How an epic blunder by Adobe could strengthen hand of password crackers | Ars Technica

Via Dan Goodin on Ars Technica, 2013-11-01

Four weeks ago, Adobe disclosed a sustained hack on its corporate network that threatened to spawn a wave of meaner malware attacks by giving criminals access to the raw source code for the company’s widely used Acrobat and ColdFusion applications. Now, researchers are warning the same breach could significantly strengthen the password crackers’ collective hand by revealing a staggering 130 million passcodes used over the years by Adobe customers, many of them from the FBI, large corporations, and other sensitive organizations.

That’s because Adobe engineers used reversible encryption to scramble the passwords contained in a 9.3-gigabyte file that’s now available online. Surprisingly, they flouted almost universally recognized best practices that call for stored passwords to be protected by bcrypt or another one-way cryptographic hashing algorithm.  …

That’s not at all the way the passwords for the 130 million active and inactive Adobe accounts are protected. They were scrambled using standard symmetric encryption. If crackers are able to figure out the key or keys that encrypt the data, they will have instant access to every single plaintext user password in the list.

How an epic blunder by Adobe could strengthen hand of password crackers | Ars Technica

Even stranger than the passwords being decryptable by Adobe, and now others who can use a variety of exploits against those encryptions, is that the attacked system was a backup designated for decommissioning.   And that presumably idle data, sitting around vulnerable to insider exploits, was not encrypted in total, regardless of the individual records having encryptions of passwords.

This entry was posted in nfoWorks, Privacy and Security, trust. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s