Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Stolen Adobe Passwords Were Encrypted, Not Hashed

timothy posted about a year ago | from the getting-around-to-it dept.

Encryption 230

rjmarvin writes "The hits keep coming in the massive Adobe breach. It turns out the millions of passwords stolen in the hack reported last month that compromised over 38 million users and source code of many Adobe products were protected using outdated encryption security instead of the best practice of hashing. Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking."

Sorry! There are no comments related to the filter you selected.

Am I imagining it? (5, Insightful)

cpicon92 (1157705) | about a year ago | (#45337053)

Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

Re:Am I imagining it? (0, Troll)

vidnet (580068) | about a year ago | (#45337141)

It wouldn't matter if users just followed best practices for password selection.

Re:Am I imagining it? (1)

CastrTroy (595695) | about a year ago | (#45337193)

Well, it would matter somewhat, because if they weren't aware of a breach, then some hacker could be using your account without your knowledge. Of course, if you are using best practices for password selection, then at least all your accounts on all the other sites you visit are safe.

Re:Am I imagining it? (5, Insightful)

the_B0fh (208483) | about a year ago | (#45337203)

Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

However, the company is entrusted with the password, and need to maintain good stewardship of it.

This is not good stewardship no matter how much you are trying to shift the blame to the users.

Re:Am I imagining it? (2)

Pope (17780) | about a year ago | (#45337667)

Are you blaming the users now? In any normal distribution of users, there will be some with good password policies, and some who don't have good password policies.

However, the company is entrusted with the password, and need to maintain good stewardship of it.

This is not good stewardship no matter how much you are trying to shift the blame to the users.

People were putting their actual passwords in the "Password Hint" field. I can certainly blame a user for doing that, as well as the developers for allowing it.

Re:Am I imagining it? (4, Insightful)

Russ1642 (1087959) | about a year ago | (#45338043)

There shouldn't be a Password Hint field.

Re:Am I imagining it? (4, Interesting)

Kongming (448396) | about a year ago | (#45338579)

I agree. I could do without "security questions", as well. Some sites allow you to reset your password using just the security questions, which is ridiculously insecure if credulously answered, given how easily available some of the information is. I used to put long strings of garbage as the answers, knowing that I would never lose my password. I can't do that anymore, because a lot of companies seem to have decided that it is a good idea to require answers to the security questions to do relatively routine things like log in from a different IP address. Now it is essentially one more password that I have to keep for each such site, which if you are choosing strong, unique passwords, is pretty much a waste of time.

Re:Am I imagining it? (1)

Anonymous Coward | about a year ago | (#45338419)

I think it's fair to put some blame on the users. Sure it's not their fault that this breach occurred, but if they followed best practices this would have no effects on all their other accounts. Instead, I think we all know that the majority of the username/password combinations obtained will work with numerous other sites and services. Don't reuse passwords and it will never matter if a site gets owned like this.
 
People need to realize that any system they can't personally audit is not secure. Do not risk compromising other accounts by trusting the same password to multiple places. If you do, that password is only as secure as the least secure of those sites.

Re:Am I imagining it? (5, Insightful)

khasim (1285) | about a year ago | (#45337211)

It wouldn't matter if users just followed best practices for password selection.

In this case, which would be easier?

1. Getting 38 million people to follow best practices?

2. Getting Adobe to follow best practices?

It's a question of scalability.

Re:Am I imagining it? (5, Funny)

Anonymous Coward | about a year ago | (#45337327)

Well, there's your problem. Everybody knows Adobe doesn't scale well.

Re:Am I imagining it? (1)

davester666 (731373) | about a year ago | (#45337835)

you had me at "Everybody knows Adobe doesn't"

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45337881)

But is it web-scale ?
Answering to my own joke. It came to that.

Re:Am I imagining it? (4, Funny)

QuasiSteve (2042606) | about a year ago | (#45338171)

It's funny because bicubic

Re:Am I imagining it? (1)

Mirar (264502) | about a year ago | (#45337815)

Turns out best _user_ practice is not to get a product that forces you to register an email/password tupel...?

I'm sure Adobe then is more interested in getting customers.

But then again, maybe not.

