
Adobe credentials and the serious insecurity of password hints  - watermel0n
http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html
======
chalst
It was smart of Facebook to look for reused passwords.

Troy wondered if there might be a security risk to announcing having found
these matches (I suppose the reasoning is that if passwords are reused once,
they are probably reused more than once, and so looking for such notices might
help crackers track down easily compromised accounts), but decided there was
not. Given the low-key way FB have gone about this, I guess this is right, and
maybe this should be best practice for future password leaks. I wonder if
anyone else has done this?

For convenience, the announcement by Chris Long, of FB (from his comment on
Brian Krebs' blog, at [http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/comment-page-1/#comment-208063](http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/comment-page-1/#comment-208063)):

> I work at Facebook on the security team that helped protect the accounts
> affected by the Adobe breach. Brian’s comment above is essentially spot on.
> We used the plaintext passwords that had already been worked out by
> researchers. We took those recovered plaintext passwords and ran them
> through the same code that we use to check your password at login time.

> Like Brian’s story indicates, we’re proactive about finding sources of
> compromised passwords on the Internet. Through practice, we’ve become more
> efficient and effective at protecting accounts with credentials that have
> been leaked, and we use an automated process for securing those accounts.
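
The check Chris Long describes (running recovered plaintexts through the site's own login-time password verification and flagging the matches), as an added Python example that is not part of the post or of Facebook's code; the hashing scheme, user records and leak entries are all constructed stand-ins:

```python
import hashlib
import hmac
import os

# Stand-in for the site's own login hashing (constructed for this example):
# per-user random salt + PBKDF2-HMAC-SHA256. Whatever the real login path
# does, the point is to reuse exactly that function on the leaked plaintexts.
PBKDF2_ROUNDS = 50_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify_login(record: dict, candidate: str) -> bool:
    # Same comparison the login path uses; constant-time to avoid timing leaks.
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))

# Constructed user store keyed by lower-cased email; hashes never leave it.
USERS = {
    "alice@example.com": make_record("correct horse battery"),
    "bob@example.com": make_record("b0b-unique-pw!"),
    "carol@example.com": make_record("photoshop"),
}

# Constructed stand-in for the third-party leak after researchers recovered plaintexts.
# Decoding is not always certain, so one email may carry several candidates.
LEAK = [
    ("Alice@Example.com", "correct horse battery"),  # exact reuse
    ("bob@example.com", "bobpassword"),              # wrong guess
    ("bob@example.com", "bob1234"),                  # wrong guess
    ("carol@example.com", "photosh0p"),              # wrong candidate
    ("carol@example.com", "photoshop"),              # right candidate
    ("dave@example.com", "anything"),                # not a user here
]

def find_reused_passwords(users: dict, leak: list) -> list:
    """Sorted emails of local users whose current password equals a leaked
    plaintext, decided by the same verify function real logins use."""
    affected = set()
    for email, candidate in leak:
        email = email.strip().lower()
        record = users.get(email)
        if record is None or email in affected:
            continue  # unknown account or already flagged: skip the slow hash
        if verify_login(record, candidate):
            affected.add(email)
    return sorted(affected)  # these accounts get the "secure this account" flow
```

The flagged accounts go into the forced-reset flow; the matched plaintext itself is never shown to the user or logged, since it is still their live password.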

------
patio11
I don't have the resources of a Facebook, but I'd pay a few hundred bucks a
year for an HTTPS-secured REST API which let me post an email address and
receive a list of candidate passwords. Bonus for a callback if someone I've
queried gets added. The service would maintain that list in a fashion similar
to whitehat security researchers.

Use case is to implement the FB-style security escalation for high-value
accounts at my businesses, without requiring an on-call security team. If a
dentist loses their client database because they reused the password on a
PHPBB somewhere I'm likely in for a lot of headaches even if eventually found
to not be at fault.

~~~
mdpopescu
The noise you hear is five hundred patio11 followers writing that app...
myself included :)

~~~
recuter
The app part is trivial, the hard part would be maintaining good up to date
datasets to make this actually useful. You'd also need quite a few more
customers than one patio11 to make it worth your while, and ironically, the
need for this service in the first place suggests the potential market is
still small.

I.e. lots of organizations don't quite realize they have a need for this and
would have a hard time understanding why it's useful.

------
ohwp
I got Ghostery installed, the page loads and then suddenly the text of the
article is removed.

I know I know, I just shouldn't use Ghostery but I like to have a little
privacy online.

Sorry I won't return to your site again...

~~~
cdman
Don't use Ghostery because they're tracking you:
[http://en.wikipedia.org/wiki/Ghostery#Criticism](http://en.wikipedia.org/wiki/Ghostery#Criticism)

Try disconnect.me or blacklisting the sites directly from the hosts file.

~~~
marios
I kept using ghostery because I didn't know of any alternative and sometimes I
can't install adsuck (which is better than a huge hosts file; an oversized
hosts file can have a negative impact on DNS and overall network
responsiveness).

Thanks for disconnect.me, I'll give it a shot :)

~~~
smcnally
> An oversized hosts file can have a negative impact on DNS and overall
> network responsiveness

How many hosts entries would you say it is before the negative impact is
significant? 20? 100?

------
ballard
0. Password hints, the horror. As a user, the wisest thing is to just put
something misleading and use good password hygiene.

1. This reminds me of a funny thing I did at a big name university that shall
remain nameless. On the CS network which used NIS, I ran getent passwd as a
regular user and received everyone's hashed passwords! Then, I piped that
through john the ripper.... Say hello to 50 users' passwords in 30 seconds
with nothing more than the standard English dictionary. (In an era just before
shmoo, et al. rainbow tables.) Dept chair, ~20 profs and some students. Drop
a cron to start xeyes every 30 minutes anyone? }:)

------
cdjk
How is Facebook getting the plaintext passwords to compare to their hashed
user passwords? Since the passwords are 3DES encrypted, only Adobe should be
able to do that.

They could just be using email addresses, but that seems rather blunt.

I'm not a huge fan of Facebook, but what they're doing does seem like an
excellent idea.

~~~
sp332
The passwords were all encrypted with the same key, and ECB mode still leaks
some patterns. Jeremi Gosney of Stricture Consulting Group was "fairly
confident" of his decoding of many of the passwords.
[http://www.zdnet.com/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782/](http://www.zdnet.com/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782/)

Edit: oh it's the same guy who has this beast of a cracking cluster!
[http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/](http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/)

Edit2: more details about how the decoding works
[http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/](http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/)

~~~
taeric
I believe the question was more of how does Facebook know it was the same
password? My guess is this was a "lazy" calculation. That is, they had to get
their users to re-enter their password so they could check it then. (Make
sense?)

~~~
sp332
They said in the article, they took the plaintext from the Adobe leak and
hashed it using their own login algorithm, then compared hashes. Edit: wait,
must have been a different article. Oh well, I read it somewhere :)

~~~
taeric
Ah, that makes a ton of sense. I was thinking of the case where a hashed
database of passwords got leaked. If you know the scheme, you could do this
sort of comparison at a login. But, yeah, overly complicated for this
scenario, I believe.

------
GotAnyMegadeth
I like the idea of having to rename your dog after a password breach. Lol

------
ScottWhigham
Great insight/writeup but the last bit gets to me:

_Ultimately, password hints are evil and they add nothing to an online system
that can't be achieved with a secure password reset feature._

It's a classic case of someone criticizing one important feature without
suggesting viable alternatives. He might as well have said,

_Gasoline engines are evil and they add nothing to a world that can't be
achieved with a more efficient propellant._

Yeah, okay - but _what's the more efficient propellant?!?!_

Password hints aren't "evil" just because (a) Adobe happened to store theirs
in plain text, and (b) some users do use seriously identifying information in
theirs. Password hints make it fast and easy for an actual user who genuinely
needs to reset their password to be able to do so quickly and efficiently.
What's the _secure password reset feature_ that Troy alludes to? I missed it.

~~~
troyhunt
The viable alternative is in the sentence you quoted:

"Ultimately, password hints are evil and they add nothing to an online system
that can’t be achieved with a secure password reset feature."

Secure password reset.

~~~
ScottWhigham
Oh, pish posh. You could've just as easily said, "The viable alternative is to
make password resets secure" and said the same thing. It's doublespeak. It's
basically an easy way to say, "There are a lot of different things you can do
but I don't feel like taking the time to list each of the options right now."

------
jebus989
Really interesting post and strong argument. Shame about the pie charts for
data viz but hey, nobody's perfect.

~~~
illyism
Here's some of the data in tables:
[http://adobe.breach.il.ly/#/stats](http://adobe.breach.il.ly/#/stats)

------
peterwwillis
> Password hints are an absolutely ridiculous security measure.

Password hints have multiple uses. For identity management and verification
systems, it's used as an additional identity check after the password if the
host seems to have changed. For password recovery, it's a "need to know"
factor you have to pass before you get to the "need to have" of e-mail account
access. Since it's trivial to brute-force, multiple hints of different
categories are usually deployed.

In the real world, hackers compromise accounts by finding out the personal
details they need to subvert password-recovery steps. Find the last four of
the social, their birth date, address, and phone number, and you can basically
hijack any bank, telephone, utility or government account a person has.
Password hints are (when properly implemented) more secure because they can
leverage other access methods.

Did they need to keep the hint plaintext? No; they can hash it just like any
other password. But as the complexity requirement of the hint is much lower
than that of passwords, it should be required to use another factor (such as
an e-mailed confirmation code, SMS, or many more hints or sensitive
information) to allow the hint to succeed.

~~~
mikeash
I think you've mixed up password hints with security questions.

You seem to be talking about stuff of the form, "What is my mother's maiden
name?"

A password hint is exactly what it says: a hint for what your password was, to
help you avoid forgetting it. If your password is "lassie", then your password
hint might be something like, "That dog you like from TV." The problem, of
course, is that just about any hint that helps you remember your password also
helps an attacker guess it.

~~~
peterwwillis
Ah, you're right, got the two confused.

------
Aldo_MX
I changed my password to "photoshop", because I was expecting advice from
Adobe telling me to pick something more secure; nothing happened :/

------
fibbery
In other news, 93,000 people still have a juno.com email address.

~~~
aestra
These were both for active and inactive accounts.

