A-DOH!-BE hack: Facebook warns users whose logins were spilled Facebook is using a list of hacked Adobe accounts posted by the miscreants themselves to warn its own customers about password reuse. The social network mined data leaked as the result of the recent breach at Adobe in an effort to provide timely warnings and prompt its users to secure their accounts. Facebook users who used …
Coincidentally, I did get a spam purporting to be from FaecesBook to the address I use for Adobe today - but it wasn't of that sort - it was just a bog standard phish to get log-in details:
"You haven't been to Facebook for a few days, and a lot happened while you were away.
Your messages will be deleted soon"
We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.
Why go through all that effort? Why not implement a simple filter to enforce some minimum strength requirements and force a password reset? It's a bit of a hassle for their product account holders, but it will let them all know they are all being protected while being a lot easier to implement and understand than their current plan. Better yet, develop a secure password-free system. Facebookers would really appreciate it and it could be resold externally.
That won't catch password reuse.
You could have a really good password that meets all the relevant criteria* imposed by IT overlords to secure the system, but if it is reused across other systems, and they get compromised, its game over.
Its something they will probably do with any hacked lists of passwords that come out.
*Passwords must contain a lower case letter, an upper case letter, a number, a symbol, a hieroglyphic a haiku, an odour, a directional force, a gang symbol, a heart warming story and the blood of a virgin**
**used to be blood of a unicorn, but this is harder to come by ***
***except among WoW players
That won't catch password reuse.
Well, yes this is true, but for those that it does not catch, it is likely to be irrelevant. From the description given of the original hack, adding passwords to a rainbow table is likely to be profitable only up to a point. Those people with the most commonly used passwords are both most likely to re-use their passwords and to use very weak passwords. As I mentioned above, adding a simple set of rules (to include occasionaly mandatory resets) will eliminate the vast majority of these without having to go through the process described as needed to avoid duplicates. It will also raise awareness of the issue and increase the overall security of all FB accounts. Simply matching a single user's passwords across accounts will not prevent that user from switching between equally weak but unique passwords.
Yes, password re-use can be a problem, but it is not the problem. It might sound as though it is, and it is a contributing factor in this case, but the underlying issues are lack of education and motivation at the user level and the treatment of security as an afterthought at the admin level.
The problem is password management. Let's face it, we have dozens, if not hundreds of passwords now. Every product site, forum, *aaS, desktop, server, social network, game, &c all require passwords. And aside from centralized models like AD, NDS or others where once is for all they -should- all be unique. There have bee books and articles by the truckload for years going on about how passwords are bad security. And they are. However, nobody has really come up with a practical (ie: cost effective, standards based, implementable on every device ever) alternative. The only alternatives that seem viable are all in distopian, 1984-esque, future movies. Massive globe spanning mega-corps that hold everything and people simply consume. It's headed that way, but we've got some competition to crush before someone comes out on top.
Get chipped early.
I had an Adobe account to post a problem in their forum.
False personal details tendered. Throwaway email address with a random user name (used once for that account only). Random password of 12 characters blindly typed on my keyboard and then copied and pasted.
Do I care that it's been compromised?! NO!
Have I done the same with this account!? I work for a company with over 200000 employees!!
And today (November 20) Adobe sent me a mail notification that my password had been reset, complete with "click here" links and the invitation to enter my new password.
I know that phishing email can look exactly like real email from your bank. This is the first time I've seen real email from a supplier that looks exactly like phishing mail.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
