Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stolen Adobe Passwords Were Encrypted, Not Hashed

Posted by timothy on from the getting-around-to-it dept.

rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."

41 of 230 comments (clear)

  1. Am I imagining it? by cpicon92 · · Score: 5, Insightful

    Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

    1. Re:Am I imagining it? by the_B0fh · · Score: 5, Insightful

      Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

      However, the company is entrusted with the password, and need to maintain good stewardship of it.

      This is not good stewardship no matter how much you are trying to shift the blame to the users.

    2. Re:Am I imagining it? by khasim · · Score: 5, Insightful

      It wouldn't matter if users just followed best practices for password selection.

      In this case, which would be easier?

      1. Getting 38 million people to follow best practices?

      2. Getting Adobe to follow best practices?

      It's a question of scalability.

    3. Re:Am I imagining it? by gnasher719 · · Score: 3, Informative

      It wouldn't matter if users just followed best practices for password selection.

      It still matters. First, badly chosen passwords are made _obvious_ to hackers; when two or three or a dozen people choose the same password that's a high probability that the password was bad in the first place. And second, losing 30 million passwords makes brute force worthwhile. If you have an algorithm that would crack one password in 30 years on average, it will find passwords in a set of 30 million at a rate of one every minute.

    4. Re:Am I imagining it? by Anonymous Coward · · Score: 5, Funny

      Well, there's your problem. Everybody knows Adobe doesn't scale well.

    5. Re:Am I imagining it? by B1ackDragon · · Score: 2

      I'm guessing selection bias - entities with the security knowledge to use proper authentication techniques probably are also better at keeping their internal databases out of malicious hands. (Or, more negatively, the contraposition of that statement.) On a related note, this breach has caused me to update all of my own passwords, and my current pet peeve are entities that have an upper limit to password length within the current range of rainbow-table attacks (and what are the chances those guys are properly salting?)

      --
      The snow doesn't give a soft white damn whom it touches. -- ee cummings
    6. Re: Am I imagining it? by Omniver · · Score: 2

      It wouldn't matter. Strong passwords help prevent dictionary attacks against password hashes. In this case, it appears the passwords were encrypted, not hashed. So instead of cracking the users' passwords, the attacker need only attack the encryption key and they would get all the users' passwords regardless of how strong they were.

    7. Re:Am I imagining it? by TheNastyInThePasty · · Score: 3, Informative

      Hashing + Salting = Problem Solved.

      --
      The best thing about UDP jokes is I don't care if you get them or not
    8. Re:Am I imagining it? by Charliemopps · · Score: 5, Insightful

      Security team says such and such isn't secure.
      Management says "Oh no! We have to do something"
      Security provides a quote for the upgrade project.
      Management asks "Um... what? Really? That's our entire 2013 development budget! What kind of fines are we looking at if there's a breach?"
      Security: "Well... None..."
      Management "So why is it you're in my office?"

    9. Re:Am I imagining it? by Pope · · Score: 2

      Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

      However, the company is entrusted with the password, and need to maintain good stewardship of it.

      This is not good stewardship no matter how much you are trying to shift the blame to the users.

      People were putting their actual passwords in the "Password Hint" field. I can certainly blame a user for doing that, as well as the developers for allowing it.

      --
      It doesn't mean much now, it's built for the future.
    10. Re:Am I imagining it? by vadim_t · · Score: 4, Insightful

      Nope, not solved. All it means is that the 100000 morons using "password" as the password won't have the same hash. So the attackers won't be able to find out which accounts share the same password and focus on those, and won't be able to use a pre-computed dictionary.

      It is however trivial to hash "password" 38 million times for each salt, on modern hardware probably in seconds.

      The salting does provide an improvement, but when you have 38 million accounts, breaking even 1% already gives you a huge amount of successes. Salting doesn't do much against checking the list against the 100 best known passwords. 3800 million is a small number for a GPU accelerated password cracker.

    11. Re:Am I imagining it? by gstoddart · · Score: 2

      Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage?

      Honest answer? 'Good enough' costs far less than 'really secure', and companies aren't really interested in doing any real security -- just something which looks secure-ish.

      Worst case, they'll get a small fine which is less than the cost of making the changes would have been.

      There's simply no incentive (because there are no real punishments) for a company to take data security seriously. So they do a half-assed job of it, and leave it there.

      You can bet that, at some point, someone said "this is terribly insecure", and got told by management to STFU.

