Just finished reading “News of Adobe hacks yet again worsens”.
Initial thought – OMG, what a bunch of imbeciles Adobe left in charge of password security.
Second thought – OMG, why is it that soooo many people are soooo clueless when it comes to choosing a secure password?
130 million passwords compromised? – and 200,000 of those are “adobe123”.
But hey, it’s all safe because Adobe didn’t store the password, but only a hash of it.
Well, not really.
Sure, they only stored the computed “hash” of the password. But the function they used wasn’t a one-way hash: it is reversible by anyone holding the key.
So all that is needed now is for someone to recover the key used to compute it.
And voilà… 130 million passwords in cleartext.
So, if you’re one of those people who can’t be bothered to maintain separate passwords for every single online account, then you’ve just opened those other accounts up as well (once the key is cracked).
This of course means that – even if you changed your password on Adobe after they got hacked – those other account passwords are still wide open for abuse.
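To make the difference concrete, here is an added example (mine, not Adobe’s code and not anything described in the articles above). The toy `reversible_store` is a constructed stand-in for any keyed, reversible scheme: whoever learns `SERVER_KEY` recovers every stored password at once. The `store_password`/`verify_password` pair does what a site should do instead: a random per-user salt and a slow one-way function (PBKDF2-HMAC-SHA256 from the standard library), so that each password has to be guessed on its own and two users who both picked “adobe123” don’t even produce the same record. The `WEAK_PASSWORDS` list and the 12-character minimum are assumptions of this example, not a standard.

```python
import base64
import hashlib
import hmac
import os

# --- What NOT to do: a keyed, reversible store (constructed toy, not Adobe's scheme) ---
SERVER_KEY = b"constructed-demo-key"   # if this leaks, every password below is exposed


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from key + nonce with HMAC-SHA256 (toy stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str, nonce: bytes) -> bytes:
    """'Protect' a password in a way that anyone holding SERVER_KEY can undo."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(SERVER_KEY, nonce, len(data))))


def reversible_recover(blob: bytes, nonce: bytes, key: bytes) -> str:
    """Same operation in reverse: with the key, the cleartext comes straight back."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, nonce, len(blob)))).decode()


# --- What to do instead: salted, slow, one-way password hashing ---
PBKDF2_ITERATIONS = 200_000   # assumption: tune upward as hardware gets faster
SALT_BYTES = 16
# Constructed blocklist; a real deployment would load a large breach-derived list.
WEAK_PASSWORDS = {"adobe123", "123456", "password", "qwerty"}


def password_is_acceptable(password: str) -> bool:
    """Reject the trivially guessable passwords that dominated the Adobe leak."""
    return len(password) >= 12 and password.lower() not in WEAK_PASSWORDS


def store_password(password: str) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def register(username: str, password: str, db: dict) -> bool:
    """Registration path: refuse weak passwords, otherwise store only the salted hash."""
    if not password_is_acceptable(password):
        return False
    db[username] = store_password(password)
    return True


if __name__ == "__main__":
    nonce = b"user-42"
    blob = reversible_store("adobe123", nonce)
    print("reversible store leaks:", reversible_recover(blob, nonce, SERVER_KEY))

    users = {}
    print("register adobe123:", register("alice", "adobe123", users))          # False
    print("register strong:", register("bob", "correct horse battery staple", users))
    print("verify ok:", verify_password("correct horse battery staple", users["bob"]))
```

Note that with the hashed store there is no server-side key to crack: verification only ever recomputes the hash from the candidate password, so a leaked table forces an attacker into per-password guessing, which is exactly where a long, unique password pays off.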
Keeping track of passwords and account names is not an issue if you’ve only got a few, but they tend to pile up over time as you register yourself on more and more sites.
(Personally I’ve been using LastPass (the free version) for years to save me from having to choose between weak/short passwords and writing long/secure passwords down.)
“Raising awareness quickly: A look at basic password hygiene” refers to a study which concluded this:
The problem is that simple, easy to remember passwords are also easy to “crack.” That’s probably why a major study found that 76% of network intrusions (aka breaches) in 2012 involved weak or stolen passwords.
So, how are you dealing with passwords? – will one compromised password grant access to a long list of different accounts?
Will having your Facebook password hacked suddenly leave your Twitter, GMail, Pinterest, PayPal, bank, forums, medical information etc. wide open?
In reality you only need to have your email password compromised to be in for a really bad experience, as the bad guys simply request new passwords for every account that doesn’t utilize a challenge/response system (such as “What’s the name of your first pet?” questions).