System hit was not protected by traditional best practices, used 3DES instead

Researchers have revealed, and Adobe has confirmed, that the millions of passwords stolen during the breach in October were not stored according to industry best practices. Instead of being hashed, the passwords were encrypted, which makes things easier for those looking to recover them.

[Source code and 2.9 million accounts raided by attackers in Adobe breach]

In a statement to CSO, confirming details revealed by Ars Technica on Friday, Adobe says that the passwords stolen during the breach in October were not hashed, as many had originally assumed, but encrypted, meaning that Adobe engineers were (at one time) not following best practices for password storage.

For password storage and protection, the general best practice is to use an algorithm designed for the job, the top options being bcrypt, scrypt, or PBKDF2. A salted SHA-2 digest is far better than reversible encryption, but SHA-2 on its own is designed to be fast, so it only approaches the strength of the purpose-built options when it is iterated many times, which is what PBKDF2 does. The reason for using such algorithms is that they are deliberately expensive to compute, so every guess in a brute-force or dictionary attack costs the attacker real time and hardware. A long, per-user salt adds to that: it makes precomputed tables useless, and it means two users with the same password produce different stored values, so each account has to be attacked separately. The result is what is commonly known as a salted hash. When passwords are not properly hashed, any organization being graded against the OWASP Top 10 will immediately run afoul of item A6, Sensitive Data Exposure.

Adobe says that it has followed best practices for password storage and protection for more than a year now, as its authentication systems were upgraded to use SHA-256, with salt, to protect customer passwords. However, that upgraded system was not what the attackers hit. "This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. 
The system involved in the attack used Triple DES encryption to protect all password information stored," Adobe spokesperson Heather Edell told CSO.

Using Triple DES (3DES) to protect passwords goes against best practice because encryption is reversible by design: whoever obtains the key recovers every password in the database at once, whereas a hash has to be cracked one guess at a time. Attacking 3DES directly is not easy, so Adobe's choice has not made things convenient for those trying to recover the stolen list, but it has not made it impossible either, and the way the cipher was used leaks information even to someone who never gets the key.

[Stolen Adobe account data goes public, Photoshop source code breached]

Already, passive examination of the list of more than 130 million Adobe accounts has turned up some interesting data. Jeremi Gosney, from Stricture Consulting Group, was able to compile a Top 100 list of common passwords thanks to several key properties of the dump.

"We do not (yet) have the keys Adobe used to encrypt the passwords of 130,324,429 users affected by their most recent breach. However, thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint, this is not preventing us from presenting you with this list of the top 100 passwords selected by Adobe users," Gosney wrote.

Each of those properties matters. In ECB mode every 8-byte block is encrypted independently under the same key, so identical passwords produce identical ciphertexts and can simply be counted, the length of the ciphertext gives the length of the password to within a block, and once a single password is known from its hint, the encryption of every block it contains is known too and can be spotted inside other users' ciphertexts.

According to the Top 100 list, nearly 1.9 million accounts used '123456' as their password, with more than 440,000 accounts opting for '123456789' instead. After that, 'password', 'adobe123' and '12345678' rounded out the top five.

Based on the list, many of the accounts exposed during the breach likely used a throwaway password, on the basis that the Adobe account wasn't important.
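To show concretely what those properties give an attacker, the following is an added example, not code from the original article or from Gosney's analysis. It builds a small constructed dump of 14 accounts in a layout loosely modelled on the leaked file, encrypts every password in ECB mode under one key, and then analyses the dump the way someone without the key can: it counts identical ciphertexts to rank popular passwords, bounds each password's length from its ciphertext length, labels a ciphertext when several users' hints agree on a word of a consistent length, and reuses every block of a labelled password to partially decrypt other users' ciphertexts. 3DES itself is replaced by a keyed PRF truncated to 8 bytes so the script runs on a bare Python install; ECB analysis depends only on the cipher being deterministic, so the attack side is unchanged. PKCS#7 padding, the key, the accounts, the hints and the file layout are all assumptions.

```python
import base64
import hashlib
import hmac
from collections import Counter, defaultdict

BLOCK = 8  # 3DES block size in bytes

# Stand-in for the single server-side key (assumed). The analysis functions
# below never read it; that is the point of the exercise.
SERVER_KEY = b"one key for every user"


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one 3DES block encryption: HMAC-SHA256 truncated to 8 bytes.
    ECB analysis relies only on the cipher being deterministic per (key, block)."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB mode: each block is encrypted independently under the same key."""
    padded = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


# Constructed sample accounts: (uid, email, password, hint).
SAMPLE_RECORDS = [
    (1, "a@example.com", "123456", "numbers"), (2, "b@example.com", "123456", "123456"),
    (3, "c@example.com", "123456", "it is 123456"), (4, "d@example.com", "123456", ""),
    (5, "e@example.com", "123456", "123456"), (6, "f@example.com", "123456", "same as always"),
    (7, "g@example.com", "password", "password"), (8, "h@example.com", "password", "the usual"),
    (9, "i@example.com", "password", "password"), (10, "j@example.com", "password", ""),
    (11, "k@example.com", "adobe123", "adobe123"), (12, "l@example.com", "adobe123", "adobe123 lol"),
    (13, "m@example.com", "password1", "usual plus one"),
    (14, "n@example.com", "correcthorsebattery", "xkcd"),
]


def build_dump(records, key):
    """Render records as '-|-' separated lines, loosely modelled on the leaked layout."""
    return [f"{uid}-|--|-{email}-|-{base64.b64encode(ecb_encrypt(key, pw.encode())).decode()}-|-{hint}|--"
            for uid, email, pw, hint in records]


def parse_dump(lines):
    entries = []
    for line in lines:
        assert line.endswith("|--")
        uid, _user, email, ct_b64, hint = line[:-3].split("-|-")
        entries.append({"uid": uid, "email": email, "ct": base64.b64decode(ct_b64), "hint": hint})
    return entries


def length_range(ct: bytes):
    """With PKCS#7 padding an n-block ciphertext holds 8(n-1) .. 8n-1 password bytes."""
    n = len(ct) // BLOCK
    return BLOCK * (n - 1), BLOCK * n - 1


def label_from_hints(cluster):
    """Label a cluster when two or more users put the same length-consistent word in their hint."""
    lo, hi = length_range(cluster[0]["ct"])
    words = Counter(w for e in cluster for w in set(e["hint"].split()) if lo <= len(w) <= hi)
    if words:
        word, n = words.most_common(1)[0]
        if n >= 2:
            return word
    return None


def analyze(entries):
    clusters = defaultdict(list)          # identical password -> identical ciphertext
    for e in entries:
        clusters[e["ct"]].append(e)
    labels = {ct: w for ct, c in clusters.items() if (w := label_from_hints(c))}

    # Every labelled password reveals the encryption of each 8-byte block it contains,
    # and those blocks recur verbatim in other users' ciphertexts.
    known_blocks = {}
    for ct, pw in labels.items():
        padded = pkcs7_pad(pw.encode())
        for i in range(0, len(padded), BLOCK):
            known_blocks[ct[i:i + BLOCK]] = padded[i:i + BLOCK]

    partial = {}                          # best guess for every still-unlabelled ciphertext
    for e in entries:
        ct = e["ct"]
        if ct in labels:
            continue
        pieces = []
        for i in range(0, len(ct), BLOCK):
            pt = known_blocks.get(ct[i:i + BLOCK])
            pieces.append(pt.rstrip(bytes(range(1, 9))).decode() if pt else "?" * BLOCK)
        partial[e["email"]] = "".join(pieces)

    top = [(labels.get(ct, base64.b64encode(ct).decode()), len(c))
           for ct, c in sorted(clusters.items(), key=lambda kv: -len(kv[1]))]
    return {"top": top, "labels": labels, "partial": partial}


def run_demo():
    dump = build_dump(SAMPLE_RECORDS, SERVER_KEY)   # what the attacker obtained
    return analyze(parse_dump(dump))                 # what the attacker can do with it


if __name__ == "__main__":
    result = run_demo()
    for pw, n in result["top"]:
        print(f"{n:3d}  {pw}")
    for email, guess in result["partial"].items():
        print(f"{email}: {guess}")
```

Swapping `block_encrypt` for a real 3DES-ECB call (pycryptodome's `DES3.new(key, DES3.MODE_ECB).encrypt`) changes nothing on the analysis side, which is the point: the ranking, the length bounds and the block-by-block partial recovery never need the key, and only a per-user salt or a randomised mode would have broken the equality that makes them work.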
However, people are creatures of habit, and the fear is that password reuse could be an issue given that email addresses were also exposed.

If you'd like to check whether your email address is in the list of compromised Adobe data currently circulating online, you can go here to do so. As a rule, if your email was exposed, change your passwords and be skeptical of any communications referencing the Adobe breach.
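For contrast with the encrypted store described above, here is the salted, iterated hashing the article calls best practice, as an added example using only Python's standard library. It is not Adobe's code (the article gives no detail of Adobe's upgraded system beyond "SHA-256, with salt"); PBKDF2-HMAC-SHA256 is used because hashlib ships it, and the iteration count, salt length and record format are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters: a random 16-byte salt per user and an iteration count in the
# hundreds of thousands, so each guess costs the attacker the work it costs the server.
ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def distinct_records(passwords):
    """Number of distinct stored values a list of passwords produces.

    Under ECB with one key this equals the number of distinct passwords, which is
    what makes frequency counting of a stolen store possible; with a per-user salt
    it equals the number of users, so identical passwords are invisible in the dump.
    """
    return len({hash_password(p) for p in passwords})


if __name__ == "__main__":
    record = hash_password("123456")
    print(record)
    print(verify_password("123456", record), verify_password("1234567", record))
    print(distinct_records(["123456", "123456", "password"]))
```

Storing the iteration count inside the record lets it be raised later without invalidating old entries: on a successful login with an old count, rehash and overwrite. The constant-time comparison is not optional; `==` on the digests leaks, byte by byte, how much of a guess was right.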