[cryptography] Adobe confirms customer data breach
noloader at gmail.com
Mon Nov 19 02:19:22 EST 2012
An Adobe break-in does not surprise me.
Has anyone come across a paper on how to migrate an existing database
with, for example, unsalted MD5 hashes, to something more appropriate
for 2012? Naively, I don't see why MD5(password) cannot be an input to
an improved system. That is, MD5(password) is just a pre-processing
step to a system built with cryptographic legos.
I'm trying to figure out why folks like Adobe (who know better and
have the resources) are still using unsalted MD5. I suspect the answer
has something to do with "it's cost effective to be grossly negligent,"
but I want to give offenders the benefit of the doubt.
Update 15-11-12 14:55: According to security firm Sophos, the
passwords were stored as unsalted MD5 hashes, which can easily be
cracked quickly using modern CPU and GPU hardware. If the database
extract turns out to be genuine, Adobe should have invested a little
more effort in protecting the passwords of its users.
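The migration the post asks about can be done without ever learning the users' passwords: treat the stored MD5 digest as the "password" fed to a salted, iterated KDF, then swap each record for a direct KDF-of-password record the next time that user logs in successfully. The following is an added example, not code from the original post or from Adobe; the record format (`pbkdf2-md5$...`, `pbkdf2$...`), the function names and the sample row are all constructed for illustration, and PBKDF2-HMAC-SHA256 is used only because it ships with the Python standard library.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Work factor for the added wrapper; tune for the deployment (assumption, not from the post).
PBKDF2_ITERATIONS = 100_000

# Constructed sample row: a legacy, unsalted MD5 hex digest as the post describes.
LEGACY_MD5 = hashlib.md5(b"correct horse").hexdigest()


def wrap_legacy_md5(md5_hex: str, salt: Optional[bytes] = None,
                    iterations: int = PBKDF2_ITERATIONS) -> str:
    """Offline upgrade of a stored MD5 digest: PBKDF2 over the digest itself.

    Works on the whole table at once because only the existing hash is needed,
    so a dump of the wrapped table no longer yields fast-crackable raw MD5.
    """
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, iterations)
    return f"pbkdf2-md5${iterations}${salt.hex()}${dk.hex()}"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Native scheme for new accounts and for re-hashing after a verified login."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either record type.

    Returns (ok, replacement): when a wrapped legacy record verifies, `replacement`
    is a fresh native record the caller should write back so the MD5 layer
    disappears from the database over time.
    """
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme == "pbkdf2-md5":
        # Reproduce the pre-processing step: MD5(password) is the KDF input.
        material = hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")
    elif scheme == "pbkdf2":
        material = password.encode("utf-8")
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", material, bytes.fromhex(salt_hex), int(iters))
    ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare
    replacement = hash_password(password) if ok and scheme == "pbkdf2-md5" else None
    return ok, replacement


def migrate_and_login_demo() -> bool:
    """End-to-end: wrap the legacy row, log in once, confirm the record got upgraded."""
    wrapped = wrap_legacy_md5(LEGACY_MD5)
    ok, upgraded = verify("correct horse", wrapped)
    if not ok or upgraded is None:
        return False
    ok_again, again = verify("correct horse", upgraded)
    return ok_again and again is None and upgraded.startswith("pbkdf2$")


if __name__ == "__main__":
    print("migration demo ok:", migrate_and_login_demo())
```

The wrapped form is strictly stronger than the raw MD5 table it replaces (an attacker now pays the PBKDF2 cost per guess and per salt), but MD5 of the password is still the only entropy going in, so the second step, replacing each record with a direct KDF on the next successful login, is what actually retires the legacy layer.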