Adobe users' purloined passwords were PATHETIC

Adobe's security breach just got worse for the company and the world, after a security researcher revealed that 1.9 million of the company's customers use the string “123456” as their password. The researcher in question is Jeremi Gosney of the Stricture Group, whose Twitter profile claims The Reg has in the past labelled him a “ …

COMMENTS

This topic is closed for new posts.


This post has been deleted by its author

I don't get it...

How did this alleged researcher obtain these numbers?

OK there was a security breach, but that wouldn't give access to the passwords; **no-one** stores passwords in plaintext.

So what's the deal with the statistics?

0
10
Bronze badge

Re: I don't get it...

Actually some people do... Adobe didn't, but they did store their user passwords in a reversibly encrypted way along with password hints.

Please see the relevant xkcd strip and its explain page.

http://xkcd.com/1286/

http://www.explainxkcd.com/wiki/index.php?title=1286

7
0
Anonymous Coward

Re: I don't get it...

The passwords were not reversibly encrypted.

When you get hold of a large number of encrypted passwords you do not target an individual and attempt to crack their password.

What you do is encrypt commonly used passwords and compare it to all the accounts. Since he is a "password security expert" he probably has pre-generated rainbow tables of a dictionary (with salts) that would enable a rapid comparison to the passwords.

EDIT: Having just read the linked-to post, it appears that Adobe didn't use a one-way hash, but instead used symmetric key encryption with the same key for every account. This means that once the key is recovered then every password can be decrypted.

6
0
Bronze badge

Re: I don't get it...

"OK there was a security breach, but that wouldn't give access to the passwords; **no-one** stores passwords in plaintext."

Sony did.

http://www.theregister.co.uk/2011/06/08/password_re_use_survey/

4
0

Re: I don't get it...

*facepalm*

2
0
FAIL

Re: I don't get it...

Well if they were hashed without salt, it's not hard to have a lookup table of the most common password hashes...

0
0
Bronze badge

Re: I don't get it...

> What you do is encrypt commonly used passwords and compare it to all the accounts.

If properly salted, a rainbow table won't help because the same password will have different hashes for different people. Fail for Adobe there.

0
0
Silver badge

Re: I don't get it...

"OK there was a security breach, but that wouldn't give access to the passwords; **no-one** stores passwords in plaintext."

Friendfinderinc.com do - and they've been hacked several times (including credit card data). The outfits that actually publicly admit they've been breached are few and far between even when there are criminal penalties for nondisclosure.

Whilst maintaining servers I've run across a number of "password protected" areas on websites where the passwords are plaintext in a subdirectory without adequate protection (ie, knowing the URL allows the file to be directly downloadable) and most of the time they're in trivially predictable locations.

There is _zero_ accountability for a "website programmer" (in most cases only 2 steps above "drooling simian") who pulls that kind of stunt. By the time it's discovered he (always a he) has pocketed the cash and is long gone - and price bears virtually zero relationship to actual quality (a lot of web cowboys charge well over the odds knowing that it fools "management" into thinking they're getting a quality product).

Presumably Adobe weren't quite so stupid, but the bare fact that the password table was obtainable AT ALL in any format is worrying (a well-run webserver queries an external box with the provided credentials over a fully secured link and the external box says "yay" or "nay". Anything resident on the server itself should be regarded as being written on the back of a postcard.)

1
0
Silver badge

Re: I don't get it...

I think you should have saved that facepalm for this little gem (from the notes on the top 100 list):

generosity of users who flat-out gave us their password in their password hint

Obviously not an account they care about.

0
0
Anonymous Coward

Re: I don't get it...

Their software is shit, overpriced and over-rated. It's about time they were exposed.

Hopefully the dent to their reputation will mean they don't charge over £1000 for their software.

0
0
Anonymous Coward

Hang on

Isn't this password just something that allows the user to download stuff from Adobe?

In other words, isn't it that the password does not protect any user data, but just Adobe's ability to restrict access to its products?

If so, no wonder users use crap passwords. Assuming you crack my Adobe account, you already have my email, and therefore my name; what more information would you get from Adobe? (Assuming I even gave Adobe my real name)

17
1

Re: Hang on

Exactly. They force you to have an account even if you're just downloading a demo/trial. Most people couldn't give two hoots if someone logged into their Adobe account.

18
0

Re: Hang on

Agree, having to create an account to download trials is what Slopsbox (RIP), along with "who cares" pa55words, was invented for.

1
0

Re: Hang on

I think you're giving a lot of people too much credit... said adobe password and registered email may very well get you into many other accounts owned by the same person.

I've been guilty of that in the past, I had the same password on pretty much every site I registered on. Then, one site got hacked and I realised how silly I'd been and had to spend a whole evening frantically inventing unique passwords. I can't be the only silly person out there!

8
0
Silver badge

Re: Hang on

Indeed, I often used to hear from my other half "Oh Christ, Adobe wants my user password to download and it won't take the last one again! Better set up yet another account!"

I think at last count she had 6 or more.

Even I have three (maybe) and I don't use any of their stuff. Don't ask me what the passwords are, but nothing amazing. The details in them are all bogus...mail @mail.com anyone?

So if Adobe says they have for example 50 million accounts that's possibly only 5 million actual users.

4
0

This post has been deleted by its author

Anonymous Coward

Re: Hang on

It's not that much of a problem, IMHO. By no means do I have unique passwords for every site I have a login for (it would be nice though, but I'm only human) - however, I use the same 2-3 passwords and 3-4 usernames for all my forum-level activities, two different ones for that handful (<5) of major money-related sites like Paypal etc. and a globally unique, fairly hard one for my mail account (which can be used to retrieve most other IDs and is tied to way too many things to afford to lose it, in general). AC, obviously, because why tempt fate unnecessarily... :P

3
0
Bronze badge

Re: Hang on @BigAndos

It's a fair point, but I still use a single password for unimportant crap like this, and better unique ones for email/paypal etc. If the reg ever gets hacked you may use my details to log into all manner of other online forums and post whatever you wish.

As an aside, it would be interesting for the Reg to aggregate all the passwords used for this site to see how many are 1337 or similar.

2
0
Anonymous Coward

Re: Hang on

I have 2 password sets. One set for sites that count, like banks, and the second smaller set which I use for these annoying and trivial accounts that so many places insist on setting you up with. My password 'hint' for this sort of site is 'usual insecure'...

1
0
Anonymous Coward

Unique passwords are easy.

I use a standard password combined with a simple system for generating extra letters from the site I'm accessing. For instance, something along the lines of

first 5 letters of password + last 3 letters of domain name + number of letters in domain name + last 3 letters of password

Unique per site and a piece of piss to remember. Why doesn't everyone do this? (I really mean that. This being El Reg, I bet there's a security expert here who can tell me why this is actually a bad idea.)

0
0

Re: Unique passwords are easy.

O.K. So someone hacks El Reg and sees your password is say: passwter11ord they could easily spot your system and know that your paypal password is passwpal6ord

0
0
Anonymous Coward

Re: Unique passwords are easy.

Easily? My core password is made up of the initials of a memorable sentence. So something more like "IttsLOter11wtb". Would it really be that obvious?

Besides, we're comparing this to loads of other people on here who are saying they have, say, one password for unimportant sites and another for high-security stuff. My system is surely better than that?

(Sod's Law, I'm bound to get hacked now.)

0
0

Re: Hang on

But how many users use the same password for multiple accounts? A lot of those users probably have the same password for their email, which then allows the hackers a view into a whole lot more, perhaps which bank they deal with, credit cards, and all other sorts of valuable personal information.

0
0

Re: Hang on @BigAndos

Yeah, I have taken this approach now: I have a handful of "throwaway" passwords for forums, and banks etc. all have their own unique passwords. Once bitten, twice shy and all that!

0
0
Silver badge

Re: Unique passwords are easy.

Unique per site and a piece of piss to remember. Why doesn't everyone do this? (I really mean that. This being El Reg, I bet there's a security expert here who can tell me why this is actually a bad idea.)

Actually, that technique is recommended by some experts. (I know one of my IT-security books describes something like it, but I'm not inclined to skim them looking for the reference, so you'll have to take my word for it.) Like any security measure, it's a trade-off: you reduce the entropy of your passwords a bit, but make them much easier to remember, which narrows or prunes other branches of the attack tree. (Hard-to-remember passwords are a loss-of-service threat, and are often recorded, which creates another vulnerability, etc.)

So under a reasonable threat model you could very plausibly evaluate your scheme as an overall improvement in your security.

2
0

Re: Hang on

I was thinking exactly the same. These lists of passwords from sites that have been hacked show that people use rubbish passwords for sites which were subsequently hacked ... showing that they've chosen wisely in using a throwaway password for them.

0
0
Anonymous Coward

Re: Hang on

Agreed. I had an Adobe account with a password relatively high on that list (although not in the top 25 or so). I'll commonly use a rather pathetic password on accounts that don't matter, but use a much more unique one on accounts where things are actually at stake. With virtually every site and service requiring a password these days, it's ridiculous to think people are going to come up with intricate and unique passwords on every one.

Of course, this isn't to excuse Adobe for their negligence with which they stored and secured their customer's information. This is yet another reason I will absolutely not subscribe to their SAS licensing scam... errr... scheme and hand over my financial information to them directly.

0
0

This post has been deleted by its author

It's the combination an idiot has on his luggage

That is all.

2
0
Anonymous Coward

Re: It's the combination an idiot has on his luggage

You show me anyone who has 6 digit combination locks on their luggage.

1
0
Silver badge

Re: It's the combination an idiot has on his luggage

An idiot is someone who thinks a lock on his luggage provides some kind of security.

3
0
Silver badge

Busted accounts - does it really matter?

Most people only sign up to websites in order to gain access to the trough of free downloadable stuff. The account being the "deal with the devil": you get a 30 day trial of their product, they get to spam you to oblivion with offers, discounts and deals (none of which you ever had any intention of accepting).

Whether or not you have the integrity to supply true and valid log-in details is also debatable. If you simply regard a vendor's attempts to get into your inbox as an annoyance you could well have typed the first thing that came to mind - I expect that a significant number of these stolen accounts list Afghanistan as the country in users' addresses, for that very reason.

You'd hope that the level of security surrounding accounts is a step or several below the security that contains any credit card info (though there should never be any CC data that's not behind industrial strength protection). So the value of all these accounts, probably with multiple accounts for each trough-feeder, should be very small. Apart from having simple passwords - matching the value that individuals place on these accounts - I wonder how many "users" have equally simple names. Maybe most of the 1.9 million "123456" passwords were protecting "Mickey Mouse"'s account.

5
0
Silver badge

Re: Busted accounts - does it really matter?

Exactly. For sites that I want to use that need a login for no real reason, I lie and use crap passwords. For sites that store real information about me, I use secure passwords generated by a password manager.

8
0

eff off at real.com

Same happens at any site that forces you to create an account just to download an eval or to install.

Real Player used to need a username just to install.

0
0
Silver badge

Uh, hang on ...

Is Adobe trying to blame its users for Adobe's security issues?

That doesn't work, Adobe. Some of us have clues ...

0
0
Silver badge

Re: Uh, hang on ...

> Some of us have clues

Indeed. Like the 95.5% of users who didn't have a password in the top 100. But where's the story in that?

0
0

Re: Uh, hang on ...

>Indeed. Like the 95.5% of users who didn't have a password in the top 100. But where's the story in that?

Probably the same place where "123456" was 5% of the passwords on its own. The top 20 is 11.1% alone.

I will reserve judgement until I see a crack list. It would not surprise me if well over 50% are found. Then we can laugh at feeble attempts to make a password 'hard' and yet still crackable.

0
0
Silver badge

Azerty

I'm surprised Azerty is so high, that suggests there is a French keyboard for every 3 English ones, which seems unlikely.

3
0
Silver badge

Re: Azerty

> that suggests there is a French keyboard for every 3 English ones, which seems unlikely.

On a French keyboard you need the shift key to type numbers on the top row, so people end up using 'azerty' far more often than '123456', hence the apparent over-representation of 'azerty' compared to 'qwerty'.

5
0
Silver badge

Re: Azerty

I learned something today, thank you :)

Here, have a +1

0
0
Bronze badge

the trial products, etc

Though it's true that I bet the majority of those accounts are just crap accounts created to get the trial products, as previous OPs have pointed out, I think the real problem here is that Adobe is then extending their selling model to 'the cloud' using these same crap accounts.

So users who originally had an unwanted Adobe account they'd signed up to just to grab an eval of Photoshop are, 2 years later, now using the same account to control their monthly subscriptions to products with real money, etc.

What Adobe should have done imho is to have forced users to change passwords to meet more stringent password rules when they became 'real' accounts (with a credit card, etc).

I mean, let's face it, the fact you have to sign up to some crap account just to get an eval is annoying enough - the last thing you want is to then go through 10 hoops of 'sorry it needs to contain letters and numbers', 'sorry it can't contain username', etc, etc. You are likely to just FO and download GIMP.

4
0
Bronze badge

Just why would I be expected to take more care in crafting a password than Adobe exhibited in looking after it?

2
0

Perhaps you should take care crafting a password BECAUSE of the care that Adobe exhibited in looking after it.

3
1
Bronze badge

No special characters in the first 100 passwords?

Surprising, but maybe the highly-sophisticated Adobe password mechanism didn't allow them.

Good to see that liverpool came in at #73!

0
0
Silver badge

Re: No special characters in the first 100 passwords?

Is that up from last year?

1
0
Anonymous Coward

ioxG6CatHBw==

Loads of encrypted passwords in the 100 password file end in ioxG6CatHBw==

According to the xkcd explanation (yes I know it's a comic strip) this would signify a common end after the first 8 characters as they are hashed in 8 byte chunks.

However the passwords with that ending don't seem to have anything in common?

0
0
Anonymous Coward

Re: ioxG6CatHBw==

In fact, they do. Look at the length of the plain text.

ioxG6CatHBw== is telling you that the plaintext is exactly 8 characters and (literally) nothing more :-)

0
0
Silver badge

Re: ioxG6CatHBw==

Oh blimey, that's even less secure than I thought (not that I looked at it previously)

It means that the entire crackspace is only about 4Gbytes in total.

0
0
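The two technical points raised in this thread (salting defeats precomputed lookups, and ECB-mode encryption with 8-byte blocks leaks which passwords share a block, including the tell-tale "password is exactly 8 characters" final block) can be shown with a small script. This is an added example, not code from the thread, from Adobe, or from the xkcd explanation. It assumes a stand-in keyed block function in place of 3DES (HMAC truncated to 8 bytes; it is deterministic per key but not a real or invertible cipher, which is all the ECB repetition property needs), and the user records are constructed sample data.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

BLOCK = 8  # 3DES block size in bytes, the "8 byte chunks" mentioned in the thread


def pkcs5_pad(data: bytes) -> bytes:
    """PKCS#5 padding always appends 1..8 bytes, so an 8-character
    password gets a whole extra block consisting only of padding."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """ASSUMPTION: stand-in for a block cipher, NOT 3DES and not invertible.
    A deterministic keyed map of one 8-byte block to 8 bytes is enough to
    reproduce the ECB weakness: equal plaintext blocks -> equal ciphertext blocks."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt_password(key: bytes, password: str) -> str:
    """Unsalted ECB: pad, encrypt each block independently, base64 the result."""
    padded = pkcs5_pad(password.encode())
    blocks = (padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK))
    return base64.b64encode(b"".join(toy_block_encrypt(key, b) for b in blocks)).decode()


def ciphertext_blocks(b64: str) -> list:
    raw = base64.b64decode(b64)
    return [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]


def shared_block_report(records, min_count: int = 2) -> dict:
    """Group users by ciphertext block value. Under ECB with one key for
    every account, a block that recurs across users means those users'
    passwords share an 8-byte plaintext chunk (or share the padding-only block)."""
    seen = defaultdict(list)
    for user, b64 in records:
        for blk in ciphertext_blocks(b64):
            seen[blk.hex()].append(user)
    return {blk: users for blk, users in seen.items() if len(users) >= min_count}


def has_pad_only_final_block(key: bytes, b64: str) -> bool:
    """True when the final block is the encryption of eight 0x08 bytes,
    i.e. the password length is a multiple of 8 (the thread's ioxG6CatHBw== case)."""
    pad_block = toy_block_encrypt(key, bytes([BLOCK]) * BLOCK)
    return ciphertext_blocks(b64)[-1] == pad_block


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """The contrast: a salted, iterated one-way hash. The same password with
    different salts gives unrelated digests, so one precomputed table cannot
    be compared against every account at once."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed sample records (not real data); same key for every account, as described in the thread.
KEY = b"constructed-demo-key"
RECORDS = [
    ("alice", ecb_encrypt_password(KEY, "123456")),
    ("bob",   ecb_encrypt_password(KEY, "12345678")),
    ("carol", ecb_encrypt_password(KEY, "password")),
    ("dave",  ecb_encrypt_password(KEY, "12345678")),
    ("erin",  ecb_encrypt_password(KEY, "123456789")),
]

if __name__ == "__main__":
    for user, ct in RECORDS:
        print(f"{user:6} {ct}  8-multiple length: {has_pad_only_final_block(KEY, ct)}")
    for blk, users in shared_block_report(RECORDS).items():
        print(f"block {blk} shared by {users}")
    print(salted_hash("12345678", b"salt-a") != salted_hash("12345678", b"salt-b"))
```

Running it shows bob and dave with byte-identical ciphertexts (no salt, one key), a padding-only block shared by every 8-character password, and the "12345678" block shared by erin's 9-character password as well; the salted digests for the same password differ. As a defender's check, the same grouping run over a stored credential table is a quick way to confirm that passwords are not being kept reversibly in ECB mode.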

No Tad Williams fans?

There's a distinct lack of custard in there.

0
0
