[cryptography] Adobe confirms customer data breach

Patrick Mylund Nielsen cryptography at patrickmylund.com
Mon Nov 19 03:11:56 EST 2012


There is no good excuse, IMHO, but we also haven't done a good enough job
drawing attention to how to do it properly in a way that's easy for
non-cryptographers to understand. Too many developers think "cryptographic
hash function" means "safe [as-is] for password authentication."


On Mon, Nov 19, 2012 at 8:19 AM, Jeffrey Walton <noloader at gmail.com> wrote:

> An Adobe break-in does not surprise me.
>
> Has anyone come across a paper on how to migrate an existing database
> with, for example, unsalted MD5 hashes, to something more appropriate
> for 2012? Naively, I don't see why MD5(password) cannot be an input to
> an improved system. That is, MD5(password) is just a pre-processing
> step to a system built with cryptographic legos.
>
> I'm trying to figure out why folks like Adobe (who know better and
> have the resources) are still using unsalted MD5. I suspect the answer
> has something to do with "it's cost effective to be grossly negligent,"
> but I want to give offenders the benefit of the doubt.
>
> Jeff
>
>
> http://www.h-online.com/security/news/item/Adobe-confirms-customer-data-breach-Update-1750344.html
> ...
> Update 15-11-12 14:55: According to security firm Sophos, the
> passwords were stored as unsalted MD5 hashes, which can easily be
> cracked quickly using modern CPU and GPU hardware. If the database
> extract turns out to be genuine, Adobe should have invested a little
> more effort in protecting the passwords of its users.
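The migration Jeff asks about, as an added example that is not from the thread: the legacy unsalted MD5 digest is used as the input to a salted, iterated KDF (PBKDF2-HMAC-SHA256 and the record format are assumptions here) so every record can be re-protected offline without knowing any password, and a wrapped record is replaced with a native one the next time the user logs in and the password is in hand.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed legacy record: an unsalted MD5 digest of a constructed password,
# the storage format the quoted article attributes to the breached database.
LEGACY_MD5 = hashlib.md5(b"correct horse").hexdigest()

ITERATIONS = 100_000  # assumed work factor; tune to the deployment


def pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def wrap_legacy_md5(md5_hex: str) -> str:
    """Offline migration step: wrap an existing MD5 digest in a salted KDF.
    The password is not needed; the digest itself is the KDF input."""
    salt = os.urandom(16)
    dk = pbkdf2(md5_hex.encode("ascii"), salt)
    return f"md5+pbkdf2${salt.hex()}${dk.hex()}"


def hash_password(password: str) -> str:
    """Native scheme for new or upgraded accounts: salted PBKDF2 over the password."""
    salt = os.urandom(16)
    dk = pbkdf2(password.encode("utf-8"), salt)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a login attempt against either record format.
    Returns (ok, upgraded_record); upgraded_record is a fresh native
    record when a wrapped legacy record verified, else None."""
    try:
        scheme, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False, None
    if scheme == "md5+pbkdf2":
        # Recompute the legacy pre-processing step, then the wrapper KDF.
        secret = hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")
    elif scheme == "pbkdf2":
        secret = password.encode("utf-8")
    else:
        return False, None
    ok = hmac.compare_digest(pbkdf2(secret, salt), expected)
    if ok and scheme == "md5+pbkdf2":
        return True, hash_password(password)  # password in hand: drop the MD5 layer
    return ok, None
```

The wrapped form only raises the guessing cost going forward; copies of the original unsalted MD5 table that already left the building are not protected by it.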