Re:Am I imagining it? (1)

Algae_94 (2017070) | about a year ago | (#45338481)

Those 38 million people take the heat off me. I don't reuse passwords. A compromise like this will get them my password to an obviously insecure site. That password will not work for anything else. On the other hand they have 38 million other passwords to use. My information will quickly be found to be of little value and they'll move on.

It's like the idea that if a bear starts chasing you and another person. You don't have to outrun the bear, just the other person.

And to be extra paranoid, I have a credit card that allows me to create temporary CC numbers that are only valid at one location for a certain dollar amount. This way Credit Card information can't be reused anywhere else either.

Phishing going on too (5, Interesting)

perpenso (1613749) | about a year ago | (#45337301)

It wouldn't matter if users just followed best practices for password selection.

True, but that is only part of the story. There is also the email address used with Adobe. Users also need to exercise caution with links and attachments.

Last week I started to receive phishing emails on the unique email address that I had used with Adobe.

Re:Phishing going on too (1)

sl4shd0rk (755837) | about a year ago | (#45337723)

Users also need to exercise caution

There will never be a phrase in computing history which has never been more heavily disregarded.

Re:Am I imagining it? (3, Informative)

gnasher719 (869701) | about a year ago | (#45337321)

It wouldn't matter if users just followed best practices for password selection.

It still matters. First, badly chosen passwords are made _obvious_ to hackers; when two or three or a dozen people choose the same password that's a high probability that the password was bad in the first place. And second, losing 30 million passwords makes brute force worthwhile. If you have an algorithm that would crack one password in 30 years on average, it will find passwords in a set of 30 million at a rate of one every minute.

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45337545)

It wouldn't matter if users just followed best practices for password selection.

It matters a great deal. If the attackers can recover the encryption key, either by brute force attack or as part of the overall data breach, they get ALL the passwords, even the ones that use a strong passphrase selection method like diceware.

Re:Am I imagining it? (3, Insightful)

Algae_94 (2017070) | about a year ago | (#45338517)

You might not know all the best practices then. That strong passphrase should not be used anywhere else. That way it is useless to anyone that cracks it.

Re: Am I imagining it? (2)

Omniver (856159) | about a year ago | (#45337575)

It wouldn't matter. Strong passwords help prevent dictionary attacks against password hashes. In this case, it appears the passwords were encrypted, not hashed. So instead of cracking the users' passwords, the attacker need only attack the encryption key and they would get all the users' passwords regardless of how strong they were.

You Mean Using Post It Notes (4, Interesting)

theshowmecanuck (703852) | about a year ago | (#45337825)

People who use "best practices for passwords" have passwords that are so brutally hard to remember for a human being that they end up having to 'save' it on a Post-It note stuck to the side of their monitor or "hidden" under a pile of papers that others can look at. Or relegate the 'remembering' of their passwords to another piece of software like a system wallet/keychain, which is just offloading responsibility to another system that itself is an unknown quantity with respect to being well written. But even if a user uses a wallet/keychain, that doesn't remove the Post-It note vector if they need to use the password on more than one piece of hardware. It or a text file on a thumb drive are the common ways to transfer these kinds of passwords between devices.

The reality of how the average person uses a computer often does not reflect the theories that many so called computer security experts have. That is because the latter forget that they are not in the center of the human standard normal curve. Most people don't think like programmers or so called security experts. Better to make the system secure than rely on people to follow so called password best practices. If it isn't easy for the average user, they won't use it.

Re:You Mean Using Post It Notes (1)

Anonymous Coward | about a year ago | (#45338069)

Correct Horse Battery Staple

That wasn't so hard.

http://xkcd.com/936/

Re:You Mean Using Post It Notes (2)

oobayly (1056050) | about a year ago | (#45338325)

I have a single password (8 mixed case alphanumeric characters) that I use as the base password. I then use a very simple algorithm (if you can call it that) that adds [certain] letters from the website's domain to the beginning and end of the base password. That way I have a different password for every site, but only have to remember a single password.

I've suggested it to quite a few people, and most of those people say they now use a method like that. Of course, it always comes with a warning not to use something like "password" as your base password - UK reg numbers aren't bad.

