Within a couple of weeks, however, Adobe was forced to acknowledge that a more accurate figure for the number of people who were impacted by the hack was some 38 million active users after a 3.8GB file containing more than 150 million usernames/passwords was dumped on the net.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” said Adobe spokesperson Heather Edell.
The truth is that, in a screw-up of colossal proportions, Adobe didn’t protect the password data with a one-way cryptographic hashing algorithm.
Instead, Adobe encrypted its password data with Triple DES (3DES) in ECB mode – an incredibly poor choice because it always produces the same output if you feed it the same input.
In short, if you happened to choose the same password as someone else, Adobe will have been storing the byte-for-byte same encrypted ciphertext version of the password for each user.
Furthermore, the leaked database included users’ plaintext password hints, helping to reveal what the most commonly used passwords were.
For instance, if you saw the following hints from thousands of different users, all associated with the same ciphertext, you would probably be able to guess the actual password that they shared – right?
It’s not going to be aardvark with hints like that, is it?
Jeremi Gosney, of the security firm Stricture Consulting Group, was able to determine the top 100 most commonly used passwords in the Adobe database with ease.
Here are the first 50:
As you can see, the most popular password, chosen by almost two million Adobe users, is 123456. Other password choices are equally poor: password, 123456789, qwerty, etc…
As Gosney told ZDNet, it only took a few hours to determine the top 100 passwords:
The password hints were the most telling. An overwhelming number of people took the concept of a password hint too literally, and flat-out provided the password itself as the hint. By analysing thousands of password hints per ciphertext, and matching that information with what we know about the ciphertext thanks to ECB mode, we are able to determine a number of passwords with a reasonable degree of certainty. It took about three hours to determine what the top 100 passwords were with this method.
Gosney went on to tell me that the release of the Adobe password database could make a significant impact on future password cracking:
If we can recover the encryption key and decrypt the passwords, it will be huge for password crackers. RockYou was the first real glimpse we got at how users select passwords on a massive scale. This leak is nearly 5x the size of RockYou, and will give us amazing statistics for probabilistic password cracking.
The only good news in this sorry mess is that Adobe says that it now protects passwords following best practices, and it has now reset the exposed passwords. But that’s not going to be much help if you’ve used the same password elsewhere on the internet.
In short, you should never use the same password on multiple websites. And you need to stop choosing obvious, easy-to-crack passwords.
If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack, spyware keyloggers or a data breach) and then hackers using it to unlock your other online accounts.
Meanwhile, if you run a company or website which needs to store users’ passwords, you should be taking much better care than Adobe did in ensuring that they are tricky to crack, using a one-way cryptographic hashing algorithm.
After all, if a hacker does manage to break into your computer systems you want to feel confident that they’re going to find it as hard as possible to crack the passwords your customers have entrusted you with.
And maybe it’s time to implement tougher requirements on your customers in the first place, ensuring that they use passwords that are more complex and harder to guess in future.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.