How Not to Store Passwords: Adobe Edition
A quick peek at the Adobe password breach.
Recently, someone broke into Adobe's network, stealing source code and part of their password database. It later turned out to affect at least 38 million people.
I always try to investigate whether I am personally impacted by these leaks. Usually that means submitting a carefully hashed password to some online service built to tell you if you were part of the leak. This time, however, the entire file was readily and easily available (by which I mean my Twitter feed included a link to it, several times).
So... why not take a peek?
$ grep mikeboers cred
78626857-|--|-adobe@mikeboers.com-|-+8pqoIav87bioxG6CatHBw==-|-Same scheme.|--
While not surprising, I am still disappointed to be included.
Digging just a little bit deeper, there are some very troubling things in this file.
Adobe stores passwords wrong. Very very wrong.
Researchers have revealed, and Adobe has confirmed, that the millions of passwords stolen during the breach in October were not originally stored according to industry best practices. Instead of being hashed, the passwords were encrypted, which could make things a little easier for those looking to crack them.
— CSO Online
With the right key one could decrypt every password outright. That's not great, but it gets worse: Adobe used Triple DES (3DES) in ECB mode. ECB encrypts each 8-byte block of the password independently under the same key, with no salt and no IV, so two users with the same password get byte-for-byte identical ciphertexts, and two passwords that share their first eight characters share their first ciphertext block. It is immediately obvious when two users share a password, even if we don't know what it is. Look closely at the ciphertexts (mine included) and you'll notice many of them end in the same block, ioxG6CatHBw==. If Adobe used the standard PKCS#5 padding, that is exactly what a password of exactly eight characters produces: a second block consisting of nothing but padding. So ECB leaks password lengths too.
Let's take a look at a "small" slice of the file and see which encrypted passwords are common:
$ head -n 100000 cred | cut -d'|' -f 4 | sort | uniq -c | sort -n | tail -n 10
     71 -diQ+ie23vAA=-
     75 -BB4e6X+b2xLioxG6CatHBw==-
     91 -PMDTbP0LZxu03SwrFUvYGA==-
    103 -7LqYzKVeq8I=-
    104 -5djv7ZCI2ws=-
    115 -dQi0asWPYvQ=-
    130 -j9p+HwtWWT/ioxG6CatHBw==-
    259 -L8qbAD3jl3jioxG6CatHBw==-
    260 -j9p+HwtWWT86aMjgZFLzYg==-
   1441 -EQ7fIpT7i/Q=-
Of the first 100k users, 1.4% of them (1441) use the same password, which encrypts to EQ7fIpT7i/Q=. I wonder if the password hints, which are stored in plaintext right next to the encrypted passwords, could reveal what it is...
$ grep 'EQ7fIpT7i/Q=' cred | cut -d'|' -f 5 | manually_snip_results_for_interest
-first six numbers
-Numeros de 1 a 6
-1 thru 6
-123456
Huh. Okay, so we can figure out a few people's passwords. So what?
$ grep 'EQ7fIpT7i/Q=' cred | cut -d'|' -f 5 | grep same | manually_snip_results_for_interest
-same at all
-same as yahoo
-same as email pw
-same as bank
-same as the rest
Oh dear.
The takeaway: web admins, never store passwords with a reversible cipher, and not with a fast or unsalted hash either; use a salted, deliberately slow password hash (bcrypt, scrypt or PBKDF2), so that a stolen database reveals neither the passwords nor which users share one. Web users: please use a different password everywhere (or at least for your bank), and don't put your password in your password hint.
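To make the ECB point concrete, here is an added example of my own (not code from the post, and certainly not Adobe's). It mimics the scheme: a toy 64-bit Feistel cipher stands in for 3DES, since it has the same 8-byte block size and ECB leaks the same structure, with standard PKCS#5 padding and base64 output like the fourth field of the dump. KEY, the example.com users and the SAMPLE list are all constructed here; the only real input is the record format, and the two tokens from the `uniq -c` listing above are used only to check their block structure. It shows what the `uniq -c` count exploits (equal ciphertext means equal password), the two other things ECB gives away (a shared final block for eight-character passwords, a shared first block for a shared eight-character prefix), parses a record in the dump's `-|-` format, and contrasts all of that with a salted PBKDF2 hash that reveals none of it.

```python
import base64
import hashlib
import hmac
import os

BLOCK = 8  # 3DES block size in bytes; ECB encrypts every block independently
KEY = b"hypothetical key, constructed for this example"  # not Adobe's key

# Toy 64-bit block cipher: a 4-round Feistel network with an HMAC-SHA256 round
# function. A stand-in for 3DES (same 8-byte block); never use it for real.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(4):                      # (L, R) -> (R, L xor F(R))
        left, right = right, _xor(left, _round(key, rnd, right))
    return right + left                       # undo the final swap

def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for rnd in reversed(range(4)):            # run the rounds backwards
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

# ECB mode with PKCS#5 padding, base64-encoded like the dump's 4th field.
def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK             # an 8-byte input gets a whole block of padding
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, password: str) -> str:
    padded = pkcs5_pad(password.encode())
    blocks = [block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK)]
    return base64.b64encode(b"".join(blocks)).decode()

def ecb_decrypt(key: bytes, token: str) -> str:
    data = base64.b64decode(token)
    plain = b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))
    return plain[:-plain[-1]].decode()        # strip PKCS#5 padding

def cipher_blocks(token: str) -> list:
    data = base64.b64decode(token)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# One record of the dump: id-|-(empty)-|-email-|-ciphertext-|-hint|--
def parse_record(line: str) -> dict:
    uid, _, email, token, hint = line.rstrip("\n").split("-|-", 4)
    if hint.endswith("|--"):
        hint = hint[:-3]
    return {"id": uid, "email": email, "token": token, "hint": hint}

# What the dump gives away without the key:
def shared_passwords(records: list) -> dict:
    # equal ciphertext <=> equal password, which is what `uniq -c` was counting
    groups = {}
    for email, token in records:
        groups.setdefault(token, []).append(email)
    return {t: users for t, users in groups.items() if len(users) > 1}

def same_last_block(token_a: str, token_b: str) -> bool:
    # every exactly-8-byte password ends in E(pure padding block): identical tail
    return cipher_blocks(token_a)[-1] == cipher_blocks(token_b)[-1]

def same_first_block(token_a: str, token_b: str) -> bool:
    # same first 8 plaintext bytes -> same first ciphertext block
    return cipher_blocks(token_a)[0] == cipher_blocks(token_b)[0]

# The right way: a salted, slow, one-way hash (PBKDF2-HMAC-SHA256 here).
def hash_password(password: str, salt: bytes = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return base64.b64encode(salt + digest).decode()

def verify_password(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored)
    salt, digest = raw[:16], raw[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)

# Constructed sample "dump" (not real data): (email, ciphertext) pairs.
SAMPLE = [(e, ecb_encrypt(KEY, p)) for e, p in [
    ("a@example.com", "123456"), ("b@example.com", "123456"),
    ("c@example.com", "12345678"), ("d@example.com", "123456789"),
    ("e@example.com", "hunter22"),
]]

if __name__ == "__main__":
    for token, users in shared_passwords(SAMPLE).items():
        print(len(users), "users share ciphertext", token, users)
    print("c and d share an 8-char prefix:", same_first_block(SAMPLE[2][1], SAMPLE[3][1]))
    h1, h2 = hash_password("123456"), hash_password("123456")
    print("salted hashes differ:", h1 != h2, "but both verify:", verify_password("123456", h1))
```

Note that none of the three analysis functions touch KEY: grouping by ciphertext, comparing tails and comparing heads all work on the dump as leaked. Swap in real 3DES for the toy cipher and nothing about those results changes, which is the whole problem with ECB.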