The recent disclosures of data following the Ashley Madison hacks, including usernames and bcrypt-hashed passwords, has generated some interest in the security community over the last few weeks. The use of bcrypt had previously been thought to have rendered the passwords practically impossible to completely recover, thanks to it’s much more complex hashing scheme that drastically increases the length of time taken to perform a single hashing function, thus making brute-force attacks far slower to perform. Further research on the leaked data has shown this to simply not be the case at all.
A cracking team by the name of CynoSure Prime has discovered that a $loginkey field containing an MD5 hash of the username concatenated with a couple of colons and a plain text lower-case version of the password. MD5 hashes can be brute-forced at rates exceeding a billion attempts per second with little special effort, so attacking the MD5 hash for the lower-case password then attacking the bcrypt hash with only text case as a variable component drastically shortens the complete password recovery time. 11.2million passwords have already been recovered, helped by the fact that 9 out of 10 had no upper-case characters in them at all.