From the source: http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
ZDNet's version: http://www.zdnet.com/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782/
XKCD's version: http://xkcd.com/1286/
Yet another high-profile case involving a misuse of password protection schemes. As ZDNet's article describes, 3DES was the wrong choice for storing sensitive user information: it is a reversible cipher, so whoever holds the key can recover every password. A one-way function such as a strong hash is what's needed, so that decryption isn't possible (attackers have to fall back on collisions or other means) and the cost of a leak stays small (say, a password reset on the customer's end).
On a side note, XKCD knows how to deal with it; maybe better passwords will be chosen if we post these on the New York Times? Probably not, but it'd still be funny. (Apologies to those of you who actually chose something other than "password", "adobe", or a numeric string.) In all seriousness, while the leakage of such a vast amount of sensitive data is a great concern and should not have happened, the contents suggest that a great many people need to choose stronger passwords. Even without a leak it's really only a matter of time before your password is cracked, and chances are that if you choose "123456" you're probably pretty close to having 123456 seconds before your account is compromised anyway. (Too bad this guideline doesn't scale; it'd be awesome if everybody could choose a password of the form "2^x", where x is replaced with the year your favorite TV show launched. Oh well, I guess exponentiation isn't supported.) Compounded with the extremely likely event that some of these users reused this password across other important sites that retain their PII... I just pray for their sake that they will lock these open doors soon.
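As an added illustration (not code from the post, Adobe, or ZDNet) of the one-way storage argued for above: each password is stored as a per-user random salt plus a slow, keyless digest, so there is nothing to decrypt and two users who both picked "123456" no longer produce identical records that can be counted up into a top-100 list. PBKDF2-HMAC-SHA256 and the iteration count are my assumptions; the post only says "a strong hash".

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; tune the iteration count to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the value to store: algorithm, iterations, salt and digest.

    No key is involved, so a leaked table cannot be decrypted; an attacker
    has to guess each password separately against its own salt.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_cluster(passwords: list) -> bool:
    """True if any two stored records are byte-identical.

    Under deterministic encryption every "password" row looks the same, which is
    exactly how a top-100 list can be read off a leaked table; with per-user
    salts this returns False even when every input is the same string.
    """
    stored = [make_record(p) for p in passwords]
    return len(set(stored)) < len(stored)
```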