Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stolen Adobe Passwords Were Encrypted, Not Hashed

Posted by timothy on from the getting-around-to-it dept.

rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."

18 of 230 comments (clear)

  1. Am I imagining it? by cpicon92 · · Score: 5, Insightful

    Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

    1. Re:Am I imagining it? by the_B0fh · · Score: 5, Insightful

      Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

      However, the company is entrusted with the password, and need to maintain good stewardship of it.

      This is not good stewardship no matter how much you are trying to shift the blame to the users.

    2. Re:Am I imagining it? by khasim · · Score: 5, Insightful

      It wouldn't matter if users just followed best practices for password selection.

      In this case, which would be easier?

      1. Getting 38 million people to follow best practices?

      2. Getting Adobe to follow best practices?

      It's a question of scalability.

    3. Re:Am I imagining it? by Anonymous Coward · · Score: 5, Funny

      Well, there's your problem. Everybody knows Adobe doesn't scale well.

    4. Re:Am I imagining it? by Charliemopps · · Score: 5, Insightful

      Security team says such and such isn't secure.
      Management says "Oh no! We have to do something"
      Security provides a quote for the upgrade project.
      Management asks "Um... what? Really? That's our entire 2013 development budget! What kind of fines are we looking at if there's a breach?"
      Security: "Well... None..."
      Management "So why is it you're in my office?"

    5. Re:Am I imagining it? by vadim_t · · Score: 4, Insightful

      Nope, not solved. All it means is that the 100000 morons using "password" as the password won't have the same hash. So the attackers won't be able to find out which accounts share the same password and focus on those, and won't be able to use a pre-computed dictionary.

      It is however trivial to hash "password" 38 million times for each salt, on modern hardware probably in seconds.

      The salting does provide an improvement, but when you have 38 million accounts, breaking even 1% already gives you a huge amount of successes. Salting doesn't do much against checking the list against the 100 best known passwords. 3800 million is a small number for a GPU accelerated password cracker.

    6. Re:Am I imagining it? by Russ1642 · · Score: 4, Insightful

      There shouldn't be a Password Hint field.

    7. Re:Am I imagining it? by QuasiSteve · · Score: 4, Funny

      It's funny because bicubic

    8. Re:Am I imagining it? by Kongming · · Score: 4, Interesting

      I agree. I could do without "security questions", as well. Some sites allow you to reset your password using just the security questions, which is ridiculously insecure if credulously answered, given how easily available some of the information is. I used to put long strings of garbage as the answers, knowing that I would never lose my password. I can't do that anymore, because a lot of companies seem to have decided that it is a good idea to require answers to the security questions to do relatively routine things like log in from a different IP address. Now it is essentially one more password that I have to keep for each such site, which if you are choosing strong, unique passwords, is pretty much a waste of time.

      --
      (no sig)
    9. Re:Am I imagining it? by blueg3 · · Score: 4, Informative

      There's another major difference, for large password-database leaks. Salted hashes can't be computed for all leaked passwords at the same time, they need to be computed once per salt. That means that cracking the whole password database at once is, computationally, just as hard as cracking each password individually. With unsalted hashes, cracking the whole password database is as hard as cracking a single password. With this password database, that's a difficulty difference of a factor of 30 million, which is pretty substantial.

  2. Obligatory by stewsters · · Score: 5, Funny

    http://xkcd.com/1286/

  3. Dear Adobe by Picass0 · · Score: 5, Interesting

    Online security (or lack thereof) is one of the reasons it's a bad move to turn your Adobe Creative Suite into a cloud based subscription service.

  4. Et tu, Adobe? by CCarrot · · Score: 4, Funny

    Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking.

    Apparently even Adobe has trouble keeping up with updates and patches...what's the matter, get tired of the update server's nagging every couple of weeks?

    I'm sure there's some irony to be found in this situation somewhere...

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  5. Phishing going on too by perpenso · · Score: 5, Interesting

    It wouldn't matter if users just followed best practices for password selection.

    True, but that is only part of the story. There is also the email address used with Adobe. Users also need to exercise caution with links and attachments.

    Last week I started to receive phishing emails on the unique email address that I had used with Adobe.

  6. You Mean Using Post It Notes by theshowmecanuck · · Score: 4, Interesting

    People who use "best practices for passwords" have passwords that are so brutally hard to remember for a human being that they end up having to 'save' it on a Post-It note stuck to the side of their monitor or "hidden" under a pile of papers that others can look at. Or relegate the 'remembering' of their passwords to another piece of software like a system wallet/keychain, which is just offloading responsibility to another system that itself is an unknown quantity with respect to being well written. But even if a user uses a wallet/keychain, that doesn't remove the Post-It note vector if they need to use the password on more than one piece of hardware. It or a text file on a thumb drive are the common ways to transfer these kinds of passwords between devices.

    The reality of how the average person uses a computer often does not reflect the theories that many so called computer security experts have. That is because the latter forget that they are not in the center of the human standard normal curve. Most people don't think like programmers or so called security experts. Better to make the system secure than rely on people to follow so called password best practices. If it isn't easy for the average user, they won't use it.

    --
    -- I ignore anonymous replies to my comments and postings.
  7. Re:Very breakable by Anonymous Coward · · Score: 4, Funny

    Please share with us, this, little, simple stistical analysis method.

  8. Re:Where are they listed? by JLennox · · Score: 4, Insightful

    https://www.owasp.org/index.php/Main_Page

  9. Bad passwords on purpose by GlobalEcho · · Score: 5, Interesting

    I haven't checked, but I assume my own Adobe account was part of this leak. And I don't care.

    Along with a large portion of the increasingly savvy population, I have more than one "level" of password in use. My account used the lowest of these, basically something like adobe_123. Learning that is not going to help anyone form useful heuristics on how I create my banking passwords -- it might even poison them.

    On the whole, I believe the breach will probably help crackers (if decryption can be achieved). But, I think it is foolish to automatically assume that accounts with "weak" passwords are contributors to the problem. As with me, they might be poor indicators of how humans choose more important passwords.