As many of you will know, two months ago, Adobe’s servers were hacked into and the user information stolen. At first this was thought to be a major breach, with about 3M records lost. Then the number went to about ten times that. Now, however, there is talk of it heading for the Guinness Book of Records, as it appears the number may be closer to 150M!
Now, the passwords were encrypted (or, more technically, ‘hashed’), so the bad guys can’t just read them off. But they weren’t encrypted as well as they might be, in particular because if several people use the same password, the system stores the same thing. So if you know one person’s password, perhaps because you got it from a previous hacking incident elsewhere and can tie it to their email address, you can now work out anybody else who uses the same password.
But it’s more fun than that… and there’s a great article on the Sophos site going into more gory detail if you’re interested.
One column that wasn’t encrypted in the database was the one holding the ‘password hints’… you know, the phrases you can put in on some sites to remind you if you forget your password.
Now, the most popular password is “123456”, which encrypts to “110edf2294fb8bf4” in the Adobe database. Hundreds of thousands of people use this one. Another very popular one, believe it or not, is “password”, which becomes “2fca9b003de79778 e2a311ba09ab4707”. (You can see more of the most common choices here.)
If you know the encrypted form, you may not be able to work out the original. But if many thousands of people use it, and just one of them gives it away in the password hint, then things become trivial. And it turns out that there are lots of lovely examples in the Adobe file, where users have put in hints like “Rhymes with assword”, or ‘1-6’…
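To make the “same password, same stored value” problem concrete, here is a small added example (not from the post, and not Adobe’s actual scheme): it stores a constructed set of accounts once with a deterministic digest and once with a per-user random salt, then shows how many other users share your stored value in each case, which is the kind of check the LastPass page performs.

```python
import hashlib
import os
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample accounts; several reuse the same password, as in the dump.
ACCOUNTS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "correct horse battery"),
    ("erin@example.com", "password"),
    ("frank@example.com", "123456"),
]


def store_unsalted(password: str) -> str:
    """Deterministic storage: identical passwords give identical stored values.
    (SHA-256 stands in for whatever the breached system used.)"""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt: identical passwords give different stored values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


def build_unsalted_table(accounts) -> Dict[str, str]:
    return {email: store_unsalted(pw) for email, pw in accounts}


def build_salted_table(accounts) -> Dict[str, Tuple[str, str]]:
    return {email: store_salted(pw) for email, pw in accounts}


def shared_password_count(table: dict, email: str) -> int:
    """How many *other* users have exactly the same stored value as this one."""
    target = table[email]
    return sum(1 for e, v in table.items() if e != email and v == target)


def largest_cluster(table: dict) -> int:
    """Biggest group of identical stored values visible to whoever holds the dump.
    One leaked hint in a cluster exposes every account in it."""
    return max(Counter(table.values()).values())


if __name__ == "__main__":
    plain, salted = build_unsalted_table(ACCOUNTS), build_salted_table(ACCOUNTS)
    print("unsalted: others sharing alice's value =", shared_password_count(plain, "alice@example.com"))
    print("salted:   others sharing alice's value =", shared_password_count(salted, "alice@example.com"))
```

With the deterministic table, three accounts collapse into one visible cluster; with per-user salts every stored value is unique, so the dump alone no longer says who reused a password.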
Anyway, if you’re curious about whether you appear in this list, which you might if, say, you’ve ever downloaded Acrobat, there’s a very nice service that LastPass have put together at:
where you can type in your email address and it will let you know if you’re in the database. It can also email you a link showing how many other people used the same password as you, and what some of their hints were. Which can be quite sobering.
I’m embarrassed to say that mine, which was mildly obscure, I originally thought, had 40 other users. That’s only 40 in 150 million, but it’s still not good for precisely the above reasons. I’ve had an Adobe account for a very long time, and this password predated my use of 1Password to generate unique and complex passwords for each site. Thankfully, since I’ve been storing my passwords in 1Password for quite a long time, it’s easy now (if somewhat tedious) to find the other elderly accounts on which I’ve used it, and fix them…
How about you?