      And unless Adobe gets a really stiff penalty for this, nothing at all will change.

      --
      Lost at C:>. Found at C.
    12. Re:Am I imagining it? by Russ1642 · · Score: 4, Insightful

      There shouldn't be a Password Hint field.

    13. Re:Am I imagining it? by QuasiSteve · · Score: 4, Funny

      It's funny because bicubic

    14. Re:Am I imagining it? by timeOday · · Score: 2

      Because it really doesn't matter much. You will never find one victim of this Adobe hack who would rather have been in a fender bender.

    15. Re:Am I imagining it? by Algae_94 · · Score: 3, Insightful

      You might not know all the best practices then. That strong passphrase should not be used anywhere else. That way it is useless to anyone that cracks it.

    16. Re:Am I imagining it? by Kongming · · Score: 4, Interesting

      I agree. I could do without "security questions", as well. Some sites allow you to reset your password using just the security questions, which is ridiculously insecure if credulously answered, given how easily available some of the information is. I used to put long strings of garbage as the answers, knowing that I would never lose my password. I can't do that anymore, because a lot of companies seem to have decided that it is a good idea to require answers to the security questions to do relatively routine things like log in from a different IP address. Now it is essentially one more password that I have to keep for each such site, which if you are choosing strong, unique passwords, is pretty much a waste of time.

      --
      (no sig)
    17. Re:Am I imagining it? by blueg3 · · Score: 4, Informative

      There's another major difference, for large password-database leaks. Salted hashes can't be computed for all leaked passwords at the same time, they need to be computed once per salt. That means that cracking the whole password database at once is, computationally, just as hard as cracking each password individually. With unsalted hashes, cracking the whole password database is as hard as cracking a single password. With this password database, that's a difficulty difference of a factor of 30 million, which is pretty substantial.

  2. Obligatory by stewsters · · Score: 5, Funny

    http://xkcd.com/1286/

  3. Dear Adobe by Picass0 · · Score: 5, Interesting

    Online security (or lack thereof) is one of the reasons it's a bad move to turn your Adobe Creative Suite into a cloud based subscription service.

  4. Et tu, Adobe? by CCarrot · · Score: 4, Funny

    Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking.

    Apparently even Adobe has trouble keeping up with updates and patches...what's the matter, get tired of the update server's nagging every couple of weeks?

    I'm sure there's some irony to be found in this situation somewhere...

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  5. Phishing going on too by perpenso · · Score: 5, Interesting

    It wouldn't matter if users just followed best practices for password selection.

    True, but that is only part of the story. There is also the email address used with Adobe. Users also need to exercise caution with links and attachments.

    Last week I started to receive phishing emails on the unique email address that I had used with Adobe.

  6. Re:3DES by queazocotal · · Score: 2

    To expand on this - if the key doesn't leak, then Alice's password is 'safe' even if she reuses it on other sites only if nobody else in the Adobe dump has used her password, and that username is identifiable on other dumps of released passwords.

    So, if Alice and Bob's passwords are identical, Bob's password has been recovered from elsewhere, you now know what Alice's password is, and password reuse becomes risky.

    While poor practice as if the encryption key can be recovered _everyones_ password is now released - for 3DES as I understand it - if a long key has been used, there is no practical attack against it.

    So, yes, if you have another list of passwords, you can go and say 'Bob used password 1223 on these two other releases, if he's used 1223 for Adobe - here are all the other people who've used that same password' - but you can't recover passwords not shared by other people who have not had their passwords leaked already.

    Massive computation buys you nothing here, unless you can crack the key, which for a long random key is impractical.

    In this case, 3DES may have leaked less data that is important.

  7. Re:3DES by OneAhead · · Score: 2

    Close. '123456' tops Adobe password list.
    Also, I know this doesn't need a reference, but just for those who like a good nostalgic laugh.

  8. Where are they listed? by Okian+Warrior · · Score: 2

    Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

    I've lost my copy of "The Big Book of Best Practices" and would like to purchase a new copy.

    It's not on Amazon or eBay - would you sell me your copy?

    (Or alternately, point me to the content for chapter 6: "Best Practices for Security in IT".)

    1. Re:Where are they listed? by JLennox · · Score: 4, Insightful

      https://www.owasp.org/index.php/Main_Page

  9. Very breakable by shellster_dude · · Score: 2, Interesting

    The passwords are very breakable as they used the same IV's and keys for every password. Thus any two same plain texts have the same cipher text. A little, simple statistical analysis will get you the keystream and allow you to get all the plain text passwords.

