Thread: Help! password
11-13-2013, 08:09 AM   #5
Lamplighter
NY Times
By NICK BILTON
11/12/13

Adobe Breach Inadvertently Tied to Other Accounts
Quote:
This week, Ammon Bartram, a software engineer and co-founder of SocialCam,
was talking to a friend about a recent security breach at Adobe in which hackers
were able to gain access to tens of millions of encrypted passwords and email addresses.
The friend, Mr. Bartram said, did not think anyone would be able
to find out his pass code from the stolen data.
“I’ll bet you $10 you can’t figure it out,” the friend said confidently.

Mr. Bartram went to a file-sharing website, downloaded a nearly 9-gigabyte file
the Adobe hackers had posted online that is said to contain 150 million emails
and encrypted passwords for Adobe user accounts, and began searching.
Soon after, Mr. Bartram said in a phone interview, he informed his friend:

“Your password is ‘dinosaur.’”

While Adobe “hashed” its passwords
— which involves mashing up users’ passwords with a mathematical algorithm —
the company did not apply this level of security to people’s e-mail addresses
or the hints they use when they forget their passwords.

So Mr. Bartram was able to search for his friend’s email address, then copy
the “hashed” version of the password and search for other people
who used that same string of letters and numbers.
He found 500 people with the same password as his friend, and then searched the
nonencrypted hints that people had written if they forgot their password on the Adobe website.

“The best advice is for people not to recycle the same password in multiple places,” Mr. Krebs said.
“It’s prohibitively complex for hackers to crack passwords that are over 13 characters long;
people have to think pass phrases instead of passwords.”
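Added example, not part of the post or the quoted article: a storage audit showing why identical stored values link accounts that share a password (so one plaintext hint exposes the whole group), and how a per-user salt removes that link. The records are constructed, SHA-256 stands in for whatever deterministic transform was used (the article does not name it), and the function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

# Constructed sample records (email, password, plaintext hint); not real data.
USERS = [
    ("a@example.com", "dinosaur", "t-rex"),
    ("b@example.com", "dinosaur", "extinct reptile"),
    ("c@example.com", "correct horse battery staple", "comic strip"),
    ("d@example.com", "dinosaur", "jurassic park"),
]

def unsalted(password):
    """Weak: deterministic, so equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password):
    """Hardened: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def build(store_fn):
    """Build a credential table using the given storage function."""
    return [(email, store_fn(pw), hint) for email, pw, hint in USERS]

def shared_value_groups(table):
    """Audit: return groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for email, stored, hint in table:
        groups[stored].append((email, hint))
    return [members for members in groups.values() if len(members) > 1]

if __name__ == "__main__":
    for name, fn in (("unsalted", unsalted), ("salted", salted)):
        groups = shared_value_groups(build(fn))
        print(name, "-> groups sharing a stored value:", len(groups))
        for members in groups:
            print("   ", [email for email, _ in members],
                  "hints:", [hint for _, hint in members])
```

Any non-empty result from `shared_value_groups` on a real credential table means the stored values are deterministic and should be migrated to salted, slow hashing.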