Rethinking Passwords: the Ashley Madison Hack

Images licensed via Creative Commons

On August 18, 2015, a group calling itself the Impact Team dumped the data it had stolen from AshleyMadison.com, exposing roughly 33 million of the site's 36 million user email addresses.  This lewd and lascivious site, designed for married people to meet other married people online and engage in previously anonymous, adulterous sexcapades (i.e. affairs), was hacked.  The group had threatened to release all 36 million records unless Ashley Madison and its sister site “Established Men” were taken offline.  And now, as you sit here today, the average American with an internet connection can see whether their dear husbands/wives were part of this data dump.

Angela Moscaritolo, a writer for PC Mag, unveiled a simple way to find out whether your special honey has an Ashley Madison account.  A programmer with the Twitter handle @hilare_belloc created a tool that lets you quickly check whether a particular email address is on the list. Simply head over to ashley.cynic.al/, enter the email address you want to check, and press the Search button. That covers the first 33 million addresses.

Would you like to know why, once the database was out, it was so easy for the hackers to recover the passwords of these philanderers?

Approximately 24 million of the roughly 36 million accounts leaked online had verified email addresses. Although Ashley Madison’s ethical underpinnings and business operations were questioned, the firm allegedly used “robust and respected encryption for its user passwords,” as Natasha Lomas, for TechCrunch, reported in her article, “Ashley Madison Hack Latest Reminder that Stupid Passwords are Stupid.”

However, one of my favorite sayings is, “you can’t fix stupid.”  This applies squarely to the Ashley Madison hack.

Even passwords protected by bcrypt, a deliberately slow, salted password hash (what TechCrunch loosely calls “encryption”), can be recovered if the user chooses a stupid, obvious password.  The slowness raises the cost of each guess, but it does nothing when an attacker only needs a handful of guesses: hash each entry of a short list of common passwords, compare, done.  That is how the top one, “123456”, fell, followed by “password” as the number two choice and “12345” as number three.  According to Natasha Lomas, “Avast security firm has been able to crack 25,393 hashes - out of which it says there were only 1,064 unique passwords.”

The top-ranked Ashley Madison passwords are slightly hilarious to an outsider, and raise the question of whether it was nerves, sex drive, or pure stupidity that generated the following list of ridiculously obvious passwords.  Ms. Lomas, in her TechCrunch article, revealed the top 20, and I’d like to share them with you for your edification regarding password privacy and for your entertainment post Labor Day, after a long weekend.  The top 20 passwords are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty (the top row of letters on a keyboard, typed in order)
  6. pussy
  7. secret (as in “secret password?”)
  8. dragon
  9. welcome (to identity theft…)
  10. ginger
  11. sparky (the first adjective used on the list)
  12. helpme (clearly)
  13. blowjob (I was surprised this one ranked so low on the totem pole)
  14. nicole (why not Ashley?)
  15. justin
  16. camaro (average car of the average user?)
  17. johnson (does this indicate a British contingent?)
  18. yamaha (no clue- motorcycle or piano do you think?)
  19. midnight (when the cheating occurred)
  20. chris
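To make concrete the point above, that a slow hash such as bcrypt cannot save a password that appears on a twenty-entry list, here is an added example (not code from the article, TechCrunch or Avast).  It stores passwords with a random per-user salt and a slow derivation, then runs the same dictionary attack the crackers ran, using the top-20 list above as the wordlist.  One assumption: bcrypt itself needs a third-party library, so the block uses the standard library's PBKDF2-HMAC-SHA256 with a high iteration count as the slow salted hash; the lesson is identical.  The final function is the defensive counterpart, rejecting a password at signup if it appears on a known-weak list (a constructed blocklist here, seeded from the same top 20).

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Constructed sample data: the top-20 Ashley Madison passwords as reported by
# TechCrunch, used here as the attacker's wordlist and as a signup blocklist.
TOP20: List[str] = [
    "123456", "password", "12345", "12345678", "qwerty", "pussy", "secret",
    "dragon", "welcome", "ginger", "sparky", "helpme", "blowjob", "nicole",
    "justin", "camaro", "johnson", "yamaha", "midnight", "chris",
]

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt as the slow, salted hash.
# The iteration count plays the role of bcrypt's work factor and is chosen so
# the demo finishes in a few seconds.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage: random per-user salt, slow derivation."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(salt: bytes, digest: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline attack on one leaked (salt, digest): try each guess in order.

    Returns (recovered_password_or_None, number_of_guesses_made). The salt
    stops precomputed tables, and the slow hash makes each guess expensive,
    but neither matters when the answer is within the first twenty guesses.
    """
    for guesses, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest):
            return guess, guesses
    return None, len(wordlist)


def is_blocked(password: str, blocklist: List[str] = TOP20) -> bool:
    """Signup-time check: refuse any password on the known-weak list (case-insensitive)."""
    return password.lower() in {p.lower() for p in blocklist}


if __name__ == "__main__":
    # "correct horse battery staple" is a constructed example of a passphrase
    # that is not on the list; the other two are straight from the top 20.
    for pw in ["123456", "secret", "correct horse battery staple"]:
        salt, digest = hash_password(pw)
        start = time.perf_counter()
        found, guesses = dictionary_attack(salt, digest, TOP20)
        elapsed = time.perf_counter() - start
        verdict = f"cracked as {found!r}" if found else "not cracked"
        print(f"{pw!r}: {verdict} after {guesses} guesses in {elapsed:.2f}s; "
              f"blocked at signup: {is_blocked(pw)}")
```

Run it and the first two passwords fall after 1 and 7 guesses respectively, each guess costing the full PBKDF2 work, while the passphrase survives all 20 guesses; the attacker would need a wordlist containing it, not a faster hash.  The signup check is the cheap fix: a site that refused the top-20 (or, better, a large list of previously leaked passwords) would have had none of these hashes fall to a twenty-word dictionary.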

Some believe that downloading the Ashley Madison database is a huge no-no.  On August 22, 2015, USA Today’s Elizabeth Weise strongly cautioned against downloading the Ashley Madison database because, “no matter how curious you are, there are two reasons not to download the Ashley Madison database of would-be cheaters: It’s potentially dangerous and it’s stolen property.”

However, as a divorce attorney and a private citizen who is not suspicious of a cheating spouse, I find the earlier-mentioned searchable tool most user-friendly for the first 33 million users who were identified.  For the rest of you out there, wondering whether your spouse is among the unidentified 3 million, you can be the judge of how important this information is to your marriage.

Even today, as of September 8, 2015, the website boasts 40,770 users (up by roughly 4,000 since the hack), brags of “100% discreet service,” and displays an icon reading “Trusted Security Award.”  I guess you can’t trust everything that you read.