A basic salted hash would prevent this sort of thing (not saying that bcrypt/etc. aren't worth using).
As to people using obvious password hints, it depends how much you care about the account - I don't use hints anywhere, but there's plenty of accounts I have where I really wouldn't care if anyone logged into it, so if I was someone who needed hints, then sure why not?
Amazingly, these aren't even password hashes.. they're encrypted versions of the password. Ars wrote an article on this yesterday [1]. Basically if anyone has the encryption key, they'd be able to decrypt ALL passwords in the list.
Actually you maybe don't even need the key. I don't know what algorithm Adobe used to encrypt these passwords, but for most standard ones it holds that if you have two encrypted messages A' and B' corresponding to plain texts A and B, then B = A ^ A' ^ B'. You really only need to find one password of length N to be able to decrypt all passwords with length <= N.
Edit: Of course I mean two messages encrypted with the same key and initialisation vector. Do not reuse IVs kids, you'll get hurt.
That's true of stream ciphers, and if they reuse a nonce.
It looks like they used 3DES which is for all intents and purposes here, immune to a this kind of attack.
EDIT: If they use 3DES in a CTR mode then it could be vulnerable to this, but looking at the base64ed texts in the blog posts, they are multiples of 8 meaning it is almost certainly in a block cipher mode. Would be interesting to see if you can find any block similarities if they used ECB.
This is really neat. Adobe stated the hashes are 3DES/ECB.
So, say I have a two block password with '6aMjgZFLzYg' as the second block... when I just search for that block I see alot of hints that point to '123456789' as a password, implying the plaintext for that block is simply '9'. So now I believe the password is 9 characters long and ends with '9'.
This is a common misconception, but a "global salt" isn't actually a salt. Not sure what a "basic salt" is though.
> A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database.
Ah, I did not know that. And I wrote some password hashing with a global salt myself. So I stand by my comment with "one laughing and one crying eye". I thought salts were mostly against precomputed rainbow tables for specific hash functions, but of course if my hashes are valuable enough, a global salt makes cracking them easier than if I used a random/unique one per hash.
From what I understand rainbow tables are not really used anymore -- they were useful when it took longer to calculate hashes, but nowadays you just need a decent graphics card to calculate a few billion hashes (MD5 or SHA1) PER SECOND.
Per-hash salts don't really slow that down at all, unfortunately.
Short-version: don't use the hash algorithms that are designed to be fast for protecting sensitive data; use something solid with a work factor instead.
True, but if the global salt is secret, it'll at least make it slightly harder for the attacker to figure out the password.
For example, if the password is "a" and an unique salt is available in the database, it'll be trivial to brute force. If the password function is something like this, however: sha256("longsalt" + password + salt) the attacker will first have to figure out longsalt which can be slow if it's long.
If you can steal the password hash database, stealing the shared "salt" is usually going to be trivial. Second, lots of hash functions are vulnerable to length extension attacks, so even if extracting the shared secret directly is hard, you can probably exploit the system to see what an empty password hashes to and then use that as a basis for brute-forcing the rest.
In other words: there is a reason why security experts and cryptographers recommend the password storage mechanisms they do.
The obvious solution is to salt it with something that is unique to that account: The internal account id, a string randomized at account creation or something like that.
An identical password for two different accounts should never encrypt to the same string.
The salt should always be random. If it's based on some account information it's possible that the salt can be regenerated if that account information would become available, in a DB dump like this for example.
If they had used different salts for every account, and that salt was published in this dump it would have been much more difficult to find identical passwords compared to the current situation.
I'm not sure how you can keep the salt random and secret, and still use it when users log in?
Salts aren't secret. The point of salting a password is to prevent the password (like "alskdjfalsdf") from always hashing to the same result (like "j9p+HwtWWT86aMjgZFLzYg=="). That prevents rainbow table attacks (among others) and it doesn't require the salt be secret.
If lots of sites all use user ids as a salt and all count up from 1 then a much weaker version of this attack applies: you can identify all the people who have both the same password and the same user id.
If this were common, someone constructing a lookup table for password hashes could include ones salted with the first N user ids. A N-times bigger table isn't something you'd be excited about as a cracker, but might still be practical.
If your user ids are randomly assigned this should be pretty much the same as generating a random salt. Still, the extra storage of a salt is going to be small compared to whatever else you're storing per-user, so better to do the safe thing and go with what's standard.
"I can't see why a user id could not be used as a salt though" thats exactly how people break crypto implementations, it seems ok but you dont really know. Don't just invent your own way, use the standard one.
The salt is typically stored in the password db, alongside the salted hash.
If Adobe has taken that approach, the intruders would have all the salts, but they would not be able to do this attack of seeing how many people use the same password.
However, Snowden's silly password hint would still have given the game away. If that is in fact him.
If it's random, you need to store it, and it becomes just as available on a leak. The salt still works though, because it makes all hashes different. You need to attack each password individually rather than tackling them all with a rainbow table or something. The approach from this article also stops working. What you use as a salt is fairly irrelevant as far as I can tell.
If you want to get more security on top of that out of your salt, the only thing I can think is to add some security by obscurity on top: If it doesn't matter which field in the DB you use, just pick an unlikely one and keep secret which one it is. Might be id, email, favourite pet, or something else. Just don't forget to update the hash when the user changes that field.
As to people using obvious password hints, it depends how much you care about the account - I don't use hints anywhere, but there's plenty of accounts I have where I really wouldn't care if anyone logged into it, so if I was someone who needed hints, then sure why not?