Ashley Madison's passwords were badly encrypted, 15 million+ passwords headed for the Web

A flaw in the fraudulent dating site's password hashing means that at least 15 million of its users' passwords are liable to decryption.

Since so many people unwisely recycle passwords, many of those will be useful for logging into other sites and making mischief of one kind and another.

Until now, there was good reason to believe the 36 million Ashley Madison user passwords published last month would never be cracked. After all, website developers protected them with bcrypt, a hash function so slow and computationally demanding it would require years or decades of around-the-clock processing with super-expensive computers to decipher even a small percentage of them. That assurance was shattered with the discovery of the programming error disclosed by a group calling itself CynoSure Prime. Members have already exploited the weakness to crack more than 11 million Ashley Madison user passwords, and they hope to tackle another four million in the next week or two.

Ashley Madison password crack could spell trouble across the Internet [Dan Goodin/Ars Technica]

(Image: Clay cracked, L. Shyamal, CC-BY-SA)