The breaches of Adobe’s databases, uncovered by Hold Security and publicized by security journalist Brian Krebs, have continued to have significant impacts well beyond the company itself. In addition to the public release of large amounts of source code for flagship Adobe products such as ColdFusion and Acrobat, the usernames, encrypted passwords and password hints of upwards of 150 million users were exposed. This exposure is especially problematic because, instead of storing a one-way hash with an individual salt per user (the industry-standard method of protecting password data in a database), Adobe encrypted the passwords with Triple DES in ECB mode, using a single key for the entire database. With no salt, no IV and no chaining between blocks, identical passwords always produce identical ciphertext, and identical 8-byte blocks produce identical ciphertext blocks even when the rest of the password differs. What this means is that anyone with a copy of the dump can sort by the encrypted password to find groups of users who chose the same password, then read the password hints of everyone in the group together: one unambiguous hint (or one user whose password is already known) gives away the password of the whole group, and a shared first block gives away the first eight characters of every password that starts the same way.
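To make the failure mode concrete, here is an added example (not code from the original post, and not Adobe's code) that builds a small constructed "dump" of the same shape as the leaked one, then runs the grouping attack against it without ever using the key. The block cipher is a stand-in: an HMAC-based keyed function over 8-byte blocks, which is not 3DES and is not even invertible, but it shares the property that matters here, that one site-wide key with no salt or IV maps equal blocks to equal ciphertext. The usernames, passwords, hints, key and padding scheme are all constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8  # 3DES block size in bytes

# Constructed site-wide key. In the real breach the key was not needed to run
# the grouping attack, and this script never uses it on the attacker side.
SITE_KEY = b"constructed-site-wide-key"


def pad(pw: bytes) -> bytes:
    """Zero-pad to a multiple of the block size (assumed padding scheme)."""
    return pw + b"\x00" * (-len(pw) % BLOCK)


def ecb_encrypt(pw: str, key: bytes = SITE_KEY) -> bytes:
    """Stand-in for 3DES-ECB: each 8-byte block is transformed independently
    under the same key, so equal blocks give equal ciphertext blocks."""
    data = pad(pw.encode())
    out = b""
    for i in range(0, len(data), BLOCK):
        out += hmac.new(key, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
    return out


# Constructed sample records of the form (username, password, hint).
USERS = [
    ("alice", "password1", "the usual"),
    ("bob", "password1", "pass + 1"),
    ("carol", "password1", ""),
    ("dave", "sunshine", "weather"),
    ("erin", "sunshine", "song"),
    ("frank", "password123", "pass + numbers"),
    ("grace", "Tr0ub4dor&3", "xkcd"),
]


def build_dump(users=USERS):
    """What the attacker holds: (username, ciphertext, hint), no plaintext."""
    return [(u, ecb_encrypt(pw), hint) for u, pw, hint in users]


def group_by_ciphertext(dump):
    """Sort users into groups that share an identical encrypted password;
    every hint in a group describes the same secret."""
    groups = defaultdict(list)
    for user, ct, hint in dump:
        groups[ct].append((user, hint))
    return groups


def shared_first_blocks(dump):
    """ECB leaks block boundaries: users whose first ciphertext block matches
    share the first 8 characters of their password, whatever follows."""
    blocks = defaultdict(set)
    for user, ct, _ in dump:
        blocks[ct[:BLOCK]].add(user)
    return {b: sorted(u) for b, u in blocks.items() if len(u) > 1}


def propagate(dump, known):
    """known: {user: plaintext} learned out of band (own account, an
    unambiguous hint). Returns {user: recovered text}, with '?' for blocks
    still unknown. No key is needed; only ciphertext equality is used."""
    ct_of = {user: ct for user, ct, _ in dump}
    block_map = {}
    for user, pw in known.items():
        data, ct = pad(pw.encode()), ct_of[user]
        for i in range(0, len(ct), BLOCK):
            block_map[ct[i:i + BLOCK]] = data[i:i + BLOCK]
    recovered = {}
    for user, ct, _ in dump:
        parts = []
        for i in range(0, len(ct), BLOCK):
            blk = block_map.get(ct[i:i + BLOCK])
            parts.append(blk.rstrip(b"\x00").decode() if blk else "?" * BLOCK)
        recovered[user] = "".join(parts)
    return recovered


def salted_hash(pw: str):
    """The industry-standard alternative: a slow hash with a per-user salt."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def salted_same_password_collides(pw: str) -> bool:
    """With per-user salts two users with the same password store different
    values, so the grouping attack above has nothing to group on."""
    return salted_hash(pw)[1] == salted_hash(pw)[1]


if __name__ == "__main__":
    dump = build_dump()
    for ct, members in group_by_ciphertext(dump).items():
        if len(members) > 1:
            print(ct.hex(), members)
    print(propagate(dump, {"alice": "password1"}))
```

Running it shows alice, bob and carol collapsing into one group whose pooled hints ("the usual", "pass + 1") point at a single password, frank sharing his first block with that group and therefore leaking "password" as his first eight characters, and `salted_same_password_collides` returning False because the salted scheme gives the attacker no equal values to sort on.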
One tempting thought is that, once enough plaintext passwords are known, a “known plaintext attack” could recover the Triple DES key and expose the rest of the database. In practice it cannot: Triple DES has no known-plaintext weakness that brings the key within reach, and even a large pile of password/ciphertext pairs leaves an attacker facing a brute-force search far beyond practical computing. The more realistic concern is that the original intruders obtained the key directly from Adobe’s systems, given that they successfully overcame many other security controls within Adobe’s network. That would release an unprecedented number of in-use passwords into the public domain, but even without the key, the inclusion of password hints alongside identically encrypted passwords has already exposed millions of users to having their passwords worked out. Beyond the individual accounts, the release of so many organically chosen passwords means that password crackers now have far richer material for their attack dictionaries and rule sets, further improving their position against login security everywhere.
Of course, after the breach Adobe required all users of its site and services to change their passwords. However, since so many people reuse passwords and login credentials across multiple sites, Adobe is not the only provider that has had to deal with the results of its truly epic blunder. Facebook, Diapers.com and Soap.com have already analyzed the breach and informed users who were using the same login credentials on Adobe that their accounts should be considered compromised and that they must change their passwords.
This incredible security failure has inspired well-deserved derision within the computing world, with the webcomic XKCD describing the dump as “The Greatest Crossword Puzzle in the History of the World”.
Dan Gifford – MCySec Media Manager