Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad)

Summary: A new analysis of Adobe user passwords leaked after last month's hack reveals yet again that most people prefer to avoid complexity when it comes to passwords.

It's well known that people often pick easy-to-remember but easy-to-crack passwords to protect their accounts. Thanks to the work of one password expert, it's now thought that millions of Adobe customers were among those with a taste for terrible passwords too.

Adobe recently revealed that the security breach which affected the company last month turned out to have involved at least 38 million Adobe IDs and encrypted passwords, rather than the 2.9 million the company originally reported.

But the 38 million figure only relates to active accounts. Along with the source code for products such as ColdFusion, the hackers made off with and published a file containing millions of user records for inactive as well as active accounts, which included more than 130 million encrypted passwords.

Although Adobe has said the passwords were encrypted, the way it did so was apparently not enough to stop password expert Jeremi Gosney, founder of the security firm Stricture Consulting Group, from deriving the most commonly used passwords. He published his top 100 list over the weekend; the passwords on it account for around six million users, or just under five percent of the 130 million password list. (How he derived them is explained below.)

The most popular password, used by nearly two million Adobe customers, is "123456". There are no surprises there, though; the Yahoo leak of 450,000 passwords last year, and other similar breaches, have also revealed the same password as a user favourite.

The others in the Adobe top 10 are equally poor. The second most popular was "123456789", used for 446,162 accounts, followed by "password", common to 345,843 accounts, "adobe123", used in 211,659 accounts, and "12345678", used for 201,580 accounts, followed by "qwerty", "1234567", "111111", "photoshop" and "123123".

Gosney notes that since he doesn't have the key Adobe used to encrypt the passwords of 130,324,429 users — and since Adobe is still blocking access to its services until owners reset their passwords — it's impossible to say with certainty that the list is entirely accurate, but he says he's nonetheless "fairly confident" of its accuracy.

Gosney confirmed that the source of the analysis was a file containing the passwords that was leaked on Anonnews last week. So how was it all possible? Here's what he told ZDNet:

See, the passwords in this leak were all encrypted with the same key. Without that key, we cannot crack a single password. But as soon as we have that key, we can instantly crack all of them. So for this particular leak, we're not trying to crack individual passwords — we're trying to crack the encryption key.

Adobe encrypted the passwords with 3DES in ECB mode. 3DES itself isn't a terrible cipher, depending on which key option was used. But ECB mode is really bad, because it leaks information about what was encrypted. Basically, ECB mode works by dividing a message into blocks, and then encrypting each block individually. This means that the same plaintext block will always result in the same ciphertext block when encrypted with the same key.

Analysing patterns in the ciphertext along with known plaintext-ciphertext pairs allows you to learn quite a bit of information about the encrypted data. In this case, we had lots of known plaintext-ciphertext pairs because a lot of people were affected by this breach, myself included.

The top 100 list we published was based solely on manual analysis of the ciphertexts, combined with manual analysis of the user-supplied password hints for each password. This enabled us to make highly educated guesses at what each of the passwords might be, but we won't know for sure until the encryption key is recovered.

The password hints were the most telling. An overwhelming number of people took the concept of a password hint too literally, and flat-out provided the password itself as the hint. By analysing thousands of password hints per ciphertext, and matching that information with what we know about the ciphertext thanks to ECB mode, we are able to determine a number of passwords with a reasonable degree of certainty. It took about three hours to determine what the top 100 passwords were with this method.

Some will conclude that ECB mode was obviously Adobe's downfall here, but the real point is that the passwords never should have been encrypted in the first place. They should have been hashed, using a proper password hashing function. It sounds like Adobe is in the process of remedying this, however, as they state that their new solution uses over one thousand iterations of salted SHA-256.

For its part, Adobe said the authentication system affected by the breach was an older one, and due for retirement.

"For more than a year, Adobe's authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than a thousand times. This system was not the subject of the attack we publicly disclosed on 3 October 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored. We currently have no indication of unauthorised activity on any Adobe ID account involved in the incident," it said in a statement.
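To make Gosney's point about ECB mode concrete, and to contrast it with the salted, iterated SHA-256 scheme Adobe describes above, here is an added example that is not part of the original article or of Gosney's analysis. It uses a constructed set of password records and hints, stands in a keyed HMAC for the unknown 3DES key and cipher (only the determinism of a block cipher matters here), and assumes PKCS#7 padding, which the article does not state.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

BLOCK = 8  # 3DES operates on 8-byte blocks
KEY = b"constructed-secret-key"  # stand-in for Adobe's unknown 3DES key


def pad(data: bytes) -> bytes:
    # PKCS#7 padding (assumption: Adobe's real padding scheme is not stated)
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_block(block: bytes) -> bytes:
    # Stand-in for a single 3DES block encryption: keyed, deterministic, 8 bytes out.
    return hmac.new(KEY, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(password: str) -> str:
    # ECB: each block encrypted independently, so equal plaintext blocks give equal ciphertext.
    p = pad(password.encode())
    return b"".join(encrypt_block(p[i:i + BLOCK]) for i in range(0, len(p), BLOCK)).hex()


def salted_hash(password: str, salt: bytes) -> str:
    # Salted, iterated SHA-256 (PBKDF2-HMAC), approximating the replacement scheme Adobe describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000).hex()


# Constructed sample records as (password, hint); an analyst sees only ciphertext and hint.
RECORDS = [("123456", "numbers"), ("123456", "123456"), ("123456", "one to six"),
           ("password", "the usual"), ("password", "password"),
           ("123456789", "1 to 9"), ("12345678", "eight digits"), ("adobe123", "company + 123")]


def rank_ciphertexts(records):
    # Group hints per identical ciphertext: the most frequent ciphertext is the most
    # common password, and its hints often spell it out.
    counts, hints = Counter(), defaultdict(list)
    for pw, hint in records:
        ct = ecb_encrypt(pw)
        counts[ct] += 1
        hints[ct].append(hint)
    return [(ct, n, hints[ct]) for ct, n in counts.most_common()]


def shared_first_block(a: str, b: str) -> bool:
    # ECB leaks shared 8-byte prefixes across different passwords, e.g. 12345678 vs 123456789.
    return ecb_encrypt(a)[:2 * BLOCK] == ecb_encrypt(b)[:2 * BLOCK]


def largest_group_when_salted(records) -> int:
    # Same records under per-user salted hashing: identical passwords no longer group together.
    return Counter(salted_hash(pw, os.urandom(16)) for pw, _ in records).most_common(1)[0][1]
```

Running `rank_ciphertexts(RECORDS)` puts the "123456" ciphertext first with its three hints attached, while `largest_group_when_salted(RECORDS)` returns 1, which is why the frequency-plus-hints method has nothing to work with against a properly salted store.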

The company did not confirm or deny whether the total number of encrypted passwords, including those for inactive accounts, was 130 million.

"We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident," the company said.

Now that the breach has been detected, the cleanup campaign is underway — and it's no easy task, according to Gosney.

"I've talked to a lot of people now who said they received the breach notification/password reset email from Adobe, but thought it was a phishing email and ignored it. I had to chuckle a little, because we've conditioned users to never click on links in unsolicited emails. It's good that people are starting to learn about phishing, but it's unfortunate that so many people are ignoring these emails since it means they aren't updating their passwords. It doesn't matter that much for their Adobe account, since they've already locked everyone's account and are forcing people to reset their passwords. But it's a big deal for people who re-use their passwords on other websites, especially their email and bank accounts," he said.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

Talkback

  • What does it matter...

    Anyone afraid they would hack your Adobe account? I always use "passpass" for online passwords... heck, both my bank and Visa card have 1234 as passcode. It's easy to remember.
    DJK2
    • What does it matter? Is that what you asked!?!?!

      Well, once someone has access to your on-line VISA account, or your on-line bank account, forget your password? All you need is your e-mail address. A hacker can find out enough information about you to steal your identity. More likely than not, your Facebook profile has enough information about you to fill in the blanks. Then all you need is to convince someone at a bank branch that you do not visit that they are you.

      It is a short step from there for them to have stolen your money and your identity. Maybe even your tax records. Now they have everything they need!
      M Wagner
    • Thank you! You're a godsend!

      I've taken 50% out of your chequing account, and left you the rest.
      Hey, I'm not greedy! Just enough to cover this year's mortgage.
      40% went to me, and the other 10% went a charity of my choice. (I woulda put it in your name, but DJK2 sounds kinda esoteric)
      Claude Balloune
  • Not necessarily bad

    Seems as though just about everything requires a password these days, and often the web site requiring a password is pretty unfriendly about it. For example, our local newspaper limits your access unless you provide a password, and won't allow the browser to remember the password and log you in automatically. They think they are enhancing security by asking you to type it in each time. But the thing is, no one stores any secure information of their own on this newspaper's web site. So why would anyone set up a complex password on such an unfriendly site? The shortest and simplest password it will allow is best. For many people, the Adobe account is the same way. The dumb passwords are just a symptom of the stupidity of Adobe web designers, asking you to secure an account that doesn't contain any important information. So of course there will be a lot of insecure passwords.
    pdth
    • u r right

      I agree !!!
      kaspersky84
    • Everyone has different requirements

      I agree with pdth. Too many passwords to sign into accounts. And each seems to have different rules. Some require upper and lower case letters, some require numbers, some require special characters, others require letters and numbers, but no characters, others numbers and characters, etc. And often not all characters. I really love the sites which say to enter the new password, then reject it and then give you the parameters. Why not post the parameters before asking for the password?
      DonG43
      • Password formation

        What I hate is the sites that ask you for a password, and THEN tell you that yours is no good because they must have at least one capital letter, one lower case letter, and one number, and be at least 8 characters in length. Why not print that above the password request????
        rphunter1242
    • True, but...

      I don't care if my login to "thiswebcarcommunity.com" gets hacked, there's no personal info and all I do is post and chat. OTOH, Adobe does have a web store, and I've never seen it clearly stated whether the hack and/or the passwords stolen applied to the web store, where credit card info MIGHT be located.
      big red one
    • well, there is the fact that most pay for adobe products with credit cards.

      You might rethink your assertion that there's no important information stored and accessible by a ne'er-do-well, but you go ahead and use a simple password for those accounts. After all, whether your credit card is used to make purchases for you, or ones for a hacker, it does stimulate the economy, even if you don't actually receive that nice big 70" HD TV that's on your credit card statement.
      WhatsamattaU
  • No, really?

    "Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad)"

    No, really?

    It's a self-selecting list, Einstein: If they had chosen GOOD passwords, the passwords wouldn't be on the top 100, because one of the attributes of a good password is that it's unique.
    CobraA1
    • Unique?

      A password need not be unique, just not obvious, or common. For instance, choosing the 3rd word from the 7th page of your favorite book, followed by the 5th word from page 100 of your favorite copy of the Bible, would be a very good password, and easy to recover should you forget it.
      rphunter1242
      • Granted, there need to be universal standards. A good place to start ...

        ... to select a strong password is the Microsoft Password Checker at https://www.microsoft.com/security/pc-security/password-checker.aspx.

        A good rule of thumb:

        Letters - upper & lower case
        Numbers - random and interspersed
        Special characters - (!@#$%^&* _+-=/\|}{[]~`:";'.,>
        M Wagner
        • The website needs to allow those standards

          Some websites won't allow special characters. My bank won't allow more than eight characters, which drives me nuts when my password of choice (a good one) is longer, yet it makes me change the password every 3 months and won't let me use the last three passwords. The idea that a website should force you to less secure passwords is just nuts.
          big red one
          • 8-character passwords...

            Carryover from the mainframe days.
            8-character was the standard.
            Same with requiring a new password and not allowing reuse of the last three.
            radu.m
        • But then you need to write it down....

          Yes they become very good passwords... so good you can't remember them yourself and have to write it down or store it somewhere. Bingo.... not as secure as you'd like, back to square 1.
          johnmckay
      • You still need a format for the inevitable break-in

        Someone will find a password, or see you entering it. You still need a format to differentiate different sites, otherwise you are gubbed if it's common to everything. We all think we're very clever..... but that belief is a mistake in itself.

        We're all at risk from clever, unscrupulous scumbags !!!!
        johnmckay
      • Okay, so slightly different word choice . . .

        "A password need not be unique, just not obvious, or common."

        Okay, so slightly different word choice - but statistically speaking, there should be as little bias as possible towards any given password, which should make collisions rare. That should be a part of the password creation process.

        Which still makes the "top 100 passwords" still a self-selecting set, as it is biased towards poorly chosen passwords.
        CobraA1
      • Good Password

        Actually, if you are serious about a secure password, then you should avoid words in English or any other language as they are vulnerable to brute force dictionary attacks. Same with names. Also, simply substituting special characters into a word is not much more secure (example: password and p@ssw0rd) since a good hacker will have tried these. If you want to use two favorite words, which I agree has the advantage of being easy to remember and retrieve, then apply a standard transformation like embedding one inside the other and embedding both in your birthday. In this case, if your two favorite words were "Favorite" and "Word" then "FavoriteWord" is a better than average password, but embedding gives "FavoWordrite" (better) and embedding your birthday (let's say 5-june-1982) might result in "05FavoWo06rdorite82" (Better!); add a couple of special characters and you might end up with "@05FavoWo06rdite82#" (Best!) and you have a secure password that has the advantage of being those two words you said could be retrieved easily. No password is impossible to break with enough time and compute power, but this will be difficult enough to deter all but the most sophisticated baddies.

        I know I am pushing a hopeless case as most people would find it difficult to think of the transformation while typing it in, but I have used this approach since the 80's.

        Agree with all of the posts which say there's no need to make super secure an account which has no data, but don't underestimate that every detail retrieved about you, however small, is a step toward stealing your identity.
        wjameskirk
        • brute force dictionary attacks?

          I hadn't thought about that angle a lot. I speak 2 different languages. If I use a favorite from English, and a favorite from my original language, along with Upper and Special, will I survive the brute force dictionary attack?
          jayfulton
          • still dictionary words, right?

            So, NO! Just using foreign words might help quite a lot, but instead of taking 3 seconds to crack your password it might now take 6 seconds. Is that sufficiently more secure?
            Tom6