Anatomy of a password disaster – Adobe’s giant-sized cryptographic blunder

Sophos’ deciphering of the unforgivable security methods used by Adobe in one of the largest consumer-facing security breaches in human history. Adobe argues that this stolen database was on an obsolete server due to be decommissioned, which still doesn’t explain why 35-year-old security methods were being used. Undoubtedly, a large number of passwords and personal details would still be current, not to mention that Adobe’s claims contradict each other.

Adobe claims 38 million accounts were compromised (vs the 150 million that Sophos counted in the actual dump itself), and that all affected accounts have already been notified. Except they haven’t: I’ve received nothing, yet my (valid) e-mail address is one of the accounts that was in the hack. From Adobe, more nonsense: the only accounts not notified were “many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data”.

I grew up with Adobe products, but things like this are annoying. More so than this guy.

With very little effort, we have already recovered an awful lot of information about the breached passwords, including: identifying the top five passwords precisely, plus the 2.75% of users who chose them; and determining the exact password length of nearly one third of the database.
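To show why a reversible, unsalted, ECB-mode password store leaks exactly the kind of information quoted above, here is an added illustration that is not from the post or from Sophos’ analysis. The block cipher is a constructed HMAC-based Feistel stand-in with the 8-byte block size of DES/3DES, and the user/password dump is constructed sample data; the analysis works from ciphertext alone, and the last function shows the salted, slow-hash alternative that leaks none of it.

```python
import hashlib, hmac, os
from collections import Counter, defaultdict
BLOCK = 8  # 64-bit blocks, the block size DES/3DES work on

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key, block):
    # Constructed stand-in for a 64-bit block cipher: a 4-round Feistel network with
    # HMAC-SHA256 as round function. Not DES/3DES; only the 8-byte block structure matters.
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, rnd, r)))
    return l + r

def ecb_encrypt_password(key, password):
    # Reversible, unsalted ECB "protection": PKCS#5 padding, one site-wide key, blocks independent.
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def example_dump(key=b"constructed-site-wide-key"):
    # Constructed sample records (not real Adobe data); every record uses the same key.
    users = {"alice": "123456", "bob": "123456", "carol": "password",
             "dave": "password1234567", "erin": "letmein1", "frank": "qwerty"}
    return {u: ecb_encrypt_password(key, p) for u, p in users.items()}

def analyse_ecb_dump(dump):
    # From ciphertext alone: who shares a password, who shares an 8-char prefix, and how
    # long each password is (a bucket, or exact when the length is a multiple of 8).
    by_ct, by_first = defaultdict(list), defaultdict(list)
    for user, ct in dump.items():
        by_ct[ct].append(user)
        by_first[ct[:BLOCK]].append(user)
    # A password of length 8k ends in a full padding block (8 x 0x08) that encrypts identically
    # for everyone, so among multi-block records it is the most common final block.
    pads = Counter(ct[-BLOCK:] for ct in dump.values() if len(ct) > BLOCK)
    pad_block = pads.most_common(1)[0][0] if pads else None
    length = {}
    for user, ct in dump.items():
        n = len(ct) // BLOCK
        length[user] = (n - 1) * BLOCK if ct[-BLOCK:] == pad_block else ((n - 1) * BLOCK + 1, n * BLOCK - 1)
    return {"same_password": [g for g in by_ct.values() if len(g) > 1],
            "shared_prefix": [g for g in by_first.values() if len(g) > 1],
            "length": length}

def salted_hash_password(password, salt=None):
    # The defensible alternative: per-user random salt plus a slow KDF, so equal passwords
    # give unrelated outputs and the stored value's length reveals nothing.
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
```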
