Lessons of the Adobe password breach
November 19, 2013  

Last month I wrote about Adobe’s security breach in which someone gained access to an encrypted file containing customer passwords. There have been some interesting developments since then.

First, the number of accounts compromised was not 2.9 million, as initially reported, but 38 million active accounts. Or maybe 150 million accounts.

I had an Adobe account myself, and I’ve received their “Important Password Reset Information” email. I used a unique password for the account, as I do for all such accounts, so I don’t have to go around changing my password at other sites.

A lot of people aren’t so careful. Brian Krebs reports that Facebook has notified some users that their Facebook passwords were compromised in the Adobe breach. They know this because

Facebook and any other company can take any of the Adobe passwords that have already been guessed or figured out and simply hash those passwords with whatever one-way hashing mechanism(s) they use internally. After that, it’s just a matter of finding any overlapping email addresses that use the same password. Facebook’s Chris Long confirmed that this is more or less what the company did.

UMass Amherst seems to have employed the same method.

WordPress, on the other hand, has gone further:

Recently Adobe had a large user account compromise incident and information was accessed including email addresses. As a precaution and proactive security measure, we’ll shortly reset the passwords of those WordPress.com VIP users whose emails matched the Adobe compromised user account list.

It doesn’t seem that WordPress has actually verified that any passwords were compromised. That is, if you used the same email address for both your Adobe and WordPress accounts, your password is being reset, even if you used different passwords for the two accounts. This is security voodoo, not an effective security measure.
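To make the difference between the two approaches concrete, here is an added example in Python; it is not code from this post, nor from Facebook, UMass or WordPress. It assumes a site that stores salted PBKDF2 hashes, and a constructed breach list of (email, already-recovered password) pairs. `reused_password_accounts` does what the Krebs quote describes: hash each recovered breach password under the site’s own scheme and per-user salt, and keep only the accounts where it matches. `matching_email_accounts` does the email-only match, which also sweeps up users whose passwords differ.

```python
# Added example (not the post's own code): checking a third-party breach list
# against our own user table two ways.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the hypothetical site


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(users: dict, email: str, password: str) -> None:
    salt = os.urandom(16)
    users[email] = (salt, hash_password(password, salt))


def reused_password_accounts(users: dict, breached: list) -> list:
    """The Facebook/UMass method: rehash each recovered breach password with
    OUR scheme and OUR per-user salt; report only accounts where it matches."""
    hits = []
    for email, leaked in breached:
        if email in users:
            salt, stored = users[email]
            if hmac.compare_digest(stored, hash_password(leaked, salt)):
                hits.append(email)
    return hits


def matching_email_accounts(users: dict, breached: list) -> list:
    """The email-only match: every one of our users who appears in the breach,
    regardless of whether their password here is the same."""
    return [email for email, _ in breached if email in users]


# Constructed sample user table for the hypothetical site.
OUR_USERS = {}
register(OUR_USERS, "alice@example.com", "abc123")         # same password on both sites
register(OUR_USERS, "bob@example.com", "W1nter!Sunrise")   # different password here
register(OUR_USERS, "carol@example.com", "tr0ub4dor&3")    # not in the breach at all

# Constructed breach list: (email, password someone has already guessed from the
# leaked file). Entries whose password was never recovered cannot be checked this way.
BREACHED = [
    ("alice@example.com", "abc123"),
    ("bob@example.com", "hunter2"),
    ("erin@example.com", "abc123"),   # no account with us
]

if __name__ == "__main__":
    print(reused_password_accounts(OUR_USERS, BREACHED))   # ['alice@example.com']
    print(matching_email_accounts(OUR_USERS, BREACHED))    # ['alice@example.com', 'bob@example.com']
```

Two things worth noticing: only alice, who reused her password, shows up in the verified check, while bob is flagged by the email-only match despite having a different password. And because each account has its own salt and a deliberate iteration count, the breach password has to be hashed once per matching account rather than once for the whole table, which is the cost a slow password hash is supposed to impose.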

What we have here is a tragedy of the commons. First, it’s tragic that I can no longer use “abc123” as a password, because the rest of you have made it overly popular, and careless companies have leaked plaintext passwords all over the place. Second, it’s tragic that I can’t use the same email address for two different accounts, because careless companies have leaked email addresses all over the place (or malicious companies, cf. spam), and other knuckleheads are making more work for me as a consequence.

More seriously, what this tells us is that you can’t count on companies to keep your private data safe, not even your email address and password. So you shouldn’t give them (important) email addresses and passwords. Instead, we need authentication protocols like SRP (Secure Remote Password), in which the server stores only a verifier derived from the password and the password itself is never transmitted, and we should use a unique email address per account.
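To show what “don’t send passwords to companies” looks like as a protocol, here is an added example of SRP-6a in Python. It is not from this post or from any SRP library. The group parameters are the 1024-bit group from RFC 5054 Appendix A, transcribed here and sanity-checked at import time; verify them against the RFC before relying on them. The identity, password and in-memory server are illustrative. The point to watch is that enrolment sends the server only a salt and a verifier, and the login exchange carries only group elements and hashes.

```python
# Added example (not the post's own code): SRP-6a password-authenticated key exchange.
import hashlib
import hmac
import os
import secrets

# 1024-bit group from RFC 5054 Appendix A, transcribed here; verify against the RFC.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
# Cheap base-2 Fermat tests on N and (N-1)/2: a transcription error would fail here.
q = (N - 1) // 2
assert pow(2, N - 1, N) == 1 and pow(2, q - 1, q) == 1, "N is not a safe prime"
WIDTH = (N.bit_length() + 7) // 8  # width of PAD() in RFC 5054

def pad(n):
    return n.to_bytes(WIDTH, "big")

def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(identity, salt, password):
    return H(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())

def make_verifier(identity, password):
    """Runs on the client at enrolment; only (salt, v) goes to the server."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(identity, salt, password), N)

def client_proof(identity, salt, A, B, K):
    """M1 = H(H(N) xor H(g), H(I), s, A, B, K) as in RFC 2945."""
    hn, hg = hashlib.sha256(pad(N)).digest(), hashlib.sha256(pad(g)).digest()
    hi = hashlib.sha256(identity.encode()).digest()
    return hashlib.sha256(bytes(a ^ b for a, b in zip(hn, hg)) + hi + salt + pad(A) + pad(B) + K).digest()

class Server:
    def __init__(self):
        self.users = {}  # identity -> (salt, verifier); no passwords stored

    def register(self, identity, salt, verifier):
        self.users[identity] = (salt, verifier)

    def challenge(self, identity, A):
        if A % N == 0:  # RFC 5054: abort on a degenerate client value
            raise ValueError("illegal client value A")
        salt, v = self.users[identity]
        b = secrets.randbelow(N - 1) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N), b, N)  # = g^(ab + bux) mod N
        self._pending = (identity, salt, A, B, hashlib.sha256(pad(S)).digest())
        return salt, B

    def verify(self, M1):
        identity, salt, A, B, K = self._pending
        if not hmac.compare_digest(M1, client_proof(identity, salt, A, B, K)):
            raise ValueError("client proof failed: wrong password or tampered exchange")
        return hashlib.sha256(pad(A) + M1 + K).digest()  # M2 proves the server knew v

def client_login(server, identity, password):
    """Returns the shared session key K, or raises if either side's proof fails."""
    a = secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(identity, A)
    if B % N == 0:
        raise ValueError("illegal server value B")
    u = H(pad(A), pad(B))
    x = private_x(identity, salt, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # = (g^b)^(a + ux) mod N
    K = hashlib.sha256(pad(S)).digest()
    M1 = client_proof(identity, salt, A, B, K)
    M2 = server.verify(M1)
    if not hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K).digest()):
        raise ValueError("server proof failed")
    return K

def login_succeeds(server, identity, password):
    try:
        client_login(server, identity, password)
        return True
    except ValueError:
        return False

def demo():
    """Enrol one hypothetical user, then try the right password and a wrong one."""
    srv = Server()
    salt, v = make_verifier("alice@example.com", "correct horse battery staple")
    srv.register("alice@example.com", salt, v)
    return (login_succeeds(srv, "alice@example.com", "correct horse battery staple"),
            login_succeeds(srv, "alice@example.com", "abc123"))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

If a server running this were breached the way Adobe was, the attacker would get salts and verifiers, not passwords or anything that decrypts to them; cracking a verifier still means a per-user dictionary attack, and a captured login transcript gives nothing to replay. This is a teaching implementation: a real deployment would use a larger group, a slow hash inside `private_x`, and a vetted library rather than hand-rolled protocol code.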