Facebook and other companies are following Adobe’s recent password breach, and for good reason. Over 130 million encrypted Adobe passwords were recently made public, which is precisely why Facebook and other websites are on high alert and requesting – and even requiring – that their users change their passwords. Even worse, access to that many passwords could help hackers even more, and these are criminals who use such information for devious purposes. In short, the effects of this sort of password breach won’t go away.
In response to the password breach, Facebook’s security team searched for users who had the same login information with Adobe and Facebook, and is requiring those users to change their passwords.
As Dan Goodin at Ars Technica wrote, password security expert Jeremi Gosney put out a list of the top 100 Adobe passwords. (Yes, if you click on that link, you will find that “123456” and “123456789” are at the top of the list! People, please, please stop using these passwords. Have any of you seen Spaceballs?!?)
Goodin also points out that sites that aren’t household names like Facebook are also being hit by the breach. For instance, Diapers.com sent out an email to its subscribers, requesting that they reset their passwords.
As Ars explained last week, Adobe’s storage of the 130 million passcodes was almost a textbook example of how not to manage highly sensitive login credentials. It used a single key to encrypt all passwords using the Triple DES encryption algorithm with the ECB mode. That meant that every identical plaintext password generates an identical encrypted string. ECB mode further allowed outsiders to examine the ciphertext to glean important clues about the plaintext, including its length and the type of characters it might contain. Given so many affected Adobe accounts, it hasn’t been hard for outsiders to use their own passwords to help decipher the list. That has led researchers to deduce passwords such as ‘adobe1999’ even though the underlying cryptographic key still hasn’t been broken.
This raises several interesting questions. If Adobe made such a huge blunder, and, as Ars noted, this is a textbook example of how NOT to manage highly sensitive login credentials, should it have to pay some sort of price for the breach? In other words, should it be held responsible for this type of blunder? Will laws ever be implemented that would make companies like Adobe pay a price for such an error? On the flip side, is it a matter of personal responsibility, especially when many know that best IT administrator practices dictate that employees should have different passwords for each vendor service their company uses?
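The storage flaw quoted from Ars above can be reproduced on constructed data. The following is an added example, not code from Adobe, Ars or the original post: it compares single-key ECB encryption with per-user salted hashing. Assumptions: a 4-round Feistel toy cipher stands in for Triple DES (which the Python standard library lacks), zero padding is used, and the sample accounts, key and PBKDF2 parameters are invented for illustration.

```python
import hashlib, hmac, os

BLOCK = 8  # Triple DES works on 8-byte blocks; the toy cipher keeps that size

def _round(key, i, half):
    # Round function of the stand-in cipher: keyed hash truncated to 4 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def toy_encrypt_block(key, block):
    # Deterministic keyed permutation of 8 bytes (Feistel network).
    # Stand-in for Triple DES only; it is NOT a secure cipher.
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def ecb_encrypt(key, password):
    # ECB: pad to a block multiple (zero padding assumed), then encrypt
    # every block independently with the same key.
    data = password.encode()
    data += b"\x00" * (-len(data) % BLOCK)
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def salted_record(password):
    # Recommended pattern: random per-user salt plus a slow one-way KDF.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def duplicate_groups(records):
    # Groups of users whose stored value is byte-for-byte identical.
    groups = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return [users for users in groups.values() if len(users) > 1]

# Constructed sample accounts and key (not real data).
USERS = {"alice": "123456", "bob": "123456", "carol": "adobe1999",
         "dave": "adobe1998", "erin": "correct horse"}
KEY = b"one-key-for-every-account"

ecb = {u: ecb_encrypt(KEY, p) for u, p in USERS.items()}
kdf = {u: salted_record(p)[1] for u, p in USERS.items()}

if __name__ == "__main__":
    print("ECB identical records:", duplicate_groups(ecb))
    print("ECB carol/dave share first block:", ecb["carol"][:8] == ecb["dave"][:8])
    print("ECB stored lengths:", {u: len(c) for u, c in ecb.items()})
    print("Salted identical records:", duplicate_groups(kdf))
```

Under ECB the two "123456" accounts collide, the two "adobe199x" accounts share a first block, and the stored length shows which passwords exceed eight characters, all without the key. The salted records show none of these relationships.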