• Week in Cyber: Your Password Hint Should Be 'Ignore'

    November 14th, 2013
In August, Adobe suffered an extensive breach of customer data and its source code, an attack first reported by Brian Krebs in October

More than 38 million customer accounts were effected, along with 40GB of source code taken. And no, not even the company that brings you Photoshop could make the breach look like anything short of a serious problem.

The silver lining, though, is that the incident has sparked a wave of excellent industry commentary and helped raise awareness of cyber security issues which aren't solely a problem at Adobe. 

In the Week in Cyber, we look back at a pair of posts on the subject every cyber security professional should read.

Password Hint: Yeah, Right

Troy Hunt: Adobe Credentials and the Serious Insecurity of Password Hints

Troy Hunt is a Microsoft programmer and software architect who blogs on a range of IT and software security topics. In this post, he utilizes data posted online from the Adobe account breach  This one delves into the often used practice of providing pass phrases for users to be able to unlock their accounts.  Is this practice inherently secure?

By using this voluminous real world data source, he essentially answers that question with a resounding no, nope, never.

Since he had a long list of encrypted passwords and password hints, he was able to categorize the password hints and then ranked them by frequency of usage.  Not surprisingly family and pet names jumped to the top of the list.  With some simple social engineering research work – matching your email address to an account, and your password hint (say, "family dog") to your dog's name Fido the Insecure --  that type of data can usually be readily found in a Facebook post or some other social media posting.

Encryption? Adobe Should've Hashed Out the Vulnerabilities, First

Sophos: Anatomy of a Password Disaster: Adobe's Giant Sized Crytopgraphic Blunder

Sophos makes a range of IT security products targeted at everything from laptops to virtual desktops to servers and mobile devices. Sophos also delved into the Adobe breach, but focused on cryptographic blunders Adobe committed. The breach impacted over 38 million of their users (original reported estimates were on the order of 2.9 million--that number proved grossly underestimated. These were all active accounts at the time of the original breach). Adobe sent out notices to their user base--and those account credentials have all now been changed – because all the passwords were forced to be reset.

The odd thing Adobe reported was that the company had encrypted the passwords and not used a mathematical algorithm called hashing to store the passwords.  This allowed the encrypted passwords to be analyzed by focusing on what stream cipher was used for the encryption purposes.  In simple form, with a consistent cypher, Adobe's data breach was literally the largest crypto-quote puzzle ever published.

Sophos does a nice job of dissecting the algorithms in use and shows clearly that a substantial portion of the entire database was put at risk because of the usage of encryption instead of hashing. Adobe did not do themselves proud from a cyber perspective in this situation.

But there's even more damage done by this process, Sophos notes. Since the passwords could now be cross referenced, Facebook jumped into the fray and sent messages out to their user base indicating that the compromise of an external site showed they were using the same password at Facebook.  So here we have a breach in one realm improving security practices in another.  Without even knowing the passwords of their users, Facebook was able to raise the awareness of the dangers of using the same password at multiple sites.  Moreover, they were able to ‘lock these users in a closet’ and make them change their password.

Using the same passwords across multiple sites is one of the most prevalent users practices because really, who has the time and available brain cells to memorize a unique password for each and every online account they use?  However, this real world case shows how dangerous this practice could be. Once a user account has been compromised in this manner, each and every account using that same password is now at risk as an attacker can simply send the discovered user credentials to that site.

One solution?  Avoid having to memorize any passwords by using password manager software that keeps track of and provides a unique password for each and every user account.

The Takeaway

The preceding discussions all serve to point out how important the concept of ‘defense in depth’ truly is.  In case after case, it is shown that one security mechanism can be breached, but having additional defenses in place can prevent an ultimate data breach. By using real world data, security researchers point out just how dangerous common user practices are, and mitigation techniques can be proposed to close those gaps.

Let’s all be careful out there.