Monday, September 14, 2015

Ashley Madison - Moral of the story: even the best security tool will not save you if you implement it badly.


All security folks know this.

A secure product will not protect you if you configure it wrongly, or if the code around it undoes what the product protects.

Ashley Madison is another sad story of a team that failed to understand this.



From the article:

The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days.

Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

The bcrypt configuration used by Ashley Madison was set to a "cost" of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function. If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault.
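The following is an added example written for this post, not Ashley Madison's code and not the article's. It shows the pattern the quote describes: a password hashed with a slow algorithm at cost 12, stored next to a login token derived from the same password with MD5. The exact $loginkey construction is not given on this page, so the token below (MD5 over the lowercased username and password) is an assumption for illustration. It uses the third-party bcrypt module when installed and otherwise substitutes PBKDF2 with 4,096 iterations as a stand-in of similar cost (also an assumption, labelled in the code). The attacker never touches the slow hash until the cheap token has already given away the password; the only work left for bcrypt is recovering letter case.

```python
"""Added example: a fast-hash side token defeats a slow password hash.

Assumptions (not from the original page): the weak_loginkey() construction,
the constructed WORDLIST, and PBKDF2-4096 as a stand-in when bcrypt is absent.
"""
import hashlib
import hmac
import itertools
import os
import secrets
from typing import Optional, Tuple

try:
    import bcrypt  # third-party; used if installed
except ImportError:  # stand-in so the example still runs offline
    bcrypt = None

BCRYPT_COST = 12  # 2**12 = 4,096 rounds, as in the quoted article


def slow_hash(password: str) -> bytes:
    """bcrypt at cost 12 when available; otherwise PBKDF2-HMAC-SHA256 with
    2**12 iterations stands in (assumption: comparable per-guess cost)."""
    if bcrypt is not None:
        return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=BCRYPT_COST))
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** BCRYPT_COST)
    return b"$pbkdf2$" + salt.hex().encode() + b"$" + dk.hex().encode()


def slow_verify(password: str, stored: bytes) -> bool:
    """One expensive check; this is the cost the attacker wants to avoid paying per guess."""
    if bcrypt is not None:
        return bcrypt.checkpw(password.encode(), stored)
    _, _, salt_hex, dk_hex = stored.split(b"$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex.decode()), 2 ** BCRYPT_COST)
    return hmac.compare_digest(dk.hex().encode(), dk_hex)


def weak_loginkey(username: str, password: str) -> str:
    """The flaw pattern: a token derived from the password with a fast hash.
    Assumed construction; it also throws away letter case."""
    return hashlib.md5(f"{username.lower()}::{password.lower()}".encode()).hexdigest()


def safe_loginkey() -> str:
    """Fix: a random session token that carries no information about the password."""
    return secrets.token_hex(16)


def make_account(username: str, password: str) -> dict:
    """A stored row as the vulnerable design would write it."""
    return {"user": username,
            "pwhash": slow_hash(password),
            "loginkey": weak_loginkey(username, password)}


def crack_via_loginkey(username: str, loginkey: str, wordlist) -> Tuple[Optional[str], int]:
    """Attack step 1: MD5 each candidate against the leaked token (microseconds each).
    Returns (lowercased password, number of guesses tried)."""
    n = 0
    for n, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(weak_loginkey(username, guess), loginkey):
            return guess, n
    return None, n


def recover_case(lowercased: str, stored: bytes) -> Tuple[Optional[str], int]:
    """Attack step 2: the only bcrypt work left is a handful of case variants.
    Returns (full password, number of slow checks spent)."""
    options = [(c, c.upper()) if c.isalpha() else (c,) for c in lowercased]
    n = 0
    for n, chars in enumerate(itertools.product(*options), 1):
        candidate = "".join(chars)
        if slow_verify(candidate, stored):
            return candidate, n
    return None, n


# Constructed wordlist: 1,000 filler words with the real password at position 731.
WORDLIST = [f"word{i}" for i in range(1000)]
WORDLIST[730] = "pa55w0rd!"


if __name__ == "__main__":
    row = make_account("Alice", "Pa55w0rd!")
    lower, cheap = crack_via_loginkey(row["user"], row["loginkey"], WORDLIST)
    full, expensive = recover_case(lower, row["pwhash"])
    print(f"MD5 guesses: {cheap}, slow-hash checks: {expensive}, password: {full}")
    print("fixed token (random, unrelated to password):", safe_loginkey())
```

The ratio in the last line is the whole story: hundreds of thousands of cheap MD5 guesses would have been needed against the token, but only a dozen or so cost-12 checks, against a search that bcrypt alone would have made take years.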





For more info:
