Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stolen Adobe Passwords Were Encrypted, Not Hashed

Posted by timothy on from the getting-around-to-it dept.

rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."

9 of 230 comments (clear)

  1. Am I imagining it? by cpicon92 · · Score: 5, Insightful

    Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

    1. Re:Am I imagining it? by the_B0fh · · Score: 5, Insightful

      Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

      However, the company is entrusted with the password, and need to maintain good stewardship of it.

      This is not good stewardship no matter how much you are trying to shift the blame to the users.

    2. Re:Am I imagining it? by khasim · · Score: 5, Insightful

      It wouldn't matter if users just followed best practices for password selection.

      In this case, which would be easier?

      1. Getting 38 million people to follow best practices?

      2. Getting Adobe to follow best practices?

      It's a question of scalability.

    3. Re:Am I imagining it? by Anonymous Coward · · Score: 5, Funny

      Well, there's your problem. Everybody knows Adobe doesn't scale well.

    4. Re:Am I imagining it? by Charliemopps · · Score: 5, Insightful

      Security team says such and such isn't secure.
      Management says "Oh no! We have to do something"
      Security provides a quote for the upgrade project.
      Management asks "Um... what? Really? That's our entire 2013 development budget! What kind of fines are we looking at if there's a breach?"
      Security: "Well... None..."
      Management "So why is it you're in my office?"

  2. Obligatory by stewsters · · Score: 5, Funny

    http://xkcd.com/1286/

  3. Dear Adobe by Picass0 · · Score: 5, Interesting

    Online security (or lack thereof) is one of the reasons it's a bad move to turn your Adobe Creative Suite into a cloud based subscription service.

  4. Phishing going on too by perpenso · · Score: 5, Interesting

    It wouldn't matter if users just followed best practices for password selection.

    True, but that is only part of the story. There is also the email address used with Adobe. Users also need to exercise caution with links and attachments.

    Last week I started to receive phishing emails on the unique email address that I had used with Adobe.

  5. Bad passwords on purpose by GlobalEcho · · Score: 5, Interesting

    I haven't checked, but I assume my own Adobe account was part of this leak. And I don't care.

    Along with a large portion of the increasingly savvy population, I have more than one "level" of password in use. My account used the lowest of these, basically something like adobe_123. Learning that is not going to help anyone form useful heuristics on how I create my banking passwords -- it might even poison them.

    On the whole, I believe the breach will probably help crackers (if decryption can be achieved). But, I think it is foolish to automatically assume that accounts with "weak" passwords are contributors to the problem. As with me, they might be poor indicators of how humans choose more important passwords.