified account with a dating service by itself is morally wrong.
> Legally it's not afaik.
>
> The amount of passwords cracked by @CynoPrime however, and their current
> estimates say they will crack 90-95% of all the passwords - for all
> accounts, I have no doubt AM have completely FUBAR their password
> storage implementation.
>
> .per
>
>
>
> On 11.09.2015 10:41, Christian Heinrich wrote:
> > Per,
> >
> > To be fair MD5AM and MD5AM2 were deprecated as legacy.
> >
> > Would it be reasonable to assume that this sample of accounts are
> > within the scope of your post at
> > https://grahamcluley.com/2015/07/ashley-madison-fake/ ?
> >
> >
> > On Thu, Sep 10, 2015 at 8:51 PM, Per Thorsheim <per@...rsheim.net> wrote:
> >> Clickbait subject and perhaps way off-topic for this list, but the work
> >> done by @CynoPrime in this case is impressive to me, and serves as a
> >> very important reminder on who should, and who should not be allowed to
> >> implement crypto & password storage into any systems.
> >>
> >>
> >> http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
> >>
> >> BR,
> >> Per Thorsheim
> >> PasswordsCon.org
> >
> >
> >
>
>