I also use KeePass for saving our company's passwords (as well as a printed copy in the safe), but that's more in case I get run over by a bus.

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45337157)

Because their entire infrastructure is crafted by interns? The executives need to get their pay after all, can't afford qualified staff.

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45337195)

Because they can sell them to the NSA for more $$$?

Re:Am I imagining it? (1)

AmiMoJo (196126) | about a year ago | (#45337285)

Why do they always lie about it as well, even once found out? They say the backup was using an older and less secure system, but if the primary copy was hashed there would be no way to reverse it and then encrypt the original password anyway. Therefore we know that the primary password storage is always encrypted, and just as weak.

Re:Am I imagining it? (1)

Charliemopps (1157495) | about a year ago | (#45337679)

I believe what they are saying is that they did upgrade to hashes, but they had an old Dev environment from before the upgrade and that's what they hacked. I'd say that's pretty typical of big IT shops. Bunches of old Dev environments that go back years because people are afraid to erase them "just in case" Most companies have the false impression that the only part of their data that's at risk is the publicly facing stuff. They never think of "What if they get inside?"

It means it USED to be "encrypted", a year ago (2)

raymorris (2726007) | about a year ago | (#45337981)

According to Adobe, until a year ago, they were doing it wrong, using the wrong encryption in the wrong way.
The bad guys got a year-old backup, so it was encrypted using the old (wrong) method.

Since the old backup is done wrong, that tells us only that the primary USED TO be done wrong, which is exactly what Adobe is saying. It tells us nothing about the current database.

Re:Am I imagining it? (1)

vadim_t (324782) | about a year ago | (#45337295)

Hashing doesn't help that much with a database this large.

Simply check the 38 million for "password", "secret", and the username. Guaranteed to have an enormous amount of successful hits that way.

I wouldn't be surprised if a million were trivially breakable in this manner, in just a few minutes if not less. If you can make $1 from each, that's a nice chunk of cash you just got.

Re:Am I imagining it? (3, Informative)

TheNastyInThePasty (2382648) | about a year ago | (#45337593)

Hashing + Salting = Problem Solved.

Re:Am I imagining it? (4, Insightful)

vadim_t (324782) | about a year ago | (#45337709)

Nope, not solved. All it means is that the 100000 morons using "password" as the password won't have the same hash. So the attackers won't be able to find out which accounts share the same password and focus on those, and won't be able to use a pre-computed dictionary.

It is however trivial to hash "password" 38 million times for each salt, on modern hardware probably in seconds.

The salting does provide an improvement, but when you have 38 million accounts, breaking even 1% already gives you a huge amount of successes. Salting doesn't do much against checking the list against the 100 best known passwords. 3800 million is a small number for a GPU accelerated password cracker.

Wouldnt they hash the username and password? (1)

Marrow (195242) | about a year ago | (#45338445)

Or even the username, customer number, and password? I mean you want as much in the stew as possible right? Then add a little salt to taste.

Re:Am I imagining it? (1)

GuldKalle (1065310) | about a year ago | (#45337797)

Not really. You could still test all users against the top 100 passwords in a reasonable amount of time. After that, test if their mail accounts have the same password.
It won't get you all user passwords, but the low hanging fruit / naive / non-tech-savvy users are probably a better target anyway

Re:Am I imagining it? (1)

ron_ivi (607351) | about a year ago | (#45337915)

Simply check the 38 million for "password", "secret", and the username

If I have a password on file at Adobe (and I think I do), it's probably "password". And that's not a bad thing.

My email there is probably some variation of dontSpamMe@spam.la (that was such a wonderful service while it lasted); or some throwaway like adobespam@[my-own-domain].com.

And there's no way I ever gave them a credit card (or real name, etc).

TL/DR: password=password doesn't neccessarily imply insecure

Re:Am I imagining it? (1)

Pope (17780) | about a year ago | (#45338393)

Not for YOU. But it sure helps decrypt everyone else's password once you can analyze a know good value. Which is exactly what happened with Adobe's database.

Re:Am I imagining it? (2)

B1ackDragon (543470) | about a year ago | (#45337395)

I'm guessing selection bias - entities with the security knowledge to use proper authentication techniques probably are also better at keeping their internal databases out of malicious hands. (Or, more negatively, the contraposition of that statement.) On a related note, this breach has caused me to update all of my own passwords, and my current pet peeve are entities that have an upper limit to password length within the current range of rainbow-table attacks (and what are the chances those guys are properly salting?)

Re:Am I imagining it? (1)

Algae_94 (2017070) | about a year ago | (#45338581)

... and my current pet peeve are entities that have an upper limit to password length within the current range of rainbow-table attacks

Do people still use rainbow tables. I was under the impression that they become prohibitively large after a certain length. I've not seen too many sites that don't let you go to at least 10 characters. That should get you out of the realm of rainbow tables.

Re:Am I imagining it? (1)

SuricouRaven (1897204) | about a year ago | (#45337397)

Because if Adobe had no way of decrypting the passwords, they wouldn't be able to provide them to the NSA.

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45337847)

Fix your tinfoil hat. You're sending them your password over SSL _in clear text every time you log in_, same as with most sites out there.

FFS, if you're gonna fish for karma, at least try making sense - "NSA leaked Adobe's database" would be at least somewhat reasonable (leaving plausibility aside), this is just silly. "Hey, people are sending us their passwords in the clear every day, but if we're gonna give those to NSA, let's make up a complicated, fragile and unnecessary system to do that!"

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45337491)

Because the companies that follow industry best practices don't get hacked as often in the first place?

This is like asking why all the chicken eggs you collect hatch chickens.

Re:Am I imagining it? (1)

wisnoskij (1206448) | about a year ago | (#45337507)

Because when a company follows best security practices it does not have its data breached in the first place.

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45337561)

There can still be security issues with your OS, DB, or web server that are outside of your control.

Where are they listed? (2)

Okian Warrior (537106) | about a year ago | (#45337591)

Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage? Maybe I just don't remember the times when it hasn't been this way...

I've lost my copy of "The Big Book of Best Practices" and would like to purchase a new copy.

It's not on Amazon or eBay - would you sell me your copy?

(Or alternately, point me to the content for chapter 6: "Best Practices for Security in IT".)

Re:Am I imagining it? (5, Insightful)

Charliemopps (1157495) | about a year ago | (#45337653)

Security team says such and such isn't secure.
Management says "Oh no! We have to do something"
Security provides a quote for the upgrade project.
Management asks "Um... what? Really? That's our entire 2013 development budget! What kind of fines are we looking at if there's a breach?"
Security: "Well... None..."
Management "So why is it you're in my office?"

Re:Am I imagining it? (2)

timeOday (582209) | about a year ago | (#45338241)

Because it really doesn't matter much. You will never find one victim of this Adobe hack who would rather have been in a fender bender.

Re:Am I imagining it? (0)

Anonymous Coward | about a year ago | (#45338521)

Tortious negligence is a thing, and not following best practices can easily open you up for liability. Companies have been sued in the past and lost quite a bit of money over this.

Re:Am I imagining it? (2)

gstoddart (321705) | about a year ago | (#45338033)

Why is it that every single time some big entity's password database is breached, it turns out that they're not following best practices for password storage?

Honest answer? 'Good enough' costs far less than 'really secure', and companies aren't really interested in doing any real security -- just something which looks secure-ish.

Worst case, they'll get a small fine which is less than the cost of making the changes would have been.

There's simply no incentive (because there are no real punishments) for a company to take data security seriously. So they do a half-assed job of it, and leave it there.

You can bet that, at some point, someone said "this is terribly insecure", and got told by management to STFU.

And unless Adobe gets a really stiff penalty for this, nothing at all will change.

90%+ do it wrong - plain text or 3DES from 1972 (2)

raymorris (2726007) | about a year ago | (#45338155)

Of the 12,000 or so sites I've seen, well over 90% do it wrong. I'd estimate 95%. Many store passwords in plain text.
Most use 3DES, which was reasonably secure in 1972. Today, 3DES is cracked in milliseconds.
Sometimes we see an unsalted hash, including MD5.

A few have used MySQL's PASSWORD() and the phpass gimmick scheme which are reasonably secure but non-portable.

I consider "doing it right" to be a salted hash. For new software, bcrypt / blowfish or a SHA primitive.
Preferably, SHA-256 or SHA-512 via crypt($5$salt$, password) for portability and consistency.
For existing code, I consider SALTED MD5 to be acceptable, but the length of the input should certainly be validated.

 

Re:90%+ do it wrong - plain text or 3DES from 1972 (1)

spacefight (577141) | about a year ago | (#45338331)

I use bcrypt - but then again you can pretty much f*ck it up using a work cost which isn't reasonable these days...

Re:90%+ do it wrong - plain text or 3DES from 1972 (0)

Anonymous Coward | about a year ago | (#45338397)

Most use 3DES, which was reasonably secure in 1972. Today, 3DES is cracked in milliseconds.

Right.

First published 1998

The best attack known on keying option 1 requires around 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions, and 2^88 memory[18] (the paper presents other tradeoffs between time and memory). This is not currently practical and NIST considers keying option 1 to be appropriate through 2030.[10] If the attacker seeks to discover any one of many cryptographic keys, there is a memory-efficient attack which will discover one of 2^28 keys, given a handful of chosen plaintexts per key and around 2^84 encryption operations.[19]

I don't even know what you really meant, I'd assume MD5, used by most (unsecure) sites, but you mention it right after that...

I meant DES, default for crypt(), htpasswd (1)

raymorris (2726007) | about a year ago | (#45338551)

Thank you for the correction.

I meant DES, not 3DES. Most use crypt(random), htpasswd, or compatible.

* Not to be confused with crypt($5$salt$), which is secure SHA-256.

Re:Am I imagining it? (1)

Palinchron (924876) | about a year ago | (#45338197)

For one thing, for many applications you NEED the plaintext passwords. You can't do cram-md5 authentication without it, for example.

Steam did (0)

Anonymous Coward | about a year ago | (#45338281)

Steam got hit a while back, and all the stolen passwords had been hashed and salted.

You probably don't remember this because people didn't get all upset about it....since best practices had been followed.

Re:Am I imagining it? (1)

tepples (727027) | about a year ago | (#45338283)

it turns out that they're not following best practices for password storage

Because sometimes, these systems have to interoperate with other systems that don't follow best practices. For example, if system A has to interact with system B on the user's behalf without the user's interaction, system A has to store some sort of token to authenticate to system B.

Re:Am I imagining it? (1)

LordLimecat (1103839) | about a year ago | (#45338425)

Encrypting a password doesnt have to be an issue, if you use the password hash + username as the key for encrypting the password. There could be reasons to do it that way, and AFAICT it would be functionally identical to hashing with salt-- in either case a weak password would fall to brute-force, in either case you need to crack the passwords one at a time (due to the "salt").

The benefit of doing so is for instance if you wanted to encrypt user data with a key without giving said key to the vendor (adobe): they would use your password as the data encryption key, and encrypt the password itself with the password hash. You never need to transmit your password plaintext, and noone could decrypt your password without knowing it. It also allows you to change your logon password without having to re-encrypt all of your data.

AFAIK what matters isnt "encryption vs hashing", its "are they salting, and are they using per-user keys".

For those who registered. (1)

Anonymous Coward | about a year ago | (#45337055)

Today is a good day to be a pirate.

Obligatory (5, Funny)

stewsters (1406737) | about a year ago | (#45337065)

Re:Obligatory (1)

CaseCrash (1120869) | about a year ago | (#45337185)

Alright, I'll give you that one.

It's too late (0)

Anonymous Coward | about a year ago | (#45337069)

Nothing they say or do will change the sittuation.

Re:It's too late (1, Funny)

Anonymous Coward | about a year ago | (#45337219)

And nothing you do or say will change the fact you misspelled "situation".

Updates? (1)

Ralph Michael De Leon (3387837) | about a year ago | (#45337083)

Like me, their "System/Network Admins" must ignore Adobe's requests for "Important Updates"

Encrypting passwords is "outdated?" (1)

JLennox (942693) | about a year ago | (#45337131)

I don't think that was ever considered an acceptable practice...

Re:Encrypting passwords is "outdated?" (0)

Anonymous Coward | about a year ago | (#45337175)

Perhaps it used to be common practice.

Re:Encrypting passwords is "outdated?" (1)

TheCarp (96830) | about a year ago | (#45337415)

This is exactly what I was about to post. I started learning Unix systems in the mid 90s, while the web was still new. Back then, whether to use shadow passwords was still a question asked at install time. Not, should passwords be hashed, that was already long since the standard, but should the hashes be protected.

So at least as far as web services go, encryption vs hashing was NEVER the right or state of the art choice at the time.

Re:Encrypting passwords is "outdated?" (0)

Anonymous Coward | about a year ago | (#45337909)

learning Unix systems in the mid 90s

... oblivious to first 20 years of Unix systems ...

Re:Encrypting passwords is "outdated?" (1)

TheCarp (96830) | about a year ago | (#45338059)

No we simply were not talking about that. How would that possibly be relevant to discussions of web services which, unless there is some secret history that goes beyond 1992, (are we counting gopher as "the web" now?) then I stand by my statement: So at least as far as web services go, encryption vs hashing was NEVER the right or state of the art choice at the time.

Re:Encrypting passwords is "outdated?" (1)

LordLimecat (1103839) | about a year ago | (#45338457)

Whats wrong with encrypting passwords? Are you just objecting to the specific case where no salt (technically nonce) is used and a single encryption key is used for all accounts?

What if they stored it as such--
SHA1(Username) :: AES(password, sha1(password+username))

Id be interested to see why thats fundamentally weaker than hashing; it certainly can be more useful (such as when you want to use the password as a key for other data without ever having to pass it over the wire).

"The system involved in the attack used 3DES" (0)

Anonymous Coward | about a year ago | (#45337139)

So why is this surprising really given what we know of how Adobe has consistently operated now for over a decade?

"I have no clue, but I wanna diss Adobe too!" (0)

Anonymous Coward | about a year ago | (#45337951)

There's nothing wrong with 3DES per se, the way Adobe used it is botched.

Dear Adobe (5, Interesting)

Picass0 (147474) | about a year ago | (#45337165)

Online security (or lack thereof) is one of the reasons it's a bad move to turn your Adobe Creative Suite into a cloud based subscription service.

3DES (1)

Anonymous Coward | about a year ago | (#45337189)

Adobe used 3DES. I've RTFA, so you don't have to.

Now if you don't know, 3DES is reasonably safe. It is a block cypher. So unless they also stored the key to the data, the password is reasonably safe. Of course, identical passwords with straight 3DES will be encrypted to same result, but I'm certain no one uses the same password for one website as anywhere else, right??

Re:3DES (1)

noh8rz10 (2716597) | about a year ago | (#45337239)

I call "12345"! Nobody else can use it. it's the password for my luggage, so it's especially convenient for me.

Re:3DES (2)

OneAhead (1495535) | about a year ago | (#45337503)

Close. '123456' tops Adobe password list [bbc.co.uk] .
Also, I know this doesn't need a reference, but just for those who like a good nostalgic laugh [youtube.com] .

Re:3DES (1)

noh8rz10 (2716597) | about a year ago | (#45337867)

thanks for the good laugh. it's been a while since i've actually seen the movie. it's available to rent from amazon online for $3. maybe i'll splurge a bit (i mean, "work offsite")

Re:3DES (2)

queazocotal (915608) | about a year ago | (#45337311)

To expand on this - if the key doesn't leak, then Alice's password is 'safe' even if she reuses it on other sites only if nobody else in the Adobe dump has used her password, and that username is identifiable on other dumps of released passwords.

So, if Alice and Bob's passwords are identical, Bob's password has been recovered from elsewhere, you now know what Alice's password is, and password reuse becomes risky.

While poor practice as if the encryption key can be recovered _everyones_ password is now released - for 3DES as I understand it - if a long key has been used, there is no practical attack against it.

So, yes, if you have another list of passwords, you can go and say 'Bob used password 1223 on these two other releases, if he's used 1223 for Adobe - here are all the other people who've used that same password' - but you can't recover passwords not shared by other people who have not had their passwords leaked already.

Massive computation buys you nothing here, unless you can crack the key, which for a long random key is impractical.

In this case, 3DES may have leaked less data that is important.

Re:3DES (0)

Anonymous Coward | about a year ago | (#45337427)

Know plaintext? Preseed the database with usernames/passwords that you know. Maybe a 100? Should give you a hell of a leg up over brute force.

Re:3DES (0)

Anonymous Coward | about a year ago | (#45337683)

Given multiple hints from multiple users for the same password sure shrinks the search space.

Re:3DES (0)

Anonymous Coward | about a year ago | (#45337871)

Given multiple hints from multiple users for the same password sure shrinks the search space.

For what? For the key? Or for the cryptotext?

This is a block cypher. So you can only compere if the blocks are the same, not letters. And that is only if they used straight crypto on each block without something like CBC.

There is tons and tons of ways where you know what the cleartext is and you know the cypher text, but you cannot recover the key. If that wasn't true, then you break 3DES (or DES). DES was only broken by exhaustive search.

Please point to some proof that same or similar cryptotext results in key leak for 3DES (or DES)

Re:3DES (1)

LordLimecat (1103839) | about a year ago | (#45338483)

While poor practice as if the encryption key can be recovered _everyones_ password is now released

That ONLY follows if they are using the same key for everyone. That does not have to be the case.

Re:3DES (1)

kesuki (321456) | about a year ago | (#45338075)

when i read http://xkcd.com/1286/ [xkcd.com] apparently password hints were exposed in the clear. not cool not cool...

Not at all safe in this instance (1)

raymorris (2726007) | about a year ago | (#45338215)

XKCD showed why it's not at all safe in this instance. Here's the table:

email cryptw hint
ac@slash.com 737462 first apostle
dumb@adobe.com 737462 hot neighbor

From the encrypted password, we see that these two users have the same password. Now look at the password hints. What do you suppose is the password they BOTH used?

Re:3DES (0)

Anonymous Coward | about a year ago | (#45338417)

It's worse. They used ECB mode, so identical 64-bit blocks will be encrypted to the same result. So if you have the same first 8 characters as someone else's password, that will be obvious.

Wham wham wham (0)

Anonymous Coward | about a year ago | (#45337233)

The passwords were encrypted, rather than hashed. They were stored on a backup server everyone knew was outdated. What part of this wasn't a terrible, terrible idea from start to finish?

Et tu, Adobe? (4, Funny)

CCarrot (1562079) | about a year ago | (#45337235)

Adobe admitted the hack targeted a backup system that had not been updated, leaving the hacked passwords more vulnerable to brute-force cracking.

Apparently even Adobe has trouble keeping up with updates and patches...what's the matter, get tired of the update server's nagging every couple of weeks?

I'm sure there's some irony to be found in this situation somewhere...

Re:Et tu, Adobe? (1)

Pope (17780) | about a year ago | (#45338409)

Eh, it's their own fault for writing their encryption in Flash!

To be fair... (1)

hey! (33014) | about a year ago | (#45337377)

Storing only hashed, salted passwords has only been common practice since 1970s Unix.

Strange advice (0)

GODISNOWHERE (2741453) | about a year ago | (#45337425)

For password storage and protection, the general best practice is to use an algorithm designed for password protection, the top options being bcrypt, scrypt, PBKDF2, or SHA-2.

SHA-2? Was that sentence edited by an NSA intern?

Re:Strange advice (1, Flamebait)

VortexCortex (1117377) | about a year ago | (#45338245)

SHA-2 is a family of hashes including SHA-256, SHA-512, etc. you dolt. Additionally: Keystretching is fine, so is key stretching and recording the resultant hashes into a chunk of RAM, then hashing that and continuing the process for your keystretching to make it memory hard. SHA-2 can be every bit as effective as any other option you'd go for. You're clearly an ignorant fuck.

Re:Strange advice (2)

Qzukk (229616) | about a year ago | (#45338455)

SHA-2 includes both SHA-256 and SHA-512 [wikipedia.org] . Password hash algorithms generally use repeated iterations to slow brute force attacks. For instance, crypt modular hashes use $5$rounds=....$ and $6$rounds=...$ as the prefix for these hashes (respectively) to indicate which type and the number of iterations.

