It’s well-known that people often pick easy to remember but easy to crack passwords to protect their accounts. Thanks to the work of one password expert, it's now thought that millions of Adobe customers were among those with a taste for terrible passwords too.
Adobe recently revealed that the security breach which affected the company last month turned out to have involved at least 38 million Adobe IDs and encrypted passwords, rather than the 2.9 million the company originally reported.
But the 38 million figure only related to active accounts. Along with the source code for products such as ColdFusion, the hackers made off with and published a file that contained over more than million user records for inactive as well as active accounts, which included more than 130 million encrypted passwords.
Although Adobe has said the passwords were encrypted, it appears the way Adobe did that was not enough to prevent passwords expert and founder of the security firm Stricture Consulting Group, Jeremi Gosney, from deriving them to reveal the most commonly used passwords, which he published over the weekend, spanning around six million or just under five percent of the 130 million password list. (How he derived them is explained below.)
The most popular password, used by nearly two million Adobe customers, is "123456". There aren't any surprises there though; the Yahoo leak of 450,000 passwords last year, and other similar breaches, have also revealed the same password as a user favourite.
The others in the Adobe top 10 are equally poor. The second most popular was "123456789", used for 446,162 accounts, followed by "password" common to 345,843 accounts, "adobe123" used in 211,659 accounts, "12345678" used for 201,580 accounts, followed by "qwerty", "1234567", "111111", "photoshop" and "123123".
Gosney notes that since he doesn't have the key Adobe used to encrypt the passwords of 130,324,429 users — and since Adobe is still blocking access to its services until owners reset their passwords — it's impossible to say with certainty that the list is entirely accurate, but he says he's nonetheless "fairly confident" of its accuracy.
Gosney confirmed the source of the analysis was a file containing the passwords was leaked on Anonnews last week. So how was it all possible? Here's what he told ZDNet:
See, the passwords in this leak are were all encrypted with the same key. Without that key, we cannot crack a single password. But as soon as we have that key, we can instantly crack all of them. So for this particular leak, we're not trying to crack individual passwords — we're trying to crack the encryption key.
Adobe encrypted the passwords with 3DES in ECB mode. 3DES itself isn't a terrible cipher, depending on which key option was used. But ECB mode is really bad, because it leaks information about what was encrypted. Basically, ECB mode works by dividing a message into blocks, and then encrypting each block individually. This means that the same plaintext block will always result in the same ciphertext block when encrypted with the same key.
Analysing patters in the ciphertext along with known plaintext-ciphertext pairs allows you to learn quite a bit of information about the encrypted data. In this case, we had lots of known plaintext-ciphertext pairs because a lot of people were affected by this breach, myself included.
The top 100 list we published was based solely on manual analysis of the ciphertexts, combined with manual analysis of the user-supplied password hints for each password. This enabled us to make highly educated guesses at what each of the passwords might be, but we won't know for sure until the encryption key is recovered.
The password hints were the most telling. An overwhelming number of people took the concept of a password hint too literally, and flat-out provided the password itself as the hint. By analysing thousands of password hints per ciphertext, and matching that information with what we know about the ciphertext thanks to ECB mode, we are able to determine a number of passwords with a reasonable degree of certainty. It took about three hours to determine what the top 100 passwords were with this method.
Some will conclude that ECB mode was obviously Adobe's downfall here, but the real point is that the passwords never should have been encrypted in the first place. They should have been hashed, using a proper password hashing function. It sounds like Adobe is in the process of remedying this, however, as they state that their new solution uses over one thousand iterations of salted SHA-256.
For its part, Adobe said the authentication system affected by the breach was an older one, and due for retirement.
"For more than a year, Adobe's authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than a thousand times. This system was not the subject of the attack we publicly disclosed on 3 October 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored. We currently have no indication of unauthorised activity on any Adobe ID account involved in the incident," it said in a statement.
The company did not confirm or deny whether the total amount of encrypted passwords, including those for inactive accounts, was 130 million.
"We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident," the company said.
Having detected the breach, the cleanup campaign is underway — and it's no easy task, according to Gosney.
"I've talked to a lot of people now who said they received the breach notification/password reset email from Adobe, but thought it was a phishing email and ignored it. I had to chuckle a little, because we've conditioned users to never click on links in unsolicited emails. It's good that people are starting to learn about phishing, but it's unfortunate that so many people are ignoring these emails since it means they aren't updating their passwords. It doesn't matter that much for their Adobe account, since they've already locked everyone's account and are forcing people to reset their passwords. But it's a big deal for people who re-use their passwords on other websites, especially their email and bank accounts," he said.