[cryptography] Adobe confirms customer data breach
iang at iang.org
Mon Nov 19 05:24:06 EST 2012
On 19/11/12 18:19 PM, Jeffrey Walton wrote:
> An Adobe break in does not surprise me.
> Has anyone come across a paper on how to migrate an existing database
> with, for example, unsalted MD5 hashes, to something more appropriate
> for 2012? Naively, I don't see why MD5(password) cannot be an input to
> an improved system. That is, MD5(password) is just a pre-processing
> step to a system built with cryptographic legos.
> I'm trying to figure out why folks like Adobe (who know better and
> have the resources) are still using unsalted MD5. I suspect the answer
> has something to do with "it's cost effective to be grossly negligent,"
> but I want to give offenders the benefit of the doubt.
Part of the issue is that in the world today, they aren't grossly
negligent. This has specific meanings, which are found in court. Until
a court case comes that finds such an act as grossly negligent, then
Which then speaks to the incentives. The corporations have internalised
the benefits of the model, and externalised the risks. Punters have to
take the costs of the risk of failure, so everyone on the supply side is
happy. Until a corporation has some skin in the risk game, they aren't
going to do more than punt all the risk to the consumer.
In which case, spending more when MD5 does a fine job is pointless;
even if it breaks there is less point in spending money. At the moment,
when a breach happens, companies are responsible for the direct internal
losses, short term reputation hit, and maybe the cost of a breach
notification service (which latter is either a bad joke that customers
don't understand or an insult).
What's worse perhaps is that the first response of companies is to
bolster their defences with "best practices." This works well in court.
"We do what NIST said" and we're done and dusted. But as we know the
risks are far too complicated for some dry government inspired committee
We end up with a world in which there are companies that do real
security and risk work, and those that do "best practices." The latter
group is far larger, far louder, and unfortunately often more
So, this incentives view will clearly change when a wave of class-action
suits declare companies grossly negligent (or some other legal theory).
And, they have to pay for it through external forces. We are starting
to see that now, with the first rulings coming out that find the banks &
suppliers responsible. But it is slow work - the legal cycle is at
least as slow as the cycle for systemic security improvements.
> Update 15-11-12 14:55: According to security firm Sophos, the
> passwords were stored as unsalted MD5 hashes, which can easily be
> cracked quickly using modern CPU and GPU hardware. If the database
> extract turns out to be genuine, Adobe should have invested a little
> more effort in protecting the passwords of its users.
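The migration asked about in the quoted question, where the stored MD5(password) becomes the input to a salted, slow key-derivation function, is sketched below as an added example; it is not code from either poster. PBKDF2-HMAC-SHA256, the iteration count, the UTF-8 password encoding, the record layout and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def md5_hex(password: str) -> str:
    """The legacy scheme: unsalted MD5, stored as lowercase hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _stretch(secret: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def wrap_legacy(stored_md5_hex: str, iterations: int = ITERATIONS) -> dict:
    """Offline step: needs only the old hash, never the password, so every
    row can be converted at once. Delete the old MD5 column afterwards."""
    salt = os.urandom(16)  # fresh per-user salt
    return {"scheme": "pbkdf2-md5", "salt": salt, "iterations": iterations,
            "hash": _stretch(stored_md5_hex.lower(), salt, iterations)}


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Scheme for new accounts and for accounts upgraded at login."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations,
            "hash": _stretch(password, salt, iterations)}


def verify(record: dict, password: str):
    """Return (ok, replacement). A replacement record is returned only when a
    wrapped legacy record verified, so the MD5 layer can be dropped."""
    wrapped = record["scheme"] == "pbkdf2-md5"
    secret = md5_hex(password) if wrapped else password
    candidate = _stretch(secret, record["salt"], record["iterations"])
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return False, None
    upgraded = hash_password(password, record["iterations"]) if wrapped else None
    return True, upgraded
```

The wrap protects every account immediately, including dormant ones; the replacement record returned by `verify` removes the MD5 layer the next time each user logs in.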