{"id":3916,"date":"2013-11-06T12:30:12","date_gmt":"2013-11-06T17:30:12","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=3916"},"modified":"2013-11-06T12:30:12","modified_gmt":"2013-11-06T17:30:12","slug":"just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/11\/06\/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad\/","title":{"rendered":"Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad)"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.zdnet.com\/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782\/\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad) | ZDNet\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/11\/password_606-11387690.jpg\" \/><\/a><\/p>\n<p>It\u2019s well-known that people often pick easy to remember but easy to crack passwords to protect their accounts. Thanks to the work of one password expert, it&#8217;s now thought that millions of Adobe customers were among those with a taste for terrible passwords too.<\/p>\n<p>Adobe recently revealed that the security breach which affected the company last month turned out to have involved at least 38 million Adobe IDs and encrypted passwords, rather than the 2.9 million the company originally reported.<\/p>\n<p>But the 38 million figure only related to active accounts. 
Along with the source code for products such as ColdFusion, the hackers made off with and published a file of user records for inactive as well as active accounts, which included more than 130 million encrypted passwords.<\/p>\n<p>Although Adobe has said the passwords were encrypted, it appears the way Adobe did that was not enough to prevent password expert and founder of the security firm Stricture Consulting Group, Jeremi Gosney, from working out the most commonly used passwords, which he published over the weekend; the top 100 account for around six million entries, or just under five percent of the 130 million password list. (How he derived them is explained below.)<\/p>\n<p>The most popular password, used by nearly two million Adobe customers, is &#8220;123456&#8221;. There aren&#8217;t any surprises there though; the Yahoo leak of 450,000 passwords last year, and other similar breaches, have also revealed the same password as a user favourite.<\/p>\n<p>The others in the Adobe top 10 are equally poor. 
The second most popular was &#8220;123456789&#8221;, used for 446,162 accounts, followed by &#8220;password&#8221;, common to 345,843 accounts, &#8220;adobe123&#8221;, used in 211,659 accounts, &#8220;12345678&#8221;, used for 201,580 accounts, and then &#8220;qwerty&#8221;, &#8220;1234567&#8221;, &#8220;111111&#8221;, &#8220;photoshop&#8221; and &#8220;123123&#8221;.<\/p>\n<p>Gosney notes that since he doesn&#8217;t have the key Adobe used to encrypt the passwords of 130,324,429 users \u2014 and since Adobe is still blocking access to its services until owners reset their passwords \u2014 it&#8217;s impossible to say with certainty that the list is entirely accurate, but he says he&#8217;s nonetheless &#8220;fairly confident&#8221; of its accuracy.<\/p>\n<p>Gosney confirmed that the source of the analysis was a file containing the passwords that was leaked on Anonnews last week. So how was it all possible? Here&#8217;s what he told ZDNet:<\/p>\n<p>See, the passwords in this leak were all encrypted with the same key. Without that key, we cannot crack a single password. But as soon as we have that key, we can instantly crack all of them. So for this particular leak, we&#8217;re not trying to crack individual passwords \u2014 we&#8217;re trying to crack the encryption key.<\/p>\n<p>Adobe encrypted the passwords with 3DES in ECB mode. 3DES itself isn&#8217;t a terrible cipher, depending on which key option was used. But ECB mode is really bad, because it leaks information about what was encrypted. Basically, ECB mode works by dividing a message into blocks, and then encrypting each block individually. This means that the same plaintext block will always result in the same ciphertext block when encrypted with the same key.<\/p>\n<p>Analysing patterns in the ciphertext along with known plaintext-ciphertext pairs allows you to learn quite a bit of information about the encrypted data. 
In this case, we had lots of known plaintext-ciphertext pairs because a lot of people were affected by this breach, myself included.<\/p>\n<p>The top 100 list we published was based solely on manual analysis of the ciphertexts, combined with manual analysis of the user-supplied password hints for each password. This enabled us to make highly educated guesses at what each of the passwords might be, but we won&#8217;t know for sure until the encryption key is recovered.<\/p>\n<p>The password hints were the most telling. An overwhelming number of people took the concept of a password hint too literally, and flat-out provided the password itself as the hint. By analysing thousands of password hints per ciphertext, and matching that information with what we know about the ciphertext thanks to ECB mode, we are able to determine a number of passwords with a reasonable degree of certainty. It took about three hours to determine what the top 100 passwords were with this method.<\/p>\n<p>Some will conclude that ECB mode was obviously Adobe&#8217;s downfall here, but the real point is that the passwords never should have been encrypted in the first place. They should have been hashed, using a proper password hashing function. It sounds like Adobe is in the process of remedying this, however, as they state that their new solution uses over one thousand iterations of salted SHA-256.<\/p>\n<p>Full Story: <a href=\"http:\/\/www.zdnet.com\/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782\/\" target=\"_blank\">Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad) | ZDNet<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s well-known that people often pick easy to remember but easy to crack passwords to protect their accounts. 
Thanks to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,10],"tags":[43,451,797],"class_list":["post-3916","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-adobe","tag-hacked","tag-passwords"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-11a","jetpack-related-posts":[{"id":9450,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/20\/are-passwords-immortal-security-now-690\/","url_meta":{"origin":3916,"position":0},"title":"Are Passwords Immortal? &#8211; Security Now 690","author":"NCCT","date":"November 20, 2018","format":false,"excerpt":"https:\/\/youtu.be\/mOSTtkK7vy0 Pwn2Own, the Future of Passwords. 
-- All the action at last week's Pwn2Own Mobile hacking contest -- The final word on processor mis-design in the Meltdown\/Spectre era -- A workable solution for unsupported Intel firmware upgrades for hostile environments -- A forthcoming Firefox breach alert feature -- The expected\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/mOSTtkK7vy0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":3916,"position":1},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9511,"url":"https:\/\/nccomputertech.com\/techtalk\/2019\/01\/22\/millsplain-it-to-me-this-week-in-tech-702\/","url_meta":{"origin":3916,"position":2},"title":"Millsplain It to Me &#8211; This Week in Tech 702","author":"NCCT","date":"January 22, 2019","format":false,"excerpt":"https:\/\/youtu.be\/EtTfFJVBZ6s -Apple's Tim Cook Calls for Data Privacy. -773M Passwords Pwned - How to Find Out If Yours Was. -Amazon Tries to Make Alexa Sound \"Newsy.\" -Google Buys Fossil. 
-74% of Facebook Users are Clueless. -Facebook's 10 Year Challenge. -Atari Founder Making Alexa Board Games. -Stop Using Windows Phone! -Tokyo\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/EtTfFJVBZ6s\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9403,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/10\/01\/older-than-the-mini-jack-this-week-in-tech-686\/","url_meta":{"origin":3916,"position":3},"title":"Older Than the Mini Jack &#8211; This Week in Tech 686","author":"NCCT","date":"October 1, 2018","format":false,"excerpt":"https:\/\/youtu.be\/a2BeanU0FsU Facebook breach, Elon\u2019s costly tweet, Google turns 20, and more. --How to tell if your Facebook account is one of the 50 million that were hacked this week --Why the founder of Instagram left Facebook --\"Funding secured\" tweet costs Elon Musk his chairmanship and $40 million --Google turns 20\u2026","rel":"","context":"In &quot;Social Media&quot;","block_context":{"text":"Social Media","link":"https:\/\/nccomputertech.com\/techtalk\/category\/social-media\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/a2BeanU0FsU\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9370,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/06\/24\/this-week-in-tech-672-meme-the-queen\/","url_meta":{"origin":3916,"position":4},"title":"This Week in Tech 672: Meme the Queen","author":"NCCT","date":"June 24, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ZCttWvS1qJw Two HUGE Supreme Court decisions, Apple admits its keyboards suck, Europe's war on memes, and more. -- The US Supreme Court kills warrantless cell phone location fishing and okays state sales taxes on internet purchases. 
-- Apple offers refunds on MacBook butterfly keyboard repairs and wants to let you\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ZCttWvS1qJw\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9910,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/slap-and-flop-siri-ios-18-3-update-apple-music\/","url_meta":{"origin":3916,"position":5},"title":"Slap and Flop &#8211; Siri, iOS 18.3 Update, Apple Music","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/Xwqi58VczQ4 What's going on with Siri? iOS 18.3 update is out now, along with a fix to a zero-day flaw. You can buy iPhones on eBay with TikTok installed on them as TikTok is still not available for download on the App Store. And on January 27th, 2010, Steve Jobs\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/Xwqi58VczQ4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=3916"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3916\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media
?parent=3916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=3916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=3916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
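The following is an added example, not code from the ZDNet article, from Gosney, or from Adobe. It models the analysis Gosney describes in the post above: under ECB mode, every account with the same password gets the same ciphertext, so the leak can be ranked by ciphertext frequency; a password that shares its first eight bytes with another shares the first ciphertext block; ciphertext length bounds the password length; and a hint repeated verbatim by independent users of one ciphertext is a strong guess at the password itself. It then contrasts that with a salted, iterated hash, where the same frequency analysis finds nothing. Assumptions, all mine: a keyed PRF truncated to 8 bytes stands in for the 3DES block operation (it is not 3DES and not invertible, but the analysis only relies on ECB's deterministic per-block output); PKCS#7 padding is assumed, since the article does not say what Adobe used; PBKDF2-HMAC-SHA256 illustrates the "over one thousand iterations of salted SHA-256" the article quotes and is not Adobe's actual construction; the user population and hints are constructed.

```python
# Added illustration, not code from the ZDNet article, Gosney or Adobe.
# Models what ECB mode leaks in a password store (identical plaintexts give identical
# ciphertexts; shared leading blocks give shared leading ciphertext blocks; length leaks),
# the hint-correlation trick, and why a salted, iterated hash defeats the same analysis.
import hashlib
import hmac
import os
from collections import Counter, defaultdict

BLOCK = 8  # 3DES block size in bytes
KEY = b"constructed-server-side-key"  # the attacker never has this (constructed value)


def pkcs7_pad(data: bytes) -> bytes:
    """PKCS#7 padding to whole 8-byte blocks (assumed; Adobe's padding is not in the article)."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """STAND-IN for one 3DES block operation: a keyed PRF truncated to 8 bytes.

    Not 3DES and not invertible. The analysis below only needs the output to be a
    deterministic function of (key, block), which is exactly what ECB mode provides."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key: bytes, password: str) -> bytes:
    """ECB: pad, split into 8-byte blocks, encrypt each block independently, concatenate."""
    padded = pkcs7_pad(password.encode())
    return b"".join(block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


# Constructed user population: (password, password hint). Only the hint appears in the leak.
POPULATION = [
    ("123456", "numbers"), ("123456", "123456"), ("123456", "1 to 6"), ("123456", "123456"),
    ("password", "the usual"), ("password", "password"), ("password", "password"),
    ("123456789", "1 to 9"), ("123456789", "123456789"),
    ("12345678", "1 to 8"),
    ("photoshop", "app name"),
]
ATTACKER_ROW = 4  # the analyst is a victim too and knows their own password (known plaintext)


def make_leak(key: bytes = KEY):
    """What the attacker sees: (ciphertext, hint) per account; no key, no plaintext."""
    return [(ecb_encrypt(key, pw), hint) for pw, hint in POPULATION]


def analyse_leak(leak):
    """Ciphertext-only analysis: frequency per ciphertext, hints per ciphertext, first-block sharing."""
    counts = Counter(ct for ct, _ in leak)
    hints = defaultdict(list)
    for ct, hint in leak:
        hints[ct].append(hint)
    by_first_block = defaultdict(set)
    for ct in counts:
        by_first_block[ct[:BLOCK]].add(ct)
    return counts, hints, by_first_block


def length_range(ct: bytes):
    """Ciphertext length alone bounds the password length (PKCS#7 adds 1..8 bytes)."""
    blocks = len(ct) // BLOCK
    return BLOCK * (blocks - 1), BLOCK * blocks - 1


def guess_from_hints(hint_list):
    """A hint repeated verbatim by independent users of one ciphertext is probably the password."""
    if not hint_list:
        return None
    hint, n = Counter(hint_list).most_common(1)[0]
    return hint if n >= 2 else None


def recover_top_passwords(leak, known=None):
    """Rank ciphertexts by frequency; attach a guess from known plaintext, else from hints.

    known: {ciphertext: password} pairs the attacker already has, e.g. their own account."""
    known = known or {}
    counts, hints, _ = analyse_leak(leak)
    table = []
    for ct, n in counts.most_common():
        guess = known.get(ct) or guess_from_hints(hints[ct])
        table.append((ct.hex(), n, guess, length_range(ct)))
    return table


def hashed_store(password: str, iterations: int = 1000):
    """Contrast: per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 as an illustration)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def largest_identical_group(passwords):
    """Largest set of accounts sharing a stored value once each one is salted independently."""
    return Counter(hashed_store(pw)[1] for pw in passwords).most_common(1)[0][1]


if __name__ == "__main__":
    leak = make_leak()
    own = {leak[ATTACKER_ROW][0]: POPULATION[ATTACKER_ROW][0]}
    for row in recover_top_passwords(leak, own):
        print(row)
    print("largest identical group with salted hashing:",
          largest_identical_group([pw for pw, _ in POPULATION]))
```

Running it ranks the "123456" ciphertext first with four accounts and a hint-derived guess, labels the "password" ciphertext from the analyst's own known account, shows that the "123456789" and "12345678" ciphertexts share their first block, and reports that with per-user salts every stored value is unique, so neither frequency nor hint correlation across accounts has anything to work with.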