Editing 1286: Encryptic
Latest revision | Your text | ||
Line 12: | Line 12: | ||
Adobe, however, ignored these well-known principles, and instead stored over a hundred million passwords in a reversibly encrypted way, using a terrible choice of encryption methods which exposes a great deal of information about the passwords, and does not involve a salt. This password database was recently obtained by someone and released on the Internet. | Adobe, however, ignored these well-known principles, and instead stored over a hundred million passwords in a reversibly encrypted way, using a terrible choice of encryption methods which exposes a great deal of information about the passwords, and does not involve a salt. This password database was recently obtained by someone and released on the Internet. | ||
− | In particular, Adobe used {{w|Triple DES}}, an older encryption algorithm which can still be relatively secure when properly used, but they | + | In particular, Adobe used {{w|Triple DES}}, an older encryption algorithm which can still be relatively secure when properly used, but they used it improperly. It works on 64-bit (8 character) blocks. Assuming that the passwords are stored in plain ASCII, this means that a sequence of 8 characters in a password which starts on a character position which is a multiple of eight is always encrypted to the same result. Therefore, two passwords starting with "12345678" would start with the same block after being encrypted. Furthermore, this means that you can actually get a very good idea of the length of the password since anything with only one block is a password with length between 1 and 8 characters, and having two blocks implies it has between 9 and 16 characters, etc. |
Adobe also stored hints users created for their passwords. That means that an attacker knows not only if the same 8 characters are used for multiple passwords but also has some hints for guessing them. That means that common password portions should be easy to recover and that any user may be "compromised" by someone else using a part of the same password and providing a good hint. As an example, a password having three hints "Big Apple", "Twin Towers" and "If you can make it there" is probably "New York" or a simple variation on that. The weakness here is that no decryption and therefore no hard cracking has to take place, you just group the passwords by their encrypted blocks and try to solve them like a crossword puzzle. These weaknesses have already been used to presumably identify a password used by {{w|Edward Snowden}}, as discussed at [http://7habitsofhighlyeffectivehackers.blogspot.com/2013/11/can-someone-be-targeted-using-adobe.html 7 Habits of Highly Effective Hackers: Can someone be targeted using the Adobe breach?]. | Adobe also stored hints users created for their passwords. That means that an attacker knows not only if the same 8 characters are used for multiple passwords but also has some hints for guessing them. That means that common password portions should be easy to recover and that any user may be "compromised" by someone else using a part of the same password and providing a good hint. As an example, a password having three hints "Big Apple", "Twin Towers" and "If you can make it there" is probably "New York" or a simple variation on that. The weakness here is that no decryption and therefore no hard cracking has to take place, you just group the passwords by their encrypted blocks and try to solve them like a crossword puzzle. 
These weaknesses have already been used to presumably identify a password used by {{w|Edward Snowden}}, as discussed at [http://7habitsofhighlyeffectivehackers.blogspot.com/2013/11/can-someone-be-targeted-using-adobe.html 7 Habits of Highly Effective Hackers: Can someone be targeted using the Adobe breach?]. | ||
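Review bot: the new paragraph on the right attributes the repeated-block behaviour to Triple DES itself, but identical plaintext blocks producing identical ciphertext blocks is a property of ECB mode (with no IV), not of the cipher; the sentence "It works on 64-bit (8 character) blocks ... is always encrypted to the same result" should name ECB explicitly, since a chained mode such as CBC would not expose block equality across passwords. The length inference ("anything with only one block is a password with length between 1 and 8 characters") also depends on the padding scheme: a scheme that always appends at least one padding byte pushes an 8-character password into a second block, so the paragraph should state which assumption it makes.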
Line 27: | Line 27: | ||
And yet here we are | And yet here we are | ||
XOXOXO | XOXOXO | ||
− | Lets Live Here In This Tiny Secret Encoded Text World Forever</pre> | + | Lets Live Here In This Tiny Secret Encoded Text World Forever==</pre> |
E.g., with the initial unique hash blocks: <tt>python2 -c "print '4e18acc1ab27a2d6a0a2876eb1ea1fca'.decode('hex_codec').encode('base64')"</tt> | E.g., with the initial unique hash blocks: <tt>python2 -c "print '4e18acc1ab27a2d6a0a2876eb1ea1fca'.decode('hex_codec').encode('base64')"</tt> | ||
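Review bot: the `==` appended in "Lets Live Here In This Tiny Secret Encoded Text World Forever==</pre>" will render literally as part of the poem, because heading markup is not parsed inside a <pre> block; if it was meant to close a section heading, it belongs on its own line after </pre>, otherwise it should be dropped.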
Line 38: | Line 38: | ||
Soon after this comic was published, the most common 1000 passwords were actually compiled into [http://zed0.co.uk/crossword/ a set of 10 interactive online crosswords], inspired by the comic. | Soon after this comic was published, the most common 1000 passwords were actually compiled into [http://zed0.co.uk/crossword/ a set of 10 interactive online crosswords], inspired by the comic. | ||
− | The title itself is a reference to {{w|cryptic crossword}}s. | + | The title itself is a reference to {{w|cryptic crossword}}s. |
===Passwords=== | ===Passwords=== | ||
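Review bot: the two sides of "The title itself is a reference to {{w|cryptic crossword}}s." are visually identical, so this hunk is a whitespace-only change (most likely a trailing space); it is harmless, but if no other change was intended it can be left out of the edit.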
Line 147: | Line 147: | ||
|purloined | |purloined | ||
|<tt>asdfghjk</tt> | |<tt>asdfghjk</tt> | ||
− | |A reference to the {{w|Edgar Allan Poe}} story "{{w|The Purloined Letter}}", this represents all the keys of the home row, or the keyboard mash password, but with one missing (" | + | |A reference to the {{w|Edgar Allan Poe}} story "{{w|The Purloined Letter}}", this represents all the keys of the home row, or the keyboard mash password, but with one missing("purloined") letter. |
|- | |- | ||
|<tt>a8ae5745a2b7af7a 9dca1d79d4dec6d5</tt> | |<tt>a8ae5745a2b7af7a 9dca1d79d4dec6d5</tt> |
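Review bot: the right-hand cell reads `missing("purloined") letter`, with no space before the opening parenthesis; it should be `missing ("purloined") letter`. The left-hand cell is cut off at `missing ("`, so the comparison does not show whether anything else in that cell changed.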