Researchers have revealed, and Adobe has confirmed, that the millions of passwords stolen during the breach in October were not originally stored according to industry best practices. Instead of being hashed, the passwords were encrypted, which could make things a little easier for those looking to crack them.
In a statement to CSO, confirming details revealed by Ars Technica on Friday, Adobe says that the passwords stolen during the breach in October were not hashed, as many had originally assumed, but encrypted, meaning that Adobe engineers were (at one time) not following best practices for password storage.
For password storage and protection, the general best practice is to use an algorithm designed for password protection, the top options being bcrypt, scrypt, PBKDF2, or SHA-2. The reason for using such algorithms for password protection is the fact that, when implemented, they make brute-force cracking attempts nearly impossible. The difficulty is compounded when they are hashed with a long, per-user salt — creating what is commonly known as a salted hash. In fact, when passwords are not properly hashed, any organization being graded against the OWASP Top 10 will immediately run afoul of item A6, Sensitive Data Exposure.
Adobe says that they've followed best practices for password storage and protection for more than a year now, as their authentication systems were upgraded to use SHA-256, with salt, to protect customer passwords. However, this upgraded system was not what the attackers hit.
"This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored," Adobe spokesperson, Heather Edell told CSO.
The use of Triple DES (3DES) to protect passwords goes against traditional best practices because, depending on how the passwords are encrypted, an attacker who can guess the key can recover the passwords outright. However, attacking 3DES directly isn't easy, so while Adobe's methods haven't made things terribly convenient for those attempting to crack the stolen list of passwords, they haven't made it impossible either.
Already, passive examination of the list, which holds more than 130 million Adobe accounts, has turned up some interesting data. Jeremi Gosney, from Stricture Consulting Group, was able to compile a Top 100 list of common passwords thanks to several key properties of the data.
"We do not (yet) have the keys Adobe used to encrypt the passwords of 130,324,429 users affected by their most recent breach. However, thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint, this is not preventing us from presenting you with this list of the top 100 passwords selected by Adobe users," Gosney wrote.
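The property Gosney describes, that one shared key and ECB mode make equal passwords produce equal stored values, can be shown without any key at all. The following is an added example, not code from Adobe or from Gosney's analysis; the 24-byte key, the per-user salts and the five-user "dump" are constructed placeholders. It contrasts the weak 3DES-ECB design with the salted SHA-256 storage Adobe says its upgraded system uses:

```go
package main
import (
	"crypto/des"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
var demoKey = []byte("0123456789abcdefghijklmn") // constructed 24-byte demo key, not Adobe's
// EncryptECB mirrors the weak design: 3DES-ECB under one shared key,
// zero-padded to the 8-byte block size, every block encrypted independently.
func EncryptECB(key, pw []byte) string {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	n := (len(pw) + 7) / 8 * 8
	padded, out := make([]byte, n), make([]byte, n)
	copy(padded, pw)
	for i := 0; i < n; i += 8 {
		block.Encrypt(out[i:i+8], padded[i:i+8])
	}
	return hex.EncodeToString(out)
}
// SaltedHash is the per-user-salt design Adobe said its upgraded system uses;
// equal passwords stop producing equal stored values.
func SaltedHash(salt, pw []byte) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return hex.EncodeToString(h[:])
}
// CountEqual returns the size of the largest group of identical stored values;
// with deterministic encryption this frequency table needs no key at all.
func CountEqual(stored []string) int {
	counts, best := map[string]int{}, 0
	for _, s := range stored {
		if counts[s]++; counts[s] > best {
			best = counts[s]
		}
	}
	return best
}
func main() {
	users := []string{"123456", "hunter2", "123456", "adobe123", "123456"} // constructed
	var ecb, hashed []string
	for i, pw := range users {
		ecb = append(ecb, EncryptECB(demoKey, []byte(pw)))
		hashed = append(hashed, SaltedHash([]byte(fmt.Sprintf("salt-%d", i)), []byte(pw)))
	}
	fmt.Println("3DES-ECB, shared key: largest cluster =", CountEqual(ecb)) // 3
	fmt.Println("salted SHA-256: largest cluster =", CountEqual(hashed))    // 1
}
```

The cluster count is the whole point: a defender reviewing a password store should treat any scheme where two users with the same password get the same stored value as a finding, regardless of how strong the cipher is.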
According to the Top 100 list, nearly 1.9 million accounts used '123456' as their password, with more than 440,000 accounts opting to go with '123456789' instead. After that, 'password', 'adobe123' and '12345678' rounded out the top five.
Based on the list, many of the accounts exposed during the breach likely used a throwaway password, on the basis that their Adobe account wasn't important. However, people are creatures of habit, and the fear is that password recycling could be an issue given that email addresses were also exposed.
If you'd like to check and see if your email address is in the list of compromised Adobe data currently circulating online, you can go here to do so. As a rule, if your email was exposed, change your passwords and be skeptical of any communications referencing the Adobe breach.