The Ashley-Madison story just got more interesting with the news that it has been possible to crack the supposedly well encrypted users’ password. As Ars Technica (among others) reports, the account passwords have been managed with bcrypt, and this makes it practically impossible to decrypt.
But the account passwords have also been used to create tokens related to the user’s sessions. In this case the password has been hashed with the broken algorithm MD5. From the token it is then easy to recover a lowercase version of the password, and with just a few tries, in some cases even as few as 256 iterations, it is possible to recover the exact password from the bcrypt encrypted value.
This is again another confirmation that security is not a feature to add somewhere in our IT systems, but a fundamental component of each part of it. Everyone doing IT must at least be security aware . In this case it would have been enough to use the SHA2 hash algorithm instead of MD5 to prevent the cracking of the passwords.