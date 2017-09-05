CynoSure Prime reports that it has cracked the hashes of virtually all 320 million passwords which security researcher Troy Hunt had put on his 'HaveIBeenPwned' website by early August.

Out of the 320 million plaintext passwords, compiled from various non-hashed data breaches, primarily in the form of SHA-1 hashes, CynoSure Prime says that, “We were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate.” The group says that in collaboration with @m33x and @tychotithonus it decided to make an attempt to crack/recover as many of the hashes as possible, and succeeded with pretty much all of them.

It explains online how this was achieved.

Different sources make up Hunt's total tally, and using the MDXfind tool some 15 different hashing algorithms found to have been used, but most were SHA-1, which was demonstrated to have been compromised in February this year, and most of the actual passwords are between seven and 10 characters long.

It was also shown that among the hashes was junk data, in some cases including usernames, but Hunt was reported as telling The Register that he's working with CryptoSure Prime data to purge it from the hashed lists hosted at HaveIBeenPwned.

