Security researchers have successfully cracked millions of the bcrypt password hashes from the leaked Ashley Madison user records (email addresses and password details).
Although this is not a new leak of data, the novel techniques the researchers applied demonstrate that traditional hashing (a mathematical technique that encodes a piece of information, typically into a shorter fixed-length representation, so that the original is obscured) can be vulnerable to a range of security compromises. On this occasion the data had even been "salted": a random value unrelated to the source data is combined with it before hashing, which is meant to make recovering the original even harder.
The 11 million leaked records were recovered and analysed for password complexity. Although the majority of passwords were 7 to 10 characters long, some were as long as 400 characters!
Organisations should be wary of the encryption standards they use to hold customer and client data. In the UK the Information Commissioner's Office advises that:
"Personal data should be stored in an encrypted form to protect against unauthorised access or processing, especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals."
“The longest password we found was 400 characters, while the shortest was only 3 characters long,” reads the post published by the CynoSure Prime group. “About 0.06% of passwords were 50 characters or longer, with 96.67% of passwords being 16 characters or less.”
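As an added illustration of the two points above (what salting a password hash actually does, and the length statistics the post reports), the following Python is not code from the researchers or from Ashley Madison; it uses PBKDF2-HMAC from the standard library as a stand-in for bcrypt, and the password sample is constructed, not leaked data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple, Dict, List

# PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption: hashlib ships no bcrypt);
# the principle is the same: a per-user random salt plus a tunable work factor.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given,
    so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def length_stats(passwords: List[str]) -> Dict[str, float]:
    """Length statistics in the form the CynoSure Prime post reports them."""
    lengths = [len(p) for p in passwords]
    n = len(lengths)
    return {
        "shortest": min(lengths),
        "longest": max(lengths),
        "pct_50_or_longer": 100.0 * sum(1 for l in lengths if l >= 50) / n,
        "pct_16_or_less": 100.0 * sum(1 for l in lengths if l <= 16) / n,
    }


# Constructed sample for demonstration only: one 3-character and one 400-character
# password, echoing the extremes the post mentions, plus a repeated weak one.
SAMPLE = ["abc", "password1", "correct horse battery staple", "x" * 400] + ["hunter22"] * 6

if __name__ == "__main__":
    s1, d1 = hash_password("hunter22")
    s2, d2 = hash_password("hunter22")
    print("same password, different salts, different digests:", d1 != d2)
    print("verifies with stored salt:", verify_password("hunter22", s1, d1))
    print(length_stats(SAMPLE))
```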