>>It was bound to happen eventually. This data theft will enable almost limitless [xkcd.com/792]-style password reuse attacks in the coming weeks. There's only one group that comes out of this looking smart: Everyone who pirated Photoshop.<<
He missed a group of people: any designer who did not entrust their entire professional workflow to a single, for-profit company whose best interests are in moving your workflow in ways that benefit the company over the user. Being dependent on something like Photoshop for your only income is a terrible position to be in, yet it is how I'd describe most designers today.
That situation cannot be (or should not be) avoided if a product is significantly better than any other competitor on the market. You can choose between
- depending on the for-profit company
- having disadvantage on the marketplace because of inferior tools
Possibly a kickstarter to code CMYK into gimp would be a good idea? If the gimp team doesn't let you do it, it should be easy enough to fork it with a bit of financial backing from a kickstarter.
Gimp is just one free alternative, I guess you knew about its CMYK troubles and posted because of that. Why limit yourself to Gimp though? Check out other alternatives. I posted some in another comment in this thread.
As I understand it, Adobe used ECB mode, which means the blocks are encrypted independently. You can look at the encrypted blocks and see that two different passwords share character sequences. This is I assume what Randall is referring to with the 'crossword' bit - as well as having clues in the hints, solving one password may give you part of another. The suffix may also contain only one or two characters (plus padding) which makes it more plausible to mount a brute force attack.
ECB mode is just terrible. As well as these suffix problems, I've seen another example where a company used it to encrypt key-value pair cookies. Of course the keys are always the same...so prefixes were guessable too. And wikipedia has a fantastic example of why it's stupid for images:
"Since DES only encrypts in blocks of 64 bits (8 bytes) then encrypting and keeping the length of blocks means that you actually get a very good idea of the length of the password - that is, anything with only one block is a password length between 1 and 8 characters, with two blocks between 9 and 16 characters etc. In addition a password of "1234567812345678" would encrypt into two identical blocks."
The passwords don't have a salt: that extra block that some of them have is the second block of the password (each block of 8 bytes is encrypted separately).
ECB mode encryption is like the kind of cereal box cyphers you probably played with as a kid. For any given key, a fixed block of data goes in, a fixed block of data comes out. It won't usually be the whole of the password, but maybe "password" comes out as "94a012e6de4f1f0e" always. And so if you can guess that, then you're halfway to guessing "password123" and "passwordQWERTY" and so on.
In general, using any mode of encryption (rather than hashing) on passwords is dumb. But this is dumber than usual.
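The block-by-block leak the comments above describe, as an added example that is not part of the thread: real 3DES in ECB mode (Go's standard library), with a constructed key and zero padding assumed so that 1 to 8 characters fill exactly one 8-byte block, as the quoted comment says. It shows the length bucket from the block count, identical first blocks for "password", "password123" and "passwordQWERTY", and two identical blocks for "1234567812345678".

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constructed 24-byte 3DES key; the leak shown below does not depend on its value.
var demoKey = []byte("demo-key-for-ecb-example")
// pad appends zero bytes to the next 8-byte boundary (assumed here so 1..8 chars fill one block).
func pad(b []byte) []byte {
	out := append([]byte{}, b...)
	for len(out)%8 != 0 {
		out = append(out, 0)
	}
	return out
}
// EncryptECB encrypts each 8-byte block independently (no IV, no chaining).
func EncryptECB(key, password []byte) []string {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	pt, ct := pad(password), make([]byte, 8)
	var blocks []string
	for i := 0; i < len(pt); i += 8 {
		c.Encrypt(ct, pt[i:i+8])
		blocks = append(blocks, hex.EncodeToString(ct))
	}
	return blocks
}

// SharedFirstBlock groups passwords by first ciphertext block: groups of 2+ share their first 8 characters.
func SharedFirstBlock(key []byte, pws []string) map[string][]string {
	groups := map[string][]string{}
	for _, p := range pws {
		first := EncryptECB(key, []byte(p))[0]
		groups[first] = append(groups[first], p)
	}
	return groups
}

func main() {
	pws := []string{"password", "password123", "passwordQWERTY", "1234567812345678", "hunter2"} // constructed samples
	for _, p := range pws {
		fmt.Printf("%-16s -> %v\n", p, EncryptECB(demoKey, []byte(p)))
	}
	fmt.Println(SharedFirstBlock(demoKey, pws))
}
```

A salted, slow password hash would give none of these correlations: the same input hashed twice yields unrelated outputs, and output length says nothing about input length.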
"why do some passwords have a salt(?) and some don't?"
I'm not sure if this is the case, but sometimes this has to do with 'backwards compatibility'. I've seen databases where some passwords were MD5, some SHA1, some Bcrypt and so on.
The login page then will do something like:
Yay for LastPass - my password at adobe is a long string of gobbledygook that is unique to the site. I changed it just in case...
which makes me think...
Why the hell hasn't Adobe reset everyone's password yet? That would be the FIRST thing I did in that situation. At least prevent the world from being able to log into my own site with the leaked passwords.
I believe they are trying to make sure the system is secure first. No point in having everyone reset their password if the bad guys still have access to the password db.
I feel sorry for the people paying a lot of money to buy these short domain names, and finding huge amounts of spam being delivered to them because people have misused domain names that don't belong to them.
On the other hand, you get a lot of free accounts and private information. I own a domain that was once used as webmail for a couple of hundred people I guess. Looking through the catchall is awkward and invasive...
To make it searchable on your password, someone would have to go through the Adobe set and use the hints to manually figure out the clear text form. Off hand, it's hard to see how posting that on the web could be done responsibly.
But until someone does, you could just Google "most common passwords" and if yours is in the set, you win!
No, you have known plain text, so you just have to encrypt your password using the same algorithm and then search the database for matching ciphertext, there's no need to find the clear text for any of the passwords.
You can't re-encrypt since we don't have the keys. But you can search for your e-mail, pull up the associated hash, and then search for the hash to see who else used that password, and list all of their password hints.
As funny as this comic is, it wasn't so funny when my card was hacked and my personal details were released online. Now anyone who searches for my email (on Google) is displayed a (spammy) link to the dumped file containing my email, along with some jumbled letters, possibly my encrypted password.
One super-good thing I did when I signed up for adobe was:
I created a separate email address (purely by co-incidence) that I used exclusively for Adobe (and for some spammy services like some deal sites, which didn't require my card). As a result, I know for sure that my card was compromised because of Adobe's breach and no one else.
Lessons and observations:
1) I'm glad I bought the CS6. With the cloud comes great risks too. Not to say that you should avoid cloud products, but when you have a version you can own forever, then you might as well go for it. Imagine if I was on CC and my card was hacked and I decided to stop paying Adobe the next month out of frustration. Do you know what will happen? My company will come to a stand-still because I will no longer have access to Photoshop and a huge portion of my company is basically a Media company.
2) Someone else said we're depending too much on Adobe, and I tend to agree. But there is really no superior equivalent for Adobe's Photoshop at the moment. Please don't cite GIMP - I've tried it and it needs a lot of work to even be on par with Photoshop atm. Another factor is the PSD file format which has painfully spread like a Virus and you can't erase it out of your workflow if you're a Media shop like us (Most printing services accept PSDs/TIFF). I sincerely wonder why YC companies who generally want to change the world, don't want to create a Photoshop clone/competitor to kill this stupid Adobe that's ruining all of our lives with the stupid CC bundle.
3) The people who really won, like someone else said, were the ones who used pirated versions. I mean, I've paid a total of ~$1400 till now to Adobe and what have I received from Adobe? A 'fuck you' from their CEO in the form of their Creative cloud bundle and a hack that leaked my personal details online making me look like a jackass to anyone who searches for me by my email. Oh also don't forget the uncounted number of "fuck you's" he's sent me while developing for Flash (on mobile) and Flex.
4) Always create a separate email (or an alias) while signing up for cloud services, so you can eliminate guess work during a crisis. So, instead of signing up with [email protected] for Adobe or someone else, use [email protected] (this will redirect to [email protected]) or rather create [email protected] or something (gmail is just an example). This way, you can always trace out the right service responsible for the leakage of your details whenever something goes wrong.
I was lucky enough that my bank blocked my card on observing a fraudulent transaction initiated from another country and thus issued me with a new card. I have no plans to upgrade from CS6 or to something else for the next few years. Hopefully GIMP will get better by then, or some YC company will create a better Photoshop and let us own it forever for a one-time fee.
>4) Always create a separate email (or an alias) while signing up for cloud services, so you can eliminate guess work during a crisis. So, instead of signing up with [email protected] for Adobe or someone else, use [email protected] (this will redirect to [email protected]) or rather create [email protected] or something (gmail is just an example). This way, you can always trace out the right service responsible for the leakage of your details whenever something goes wrong.
Doesn't stop someone just removing the + tag on the email address.
A better way is to set up a catch all on a domain... but then you're likely to get a lot more spam... (to things like mail@, contact@ and a whole bunch of firstnamelastname@ guesses)
> Doesn't stop someone just removing the + tag on the email address.
It won't stop spam but the biggest risk with these leaks is from automated testing of a password found from a leak on one service you use with the same email address on another. As long as you use a separate + address for both you'll be safe as they are unlikely to automate testing of different + addresses since most users don't do that.
> A better way is to set up a catch all on a domain... but then you're likely to get a lot more spam
I forward my catch all domain emails to gmail. I hardly get any spam now except to leaked addresses which I've filtered to add bright red labels so I can ignore them.
Is it too much of a reach to assume that any half-talented identity thief or exposed-user-list-scammer might be smart enough to know about rfc5233, and would write his scripts/bots to automatically try the obvious variations of an email address of the form [email protected]?
If I were attempting to exploit the Adobe list, every email address I saw like [email protected], I'd try the exposed password using not just [email protected] and [email protected], but also [email protected], where "othertarget" might be something like twitter, facebook, paypal - depending on where I'm attempting to misuse the exposed credential.
Not sure that's a workable solution here - you wouldn't use a trashmail address to sign up for a many hundred dollar a year subscription like Creative Cloud. It works fine for stuff you only care about for the next few hours (like maybe the vpn service you register for so you can bittorrent cs6).
> Now anyone who searches for my email (on Google) is displayed a (spammy) link to the dumped file containing my email, along with some jumbled letters, possibly my encrypted password.
Hmm. I was one of the hacked users, but googling my email doesn't come up with anything.
It is possible that your file wasn't indexed? The whole dump is 3 point something Gigabytes I think, and in the link only a portion was pasted for obvious size limitations. The indexed file was from a (spammy) copy paste service, so chances are good that the part of the file which contained your ID wasn't indexed by Google or was deleted. I also sent a complaint to Google and the copy-paste service to take down the file immediately for obvious privacy reasons.
I wonder who the chief security officer of Adobe is (should be was) and why they never had sufficient security audits to look at how they did security. Why is it virtually every time there is a leak people did the encryption wrong?
That's too many characters, plus "Favourite of 12 Apostles" doesn't mean Jesus', it could be the users. I'm not convinced that it's St. though as when they say name1 that would suggest St. was part of it :p
I was thinking that St.peter would have to be peter (NAME1) but then that wouldn't be enough to be its own block. I'm guessing the split boxes [ ][ ][ ] are characters and the long [\t] are for numbers.
I think the eight square boxes mean "exactly 8 characters", and the long rectangles mean "up to 8 characters".
You can tell them apart (sometimes) because "exactly 8 characters" will match if those 8 characters are re-used by someone else with a longer than 8 character password.
And the layout emphasizes the re-use, which is also shown by color coding.
What's the status with figuring out the encryption key and breaking all those passwords? Surely there are known passwords. Is there any distributed brute force attempt that I can help with?
100 bits of entropy takes around 10^26 seconds to crack [1]
Even if you somehow managed to get a botnet of 100 million machines, it would still take longer than the age of the universe to brute force it.
Security of 3DES is effectively 112 bits [2] if random keys are used. Although as I said, this is assuming Adobe weren't completely stupid (and reused one or more of the keys, or used non-random keys).
[xkcd.com/792]: http://xkcd.com/792/