What a flawed, sensationalist headline. So, he looked at all people that used aliases for Gmail accounts (added a +something or . to their address) to register multiple times.
By comparing the hashes for these Gmail users, he then determined that 51% used the same password for duplicate Adobe accounts. He asserts they were "highly technically savvy users" and thus 51% is the lower bound for the population of all Adobe users, thus 51% of the users used the same password somewhere else. Therefore "64 million" users' accounts are compromised on other sites, because they must be using the same password elsewhere.
OK. Here is the problem. You, a savvy user, have multiple accounts on the same site; why would you use different passwords for your alias accounts? Same password on same site != Same password on all sites.
I don't use the same password on other sites, but do use the same email (not the one on my HN profile) in a lot of other places.
I'm still not "less angry" at Adobe. Probably irrationally so, since data leaks can happen to anyone, but just the idea that my info is in a downloadable archive somewhere for any Joe Shmuck to pickup is driving me up the wall.
Since your lower bound ignores a common case: I use a formula based on the site to create a [unique]+[common] combined password, your premise that it is a lower bound is invalidated.
A better lower bound would be: find password hashes that occur with high frequency. "password1" and "wordpass" are probably each in the data a few thousand times (or rather their hash is in there a few thousand times).
Then use the logic that if a person is using an extremely common, known insecure password, that they're probably using the same lazy password in a lot of places. Use this as a lower bound, as it is a lot more defensible.
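The two estimators discussed in this thread (the Gmail-alias comparison from the article, and the high-frequency-hash lower bound proposed above) can both be computed from the same parsed dump. The following is an added example written for this page, not code from the article's author or from any commenter; it assumes a simple constructed "email<TAB>stored-password-value" line format and a handful of constructed records, and it assumes, as the thread's comparison does, that identical passwords produce identical stored values.

```python
from collections import Counter, defaultdict

# Constructed sample records (not from any real dump).
# Assumed format: one account per line, "email<TAB>stored_password_value".
SAMPLE_DUMP = """\
alice@gmail.com\tH1
alice+shop@gmail.com\tH1
a.lice@gmail.com\tH2
bob+work@gmail.com\tH3
bob@gmail.com\tH3
carol@example.org\tH9
dave@example.org\tH9
erin@example.org\tH9
frank@example.org\tH4
"""


def parse_dump(text):
    """Parse the assumed line format into (email, stored_value) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        email, value = line.rsplit("\t", 1)
        records.append((email.strip().lower(), value.strip()))
    return records


def canonical_gmail(email):
    """Collapse Gmail aliases: drop the '+tag' suffix and dots in the local part.
    Returns None for non-Gmail addresses so they are excluded from alias grouping."""
    local, _, domain = email.partition("@")
    if domain not in ("gmail.com", "googlemail.com"):
        return None
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@gmail.com"


def alias_reuse_rate(records):
    """The article's estimator: among Gmail identities that registered more than
    once via aliases, the fraction whose accounts all share one stored value.
    Returns (rate, number_of_multi_account_identities)."""
    groups = defaultdict(list)
    for email, value in records:
        key = canonical_gmail(email)
        if key:
            groups[key].append(value)
    multi = {k: v for k, v in groups.items() if len(v) > 1}
    if not multi:
        return 0.0, 0
    same = sum(1 for values in multi.values() if len(set(values)) == 1)
    return same / len(multi), len(multi)


def common_hash_share(records, threshold):
    """The commenter's proposed lower bound: the share of all accounts whose stored
    value occurs at least `threshold` times across the whole dump, i.e. accounts
    using a password common enough to be considered well known and weak.
    Returns (share, list_of_values_at_or_above_threshold)."""
    counts = Counter(value for _, value in records)
    hits = sum(1 for _, value in records if counts[value] >= threshold)
    common = [value for value, c in counts.most_common() if c >= threshold]
    return hits / len(records), common


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("alias reuse rate:", alias_reuse_rate(recs))
    print("share with a value seen >= 3 times:", common_hash_share(recs, 3))
```

On the constructed sample, the alias measure reports one of two multi-account Gmail identities reusing a value (0.5), which says nothing about other sites, while the frequency measure reports that 3 of 9 accounts share a value seen three times. On a real dump the threshold would be set far higher so that only genuinely widespread passwords count, and the two numbers answer different questions, which is the point of the disagreement above.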
I think it's debatable actually - while intersecting the list with another does give you less bias, it also reduces the sample size immensely (as happened in the 2011 analysis I linked to), so there are trade offs in both directions.
I'm not claiming that I know exactly how many accounts reuse passwords - I am suggesting that, based on my estimate, it is more than half.
I don't doubt there is much password reuse. Like the original complaint, I don't think the data point has value because reusing passwords on same site implies nothing on different sites.
I wonder how far back these accounts actually go. "Adobe accounts" have been a thing for at least 4 years -- the first time I needed one was in 2009. I'm sure they probably extend back further than that.
If this is a database that's been growing over a long enough period, the distribution might be very different compared to a system that's only been around for, say, a year.
Is it illegal to possess the dump file? I ask this purely from a self-protection standpoint as, over the years, I'm pretty sure I've signed up for more than one account, and would want to check to see what data is registered in my name.
Is there anyone out there that takes these reports and the reported files and sends an email out to all the people informing them that their password is potentially compromised?
I haven't yet received an email from Adobe, but I would imagine that my email address is likely among the accounts that were leaked in this file.
I tried grep first - at 10-12 MB/sec disk IO it was taking too long... This scans the file in about 10-30 sec depending on whether your email is near the top or bottom... Obviously if the emails were sorted we could do better...
Ironically, if Adobe is truncating their passwords to 12 characters that would be a major positive for me in the case of this leak as they'd only have half of my password. At least one of my accounts from back when I memorized all of my 20+ character passwords was compromised. I'm sure I still have a few accounts with the same pass that need to be reset just to be safe, but at least there's something to chuckle about...
When logging in to Adobe, but that's a password reset away. They won't be able to get into any sites which allow more than 12 characters which, while it probably doesn't help me much in practice, may at least serve to frustrate a couple people who try to mess with my accounts. It's still a major net negative.
So someone decided to host the only copy I can find of users.tar.gz on sourceforge, who has of course taken it down. There’s a torrent, but it seems to be stuck at 75%. Anyone else got something I could use to warn customers in the list to change their password?
I see three of my email addresses in the list; 2 are no longer valid. I imagine because of the number of invalid email addresses in the list, any spammer attempting to use the list would pretty quickly be shut down. But surely someone smarter about email delivery could comment.