Clarify Ashley Madison text, fix founding date error

david-a-wheeler · david-a-wheeler · commit f5f9cdb62412 · 2022-11-18T11:43:30.000-05:00
Signed-off-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
diff --git a/secure_software_development_fundamentals.md b/secure_software_development_fundamentals.md
@@ -4506,7 +4506,7 @@ You should allow users to require the use of two-factor authentication (2FA), ei
 Also, beware of implementing these algorithms only on the client side. It is fine to implement them on the client side (because that prevents the server from ever discovering the password the user enters), as long as they are *also* implemented on the server. The danger is doing them *only* on the client; if that happens, then what is stored in the server is no different from storing passwords in the clear. Once attackers get the password database, they can simply create or modify their own client to log into anyone’s account.
 
 > 😱 STORY TIME: Ashley Madison data breach
-> Ashley Madison is a Canadian commercial online dating service founded in 2022 and marketed as enabling cheating on romantic partners. In 2015 attackers stole its customer data. They had correctly used the **bcrypt** routine to store passwords. Unfortunately, they also often stored passwords encoded using the **MD5** hashing algorithm, which is not appropriate for storing passwords (as noted above). Attackers used these unprotected MD5 password hashes to decipher more than 11 million of these accounts' passwords in just 10 days, enabling them to log into those accounts (["Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked" by Dan Goodin, 2015](https://arstechnica.com/information-technology/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/)).
+> Ashley Madison is a Canadian commercial online dating service founded in 2002 and marketed as enabling cheating on romantic partners. In 2015 attackers stole its customer data. Ashley Madison had correctly used the **bcrypt** routine to store user passwords. Unfortunately, they also often stored passwords encoded using the **MD5** hashing algorithm, which is not appropriate for storing passwords (as noted above). Attackers used these unprotected MD5 password hashes to decipher more than 11 million of these accounts' passwords in just 10 days, enabling them to log into those accounts (["Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked" by Dan Goodin, 2015](https://arstechnica.com/information-technology/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/)).
 
 #### Quiz 3.5: Storing Passwords
 
