I don't get it...
How did this alleged researcher obtain these numbers?
OK there was a security breach, but that wouldn't give access to the passwords; **no-one** stores passwords in plaintext.
So what's the deal with the statistics?
Adobe's security breach just got worse for the company and the world, after a security researcher revealed that 1.9 million of the company's customers use the string “123456” as their password. The researcher in question is Jeremi Gosney of the Stricture Group, whose Twitter profile claims The Reg has in the past labelled him a …
The passwords were not reversibly encrypted.
When you get hold of a large number of encrypted passwords you do not target an individual and attempt to crack their password.
What you do is encrypt commonly used passwords and compare them to all the accounts. Since he is a "password security expert" he probably has pre-generated rainbow tables of a dictionary (with salts) that would enable a rapid comparison to the passwords.
EDIT: Having just read the linked-to post, it appears that Adobe didn't use a one-way hash, but instead used symmetric key encryption with the same key for every account. This means that once the key is recovered then every password can be decrypted.
"OK there was a security breach, but that wouldn't give access the passwords; **no-one** stores passwords in plaintext."
Friendfinderinc.com do - and they've been hacked several times (including credit card data). The outfits that actually publicly admit they've been breached are few and far between even when there are criminal penalties for nondisclosure.
Whilst maintaining servers I've run across a number of "password protected" areas on websites where the passwords are plaintext in a subdirectory without adequate protection (ie, knowing the URL allows the file to be directly downloadable) and most of the time they're in trivially predictable locations.
There is _zero_ accountability for a "website programmer" (in most cases only 2 steps above "drooling simian") who pulls that kind of stunt. By the time it's discovered he (always a he) has pocketed the cash and is long gone - and price bears virtually zero relationship to actual quality (a lot of web cowboys charge well over the odds knowing that it fools "management" into thinking they're getting a quality product).
Presumably Adobe weren't quite so stupid, but the bare fact that the password table was obtainable AT ALL in any format is worrying (a well-run webserver queries an external box with provided credentials over a fully secured link and the external box says "yay" or "nay". Anything resident on the server itself should be regarded as being written on the back of a postcard.)
Isn't this password just something that allows the user to download stuff from Adobe?
In other words, isn't it that the password does not protect any user data, but just Adobe's ability to restrict access to its products?
If so, no wonder users use crap passwords. Assuming you crack my Adobe account, you already have my email, and therefore my name; what more information would you get from Adobe? (Assuming I even gave Adobe my real name)
I think you're giving a lot of people too much credit... said adobe password and registered email may very well get you into many other accounts owned by the same person.
I've been guilty of that in the past, I had the same password on pretty much every site I registered on. Then, one site got hacked and I realised how silly I'd been and had to spend a whole evening frantically inventing unique passwords. I can't be the only silly person out there!
It's not that much of a problem, IMHO. By no means do I have unique passwords for every site I have a login for (it would be nice though, but I'm only human) - however, I use the same 2-3 passwords and 3-4 usernames for all my forum-level activities, two different ones for those handful (<5) major money-related sites like Paypal etc. and a globally unique, fairly hard one for my mail account (which can be used to retrieve most other IDs and it's tied to way too many things to afford to lose it, in general). AC, obviously, because why tempt fate unnecessarily... :P
It's a fair point, but I still use a single password for unimportant crap like this, and better unique ones for email/paypal etc. If the reg ever gets hacked you may use my details to log into all manner of other online forums and post whatever you wish.
As an aside, it would be interesting for the reg to aggregate all the passwords used for this site to see how many are 1337 or similar.
I use a standard password combined with a simple system for generating extra letters from the site I'm accessing. For instance, something along the lines of
first 5 letters of password + last 3 letters of domain name + number of letters in domain name + last 3 letters of password
Unique per site and a piece of piss to remember. Why doesn't everyone do this? (I really mean that. This being El Reg, I bet there's a security expert here who can tell me why this is actually a bad idea.)
Easily? My core password is made up of the initials of a memorable sentence. So something more like "IttsLOter11wtb". Would it really be that obvious?
Besides, we're comparing this to loads of other people on here who are saying they have, say, one password for unimportant sites and another for high-security stuff. My system is surely better than that?
(Sod's Law, I'm bound to get hacked now.)
> Unique per site and a piece of piss to remember. Why doesn't everyone do this? (I really mean that. This being El Reg, I bet there's a security expert here who can tell me why this is actually a bad idea.)
Actually, that technique is recommended by some experts. (I know one of my IT-security books describes something like it, but I'm not inclined to skim them looking for the reference, so you'll have to take my word for it.) Like any security measure, it's a trade-off: you reduce the entropy of your passwords a bit, but make them much easier to remember, which narrows or prunes other branches of the attack tree. (Hard-to-remember passwords are a loss-of-service threat, and are often recorded, which creates another vulnerability, etc.)
So under a reasonable threat model you could very plausibly evaluate your scheme as an overall improvement in your security.
Indeed, I often used to hear from my other half "Oh Christ, Adobe wants my user password to download and it won't take the last one again! Better set up yet another account!"
I think at last count she had 6 or more.
Even I have three (maybe) and I don't use any of their stuff. Don't ask me what the passwords are, but nothing amazing. The details in them are all bogus...mail @mail.com anyone?
So if Adobe says they have for example 50 million accounts that's possibly only 5 million actual users.
But how many users use the same password for multiple accounts? A lot of those users probably have the same password for their email, which then allows the hackers a view into a whole lot more, perhaps which bank they deal with, credit cards, and all other sorts of valuable personal information.
Agreed. I had an Adobe account with a password relatively high on that list (although not in the top 25 or so). I'll commonly use a rather pathetic password on accounts that don't matter, but use a much more unique one on accounts where things are actually at stake. With virtually every site and service requiring a password these days, it's ridiculous to think people are going to come up with intricate and unique passwords on every one.
Of course, this isn't to excuse Adobe for the negligence with which they stored and secured their customers' information. This is yet another reason I will absolutely not subscribe to their SAS licensing scam... errr... scheme and hand over my financial information to them directly.
Most people only sign up to websites in order to gain access to the trough of free downloadable stuff. The account being the "deal with the devil": you get a 30 day trial of their product, they get to spam you to oblivion with offers, discounts and deals (none of which you ever had any intention of accepting).
Whether or not you have the integrity to supply true and valid log-in details is also debatable. If you simply regard a vendor's attempts to get into your inbox as an annoyance you could well have typed the first thing that came to mind - I expect that a significant number of these stolen accounts list Afghanistan as the country in users' addresses, for that very reason.
You'd hope that the level of security surrounding accounts is a step or several below the security that contains any credit card info (though there should never be any CC data that's not behind industrial strength protection). So the value of all these accounts, probably with multiple accounts for each trough-feeder, should be very small. Apart from having simple passwords - matching the value that individuals place on these accounts - I wonder how many "users" have equally simple names. Maybe most of the 1.9 million "123456" passwords were protecting "Mickey Mouse"'s account.
> Indeed. Like the 95.5% of users who didn't have a password in the top 100. But where's the story in that?
Probably the same place where "123456" was 5% of the passwords on its own. The top 20 is 11.1% alone.
I will reserve judgement until I see a crack list. It would not surprise me if well over 50% are found. Then we can laugh at feeble attempts to make a password 'hard' and yet still crackable.
> that suggests there is a French keyboard for every 3 English ones, which seems unlikely.
On a French keyboard you need the shift key to type numbers on the top row, so people end up using 'azerty' far more often than '123456', hence the apparent over-representation of 'azerty' compared to 'qwerty'.
Though it's true that I bet the majority of those accounts are just crap accounts created to get the trial products, as previous OPs have pointed out, I think the real problem here is that Adobe is then extending their selling model to 'the cloud' using these same crap accounts.
So users who originally had an unwanted Adobe account they'd signed up to just to grab an eval of Photoshop are, 2 years later, now using the same account to control their monthly subscriptions to products with real money, etc.
What Adobe should have done imho is to have forced users to change passwords to meet more stringent password rules when they became 'real' accounts (with a credit card, etc).
I mean, let's face it, the fact you have to sign up to the same crap account just to get an eval is annoying enough - the last thing you want is to have to then go through 10 hoops of 'sorry it needs to contain letters and number', 'sorry it can't contain username', etc, etc - you are likely to just FO and download GIMP.
Loads of encrypted passwords in the 100 password file end in ioxG6CatHBw==
According to the xkcd explanation (yes I know it's a comic strip) this would signify a common end after the first 8 characters as they are hashed in 8 byte chunks.
However the passwords with that ending don't seem to have anything in common?
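The "common end" this post and the earlier EDIT (one key for every account) are circling around is the classic ECB property: with a single key and no chaining, identical plaintext blocks encrypt to identical ciphertext blocks, and every 8-character password ends in the same all-padding block. The script below is an added illustration, not code from the thread or from Adobe; it uses a keyed hash (hypothetical `encrypt_block`) as a stand-in for a real 8-byte block cipher and a constructed sample dump, so it shows the mechanism rather than Adobe's actual ciphertexts.

```python
import base64
import hashlib
from collections import defaultdict

BLOCK = 8  # 8-byte blocks, matching the "8 byte chunks" in the post
SITE_KEY = b"one-key-for-every-account"  # constructed: a single site-wide key

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # always adds at least one byte
    return data + bytes([n]) * n

def encrypt_block(block: bytes) -> bytes:
    # Hypothetical stand-in for a real 8-byte block cipher: a keyed PRF.
    # The only property used here is same key + same block => same output.
    return hashlib.sha256(SITE_KEY + block).digest()[:BLOCK]

def ecb_encrypt(password: str) -> str:
    """Encrypt block by block with no chaining (ECB) and base64 the result."""
    padded = pkcs7_pad(password.encode())
    blocks = [encrypt_block(padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK)]
    return base64.b64encode(b"".join(blocks)).decode()

def users_sharing_block(records, position):
    """Group usernames whose stored ciphertext has an identical block at
    `position` (0 = first block, -1 = last block). Returns {hex block: [users]}
    for every block value shared by more than one account."""
    groups = defaultdict(list)
    for user, ct_b64 in records:
        ct = base64.b64decode(ct_b64)
        chunks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        groups[chunks[position].hex()].append(user)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample dump: (username, stored ciphertext) pairs
SAMPLE_DUMP = [(u, ecb_encrypt(p)) for u, p in [
    ("alice", "123456"), ("bob", "123456"),        # identical ciphertexts
    ("carol", "password"), ("dave", "password1"),  # same first block
    ("erin", "iloveyou"), ("frank", "trustno1"),   # 8 chars: same padding-only last block
    ("grace", "correct horse battery"),
]]

if __name__ == "__main__":
    for pos, label in ((0, "first"), (-1, "last")):
        for blk, users in users_sharing_block(SAMPLE_DUMP, pos).items():
            print(f"shared {label} block {blk}: {users}")
```

The last-block grouping puts "password", "iloveyou" and "trustno1" together purely because all three are 8 characters long, which is why accounts sharing a ciphertext tail need not share anything visible in the password itself; a per-user salted one-way hash would give every one of these accounts a different stored value.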
While we're at it:
Passwords are a terrible authenticator. Passphrases aren't perfect, but they're much better.
Any modern web application that doesn't permit passphrases is crap, written by lazy fools who can't be bothered to learn their craft.
In fact, when it comes to indesign or acrobat, you can download the trial, hack out the DRM and use it for free or download gimp and inkscape - no DRM to remove.
Guess what? Apparently, a great number of numpties prefer downloading over-bloated, unstable pieces of junk and hacking out the DRM to using sensible free alternatives ... go figure ... then you wonder why they use silly passwords? I don't ...
In fact, Inkscape does a much better job than InDesign or Acrobat at producing publishing-worthy PDFs or EPSs.
As for registering for a trial ???? WTF ? Has nobody here heard of the FTP protocol ????? Try this in Internet Explorer (if you are reading these instructions, you must be using that browser):
FTP://FTP.adobe.com
or
ftp://ftp.adobe.com/pub/adobe/cs6/downloads/
Ouch, I know ....
No seriously ... leave the industry ....
Maybe it does, but I prefer not to have to use an ancient X11 interface from the 1990s to design them on my Mac, thanks very much.
You are using a DM from the 80s, how is that any better?
Windows is a 64 bit hack atop a 32 bit extension and a graphical shell on top of a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can't stand 1 bit of competition.
Ohhh, sorry .. I forgot, "recent" (as in less than a year old) versions of your favorite DM can be 0wn3d by an app with a specially crafted "icon" property, how f'ed up is that? No, you do not even have to open said file, simply display the folder it resides in ... which may be some file share.... ROFL
Gosney's analysis (and Troy Hunt's prior work on the Sony passwords) does give us an insight into something that normally is not seen, namely the sorts of passwords the general public are actually using, and hence the extent to which people have been taking note of the various security advisories etc.
One fact I find interesting is that Gosney isn't admitting to using the 130M passwords to try and deduce the keys that Adobe used. I'm sure a botnet operator out there would be willing to provide the necessary CPU time...
Between having to provide a login/passwd to download free stuff and doing so for something which might actually cost you money personally.
I've long suspected that people use the same login/pass pair for sites they don't really give a rats arse about - which is why corporate security is so lax.
Humans are actually very good at managing access to things they care about(*). The hard part is making them care.
(*) For example, those funny pieces of paper with the Queen's face on them that are sitting in your wallet.
"Humans are actually very good at managing access to things they care about."
Well, some of the things. I suspect that many will not have given too much thought to the value of the virtual "pieces of paper with the Queen's face on" that reside on their Nectar card that may also be sitting in the wallet, even though they are good at ensuring points are credited to the card.