    1. Re:Very breakable by Anonymous Coward · · Score: 4, Funny

      Please share with us, this, little, simple stistical analysis method.

  10. You Mean Using Post It Notes by theshowmecanuck · · Score: 4, Interesting

    People who use "best practices for passwords" have passwords that are so brutally hard to remember for a human being that they end up having to 'save' it on a Post-It note stuck to the side of their monitor or "hidden" under a pile of papers that others can look at. Or relegate the 'remembering' of their passwords to another piece of software like a system wallet/keychain, which is just offloading responsibility to another system that itself is an unknown quantity with respect to being well written. But even if a user uses a wallet/keychain, that doesn't remove the Post-It note vector if they need to use the password on more than one piece of hardware. It or a text file on a thumb drive are the common ways to transfer these kinds of passwords between devices.

    The reality of how the average person uses a computer often does not reflect the theories that many so called computer security experts have. That is because the latter forget that they are not in the center of the human standard normal curve. Most people don't think like programmers or so called security experts. Better to make the system secure than rely on people to follow so called password best practices. If it isn't easy for the average user, they won't use it.

    --
    -- I ignore anonymous replies to my comments and postings.
    1. Re:You Mean Using Post It Notes by oobayly · · Score: 2

      I have a single password (8 mixed case alphanumeric characters) that I use as the base password. I then use a very simple algorithm (if you can call it that) that adds [certain] letters from the website's domain to the beginning and end of the base password. That way I have a different password for every site, but only have to remember a single password.

      I've suggested it to quite a few people, and most of those people say they now use a method like that. Of course, it always comes with a warning not to use something like "password" as your base password - UK reg numbers aren't bad.

      I also use KeePass for saving our company's passwords (as well as a printed copy in the safe), but that's more in case I get run over by a bus.

    2. Re:You Mean Using Post It Notes by oobayly · · Score: 2

      They won't even think that way. So the average user won't do that. Period. Full stop.

      Well, in my experience, *normal* users do use them (nurses, managers and sales staff included), because if it's explained to them in a sensible manner then they will understand it. I don't use the word algorithm with them, I just used it here as I *hoped* that the average /. user had a clue.

      I suppose it comes down to the ability to explain what you want users to do. As my thermodynamics tutor once said - "if you can't explain it, you don't understand it". Sorry, but your inability to teach password security to *normal* users is a reflection upon yourself, not the user.

  11. It means it USED to be "encrypted", a year ago by raymorris · · Score: 2

    According to Adobe, until a year ago, they were doing it wrong, using the wrong encryption in the wrong way.
    The bad guys got a year-old backup, so it was encrypted using the old (wrong) method.

    Since the old backup is done wrong, that tells us only that the primary USED TO be done wrong, which is exactly what Adobe is saying. It tells us nothing about the current database.

  12. Bad passwords on purpose by GlobalEcho · · Score: 5, Interesting

    I haven't checked, but I assume my own Adobe account was part of this leak. And I don't care.

    Along with a large portion of the increasingly savvy population, I have more than one "level" of password in use. My account used the lowest of these, basically something like adobe_123. Learning that is not going to help anyone form useful heuristics on how I create my banking passwords -- it might even poison them.

    On the whole, I believe the breach will probably help crackers (if decryption can be achieved). But, I think it is foolish to automatically assume that accounts with "weak" passwords are contributors to the problem. As with me, they might be poor indicators of how humans choose more important passwords.

  13. 90%+ do it wrong - plain text or 3DES from 1972 by raymorris · · Score: 2

    Of the 12,000 or so sites I've seen, well over 90% do it wrong. I'd estimate 95%. Many store passwords in plain text.
    Most use 3DES, which was reasonably secure in 1972. Today, 3DES is cracked in milliseconds.
    Sometimes we see an unsalted hash, including MD5.

    A few have used MySQL's PASSWORD() and the phpass gimmick scheme which are reasonably secure but non-portable.

    I consider "doing it right" to be a salted hash. For new software, bcrypt / blowfish or a SHA primitive.
    Preferably, SHA-256 or SHA-512 via crypt($5$salt$, password) for portability and consistency.
    For existing code, I consider SALTED MD5 to be acceptable, but the length of the input should certainly be validated.

