Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stolen Adobe Passwords Were Encrypted, Not Hashed

Posted by timothy on from the getting-around-to-it dept.

rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."

8 of 230 comments (clear)

  1. Am I imagining it? by cpicon92 · · Score: 5, Insightful

    Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

    1. Re:Am I imagining it? by the_B0fh · · Score: 5, Insightful

      Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

      However, the company is entrusted with the password, and need to maintain good stewardship of it.

      This is not good stewardship no matter how much you are trying to shift the blame to the users.

    2. Re:Am I imagining it? by khasim · · Score: 5, Insightful

      It wouldn't matter if users just followed best practices for password selection.

      In this case, which would be easier?

      1. Getting 38 million people to follow best practices?

      2. Getting Adobe to follow best practices?

      It's a question of scalability.

    3. Re:Am I imagining it? by Charliemopps · · Score: 5, Insightful

      Security team says such and such isn't secure.
      Management says "Oh no! We have to do something"
      Security provides a quote for the upgrade project.
      Management asks "Um... what? Really? That's our entire 2013 development budget! What kind of fines are we looking at if there's a breach?"
      Security: "Well... None..."
      Management "So why is it you're in my office?"

    4. Re:Am I imagining it? by vadim_t · · Score: 4, Insightful

      Nope, not solved. All it means is that the 100000 morons using "password" as the password won't have the same hash. So the attackers won't be able to find out which accounts share the same password and focus on those, and won't be able to use a pre-computed dictionary.

      It is however trivial to hash "password" 38 million times for each salt, on modern hardware probably in seconds.

      The salting does provide an improvement, but when you have 38 million accounts, breaking even 1% already gives you a huge amount of successes. Salting doesn't do much against checking the list against the 100 best known passwords. 3800 million is a small number for a GPU accelerated password cracker.

    5. Re:Am I imagining it? by Russ1642 · · Score: 4, Insightful

      There shouldn't be a Password Hint field.

    6. Re:Am I imagining it? by Algae_94 · · Score: 3, Insightful

      You might not know all the best practices then. That strong passphrase should not be used anywhere else. That way it is useless to anyone that cracks it.

  2. Re:Where are they listed? by JLennox · · Score: 4, Insightful

    https://www.owasp.org/index.php/Main_Page