Stolen Adobe Passwords Were Encrypted, Not Hashed

rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."

Am I imagining it?

[cpicon92]

Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

Re:Am I imagining it?

[the_B0fh]

Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

However, the company is entrusted with the password, and need to maintain good stewardship of it.

This is not good stewardship no matter how much you are trying to shift the blame to the users.

Re:Am I imagining it?

[khasim]

It wouldn't matter if users just followed best practices for password selection.

In this case, which would be easier?

1. Getting 38 million people to follow best practices?

2. Getting Adobe to follow best practices?

It's a question of scalability.

Re:Am I imagining it?

[Charliemopps]

Security team says such and such isn't secure.
Management says "Oh no! We have to do something"
Security provides a quote for the upgrade project.
Management asks "Um... what? Really? That's our entire 2013 development budget! What kind of fines are we looking at if there's a breach?"
Security: "Well... None..."
Management "So why is it you're in my office?"