     

  14. Re:Strange advice by Qzukk · · Score: 2

    SHA-2 includes both SHA-256 and SHA-512. Password hash algorithms generally use repeated iterations to slow brute force attacks. For instance, crypt modular hashes use $5$rounds=....$ and $6$rounds=...$ as the prefix for these hashes (respectively) to indicate which type and the number of iterations.

    As far as I know, they're currently fairly solid for the purpose of hashing passwords, but CPU/GPU power marches on.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  15. Re:Strange advice by LordLimecat · · Score: 2

    SHA-2, aka SHA256 or SHA512.
    http://en.wikipedia.org/wiki/SHA-2

    The more you know....

  16. Hashing is not better than encryption! by L-One-L-One · · Score: 2

    In practice hashing is often much less secure than encryption for passwords. The devil is in the details.

    Here it seems that Adobe made some poor design choices in the encryption algorithm. Yet, despite these flaws, assuming the encryption key is not compromised they might still be better off with their encryption rather than a poor hash mechanism such as the one used for example by Sony and revealed in the playstation hack by anonymous.

    In general if the encryption key is not compromised, then encryption provides much more security than pure hashing, or even hashing with a salt. The reason for that is that with encryption, the security of the password depends on the strength of the secret key. With hashing, the security depends of the strength of the password. This is a significant difference. So, if your password is 4 characters long, even the best hash algorithm will fail to protect from a brute force attack. However, if that same password is encrypted, you need to brute force the key which would take centuries assuming the key is long enough.

    To be more precise:
    1) Pure hashing (applying SHA1 alone for example) is almost the same as having no security at all.
    2) Hashing with a salt is a bit better but still won't resist long given computational power offered by GPUs and cloud computing.
    3) An iterated hash function with a salt is much better (see PKDF2), and buys you some security but still vulnerable from brute force attacks using GPUs and pooled cloud resources.
    4) A "sequential memory-hard" hash function (with salt and iteration) such as "scrypt" is pretty safe today.

    Unfortunately in reality most companies use either (1) or (2)...

    The drawback of encryption is that you need to make sure that your key is safe. Once the key is compromised you're toast. This means that you should not put the key on the same system that is hosting the password database (it may sound evident, but I've seen it done). It requires putting the key in a HSM (Hardware Security Module) or in a distinct ultra secure server, distinct from the password database.

    Of course, if you have the possibility to keep a key secure, the best option is to use a *keyed* hash function (an iterated salted version of HMAC for example), getting the benefits of both worlds...

  17. It's pretty sad when by Anonymous Coward · · Score: 3, Funny

    even xkcd beats Slashdot to a story.

  18. torrent magnet link by rduke15 · · Score: 2

    Here is the essential part missing from the summary:

    magnet:?xt=urn:btih:441582b9204dad5a26199aa51c7746d641f95b21&dn=users.tar.gz&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp%3A%2F%2Ftracker.istole.it%3A6969&tr=udp%3A%2F%2Ftracker.ccc.de%3A80&tr=udp%3A%2F%2Fopen.demonii.com%3A1337

    The file is called users.atr.gz, and is 4 GB.

    As already shown by http://xkcd.com/1286/ , this looks like a fun project for a lonely rainy week-end...

  19. Re:Encryption *IS* better than hashing by WaffleMonster · · Score: 2

    You could do both: Hash and encrypt.

    No, I explained why when I talked about establishing proof of password knowledge.

    Entering your password into a site which falsely claims to be twitter or facebook or google or whatever should NOT result in compromise of your password. It should instead result in detection of a scam (e.g. failure to connect to site)

    Entering passwords into plaintext web forms on SSL sites obviously does NOT accomplish this.

    Being trained to entering passwords only into browser based login dialogue which mutually authenticates using appropriate zero knowledge proof does.

    All mutual authentication requires guarding of source of trust. You can hash a password and store the hash but this only shifts the burden from protecting the password to protecting the hash. If the hash is compromised trust is also compromised (e.g. "passing the hash"). There is fundamentally no way around it other than to maintain the current ridiculous status quot.

  20. Re:Encryption *IS* better than hashing by scdeimos · · Score: 2

    If you only use hashing then, yes, you are open to Rainbow Table attacks because common passwords can be immediately exposed.

    But hashing is not salted hashing. Best practice uses salted hashing with a unique salt for each user, thus making Rainbow Table attacks useless - you have to generate a whole new set of Rainbow Tables for each known salt which is a whole lot more work for an attacker.