Improper security measures: Millions of Adobe passwords stolen

Source: Internet
Author: User

Researchers revealed that Adobe has confirmed that millions of passwords were stolen in the October data breach, and that those passwords had not been stored according to industry best practice: the encryption method used to protect them is easily cracked.

In a statement to CSO, Adobe confirmed some of the details disclosed by Ars Technica last Friday. Adobe said that the passwords stolen in January were not hashed but protected with ordinary encryption, which means that Adobe's engineers did not follow industry best practice for password protection.

For password storage and protection, the accepted best practice is to use an algorithm designed specifically for protecting passwords; the preferred algorithms are bcrypt, scrypt, PBKDF2 or SHA-2. Such algorithms are used because, once deployed, brute-force cracking of the passwords becomes almost impossible. On top of these algorithms, adding a salt to the hash further increases the difficulty of cracking. In fact, when passwords are not properly hashed, any organization may suffer "sensitive data exposure" (ranked sixth in the OWASP Top Ten security risks).

Adobe says that since upgrading its authentication system it has protected customer passwords with salted SHA-256, so it has followed best practice for password storage and protection for a year. However, the upgraded system was not the one attacked by the hackers.

"This system was not the target of the October 3, 2013 attack. The system attacked was a backup of the authentication system that was about to be decommissioned. That system used Triple DES encryption to protect all stored password information," Adobe spokesperson Heather Edell told CSO.

Using Triple DES to protect passwords runs against established best practice, because the passwords can be recovered if attackers guess the key, given the encryption method used. Direct attacks on 3DES, however, are not easy, so Adobe's method does create an obstacle for anyone trying to crack the stolen password list, and the list has not yet been cracked.

The list contains 0.13 billion Adobe accounts, and analysis of it reveals some interesting data. Jeremi Gosney of Stricture Consulting Group was able to compile the one hundred most common passwords from that data.

"The latest leak affected 130,324,429 users. We do not yet have the key Adobe used to encrypt the passwords. However, because Adobe chose symmetric-key encryption instead of hashing, selected ECB mode, and used the same key for every password, combined with a large amount of known plaintext and the generous information users provided in their password hints, it was not difficult for us to work out the one hundred passwords most commonly used by Adobe users."
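The weakness described above (3DES under a single key in ECB mode, with no salt) comes down to determinism: equal passwords produce equal ciphertext, so the stored list can be grouped and ranked without the key. The Go program below is an added example, not Adobe's code or Gosney's tooling; the key and the sample password list are constructed for the demonstration, and the contrast function is the salted SHA-256 the article says the upgraded system uses.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha256"
	"encoding/hex"
)

// encrypt3DESECB encrypts one password under a single 24-byte key in ECB mode
// with zero padding: the deterministic scheme the article attributes to the
// decommissioned backup system. Real-world padding may differ; this is a stand-in.
func encrypt3DESECB(key, pw []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := append([]byte{}, pw...)
	if rem := len(padded) % bs; rem != 0 {
		padded = append(padded, bytes.Repeat([]byte{0}, bs-rem)...)
	}
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs]) // no chaining, no IV
	}
	return out, nil
}

// groupCiphertexts encrypts a password list the way the backup system did and
// counts identical ciphertexts. An analyst holding only the ciphertexts can build
// the same counts; one hint or known plaintext per group unmasks the whole group.
func groupCiphertexts(key []byte, passwords []string) (map[string]int, error) {
	counts := map[string]int{}
	for _, pw := range passwords {
		ct, err := encrypt3DESECB(key, []byte(pw))
		if err != nil {
			return nil, err
		}
		counts[hex.EncodeToString(ct)]++
	}
	return counts, nil
}

// saltedSHA256 is the per-user salted hash of the upgraded system: with a
// distinct salt per user, equal passwords no longer produce equal digests.
func saltedSHA256(salt, pw []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(pw)
	return h.Sum(nil)
}
```

Running groupCiphertexts over a realistic list reproduces the frequency ranking the article describes, which is why deterministic encryption of passwords is a storage failure even when the cipher itself holds.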

According to the list of one hundred common passwords, nearly 1.9 million users chose "123456" as their password and more than 0.44 million chose "123456789"; "password", "adobe123" and "12345678" round out the five most commonly used passwords.

Many of the accounts leaked in this incident use very random passwords, which suggests that their Adobe accounts were not important to their owners. However, everyone has habits, and reusing the same password elsewhere may expose the e-mail addresses of these people.

If you want to check whether your e-mail address appears in the leaked Adobe data, you can look it up at http://adobe.cynic.al/. If your address has been exposed, change your password as soon as possible and keep a close eye on any contact related to the Adobe leak.