As far as I know, they're currently fairly solid for the purpose of hashing passwords, but CPU/GPU power marches on.

encryption instead of hashing (1)

Skapare (16644) | about a year ago | (#45337617)

When was encryption instead of hashing ever best or right practice? Did someone at Adobe just not understand and everyone else at Adobe accepted that?

Very breakable (2, Interesting)

shellster_dude (1261444) | about a year ago | (#45337671)

The passwords are very breakable as they used the same IV's and keys for every password. Thus any two same plain texts have the same cipher text. A little, simple statistical analysis will get you the keystream and allow you to get all the plain text passwords.

Re:Very breakable (4, Funny)

Anonymous Coward | about a year ago | (#45337853)

Please share with us, this, little, simple stistical analysis method.

Jobs was right, Adobe is pathetic (1)

swschrad (312009) | about a year ago | (#45337705)

gaping holes in the software for black hats, with all the security of a row of shoeboxes on a busy street for their business secrets. there are no grownups there.

NOT correct (0)

Anonymous Coward | about a year ago | (#45338273)

They play an important (should I say "pivotal" ?) role in the business of providing the opposite of security. I think you can guess who wants their $hite to be installed on hundreds of millions of computers.

Bad passwords on purpose (5, Interesting)

GlobalEcho (26240) | about a year ago | (#45338141)

I haven't checked, but I assume my own Adobe account was part of this leak. And I don't care.

Along with a large portion of the increasingly savvy population, I have more than one "level" of password in use. My account used the lowest of these, basically something like adobe_123. Learning that is not going to help anyone form useful heuristics on how I create my banking passwords -- it might even poison them.

On the whole, I believe the breach will probably help crackers (if decryption can be achieved). But, I think it is foolish to automatically assume that accounts with "weak" passwords are contributors to the problem. As with me, they might be poor indicators of how humans choose more important passwords.

Re:Bad passwords on purpose (1)

Shados (741919) | about a year ago | (#45338489)

There's still unfortunately so many people that reuse passwords. Every new MMORPG that comes out now has a huge wave of "hacked" account where the attacker simply used any one of the big password databases that came from these other leaks, and reaps it. The mass, every time, thinks its the game that got hacked. "Omg i have a super strong password....", yet they reuse it, so its irrelevant.

I used to do it the same way you do, with different levels of passwords. I eventually lost track and just started using KeyPass and generate unique passwords. Unfortunately you can't expect most people to do that, so...

Hashing is not better than encryption! (2)

L-One-L-One (173461) | about a year ago | (#45338593)

In practice hashing is often much less secure than encryption for passwords. The devil is in the details.

Here it seems that Adobe made some poor design choices in the encryption algorithm. Yet, despite these flaws, assuming the encryption key is not compromised they might still be better off with their encryption rather than a poor hash mechanism such as the one used for example by Sony and revealed in the playstation hack by anonymous.

In general if the encryption key is not compromised, then encryption provides much more security than pure hashing, or even hashing with a salt. The reason for that is that with encryption, the security of the password depends on the strength of the secret key. With hashing, the security depends of the strength of the password. This is a significant difference. So, if your password is 4 characters long, even the best hash algorithm will fail to protect from a brute force attack. However, if that same password is encrypted, you need to brute force the key which would take centuries assuming the key is long enough.

To be more precise:
1) Pure hashing (applying SHA1 alone for example) is almost the same as having no security at all.
2) Hashing with a salt is a bit better but still won't resist long given computational power offered by GPUs and cloud computing.
3) An iterated hash function with a salt is much better (see PKDF2), and buys you some security but still vulnerable from brute force attacks using GPUs and pooled cloud resources.
4) A "sequential memory-hard" hash function (with salt and iteration) such as "scrypt" is pretty safe today.

Unfortunately in reality most companies use either (1) or (2)...

The drawback of encryption is that you need to make sure that your key is safe. Once the key is compromised you're toast. This means that you should not put the key on the same system that is hosting the password database (it may sound evident, but I've seen it done). It requires putting the key in a HSM (Hardware Security Module) or in a distinct ultra secure server, distinct from the password database.

Of course, if you have the possibility to keep a key secure, the best option is to use a *keyed* hash function (an iterated salted version of HMAC for example), getting the benefits of both worlds...

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?