At first, Adobe’s best estimates for the number of accounts hacked was in the low millions. Their latest estimate was ten times their original one, with new compromised accounts being discovered every day. However, just a few days ago, the group that stole the information from Adobe claimed the number was closer to 130 million.
The hacking group hasn’t appeared to have done anything with the data they have stolen in the past month they have had it, as Adobe reports that not a single user has said anything to the company about unauthorized usage of their cloud services. However, that doesn’t mean the hacking group has simply let the data sit. In fact, they’ve been working hard to decrypt the passwords.
While the hackers admit they do not “have the keys Adobe used to encrypt the passwords of the 130, 324, 429 users affected by their [Adobe’s] most recent breach,” they have figured out a number of hashed passwords “thanks to Adobe choosing symmetric key encryption over hashing.”
Symmetric key encryption is a class of algorithms used in cryptography that, instead of mixing up the digits and letters of an encrypted password, simply use the same ones in the same order if the password is the same. For example, if a password is symmetrically encrypted and the password is “technology,” then whether your password or someone else’s password is “technology” is irrelevant; the encryption of the word is the same. If a password is hashed instead, however, a master key must be used to decrypt the passwords, as the password values are secret.
Adobe apparently does not use hashing and instead encrypts their passwords symmetrically, meaning that once one password is discovered and the hashed version of it is as well, a hacking group simply has to search an entire document for identical encryption keys to figure out the password to an account.
The following are the top ten passwords discovered by the hacking team, and the number of account that used said password:
- 123456 (used by 1, 911, 938 accounts)
- 123456789 (used by 446,162 accounts)
- password (used by 345,834 accounts)
- adobe123 (used by 211,658 accounts)
- 12345678 (used by 201,580 accounts)
- qwerty (used by 130,832 accounts)
- 1234567 (used by 124,253 accounts)
- 111111 (used by 113,884 accounts)
- photoshop (used by 83,411 accounts)
- 123123 (used by 82,694 accounts)
The rest can be viewed here.
While it may seem obvious that a password should include more than a few letters and numbers, over three million accounts that the hackers have information on used passwords that were not only easy to guess, but easy to type as well. Though Adobe has reset these accounts and not allowed anyone to log in unless they have reset their passwords, the fact is that these passwords were used where critical information, such as addresses, credit card information, and phone numbers were at stake.
Remember, when choosing a password for a sensitive account such as this, keep these tips in mind:
Choose a combination of letters and numbers. Even if someone does steal your encrypted password, it will be more difficult to guess.
Do not give away your password in your password hint. A password hint is meant to be that; a password hint. Don’t include your actual password in the hint. This is one way Adobe’s hackers discovered the passwords above.
Change your password regularly. Many security websites suggest you change your password once every 60 to 90 days.
Don’t use sequential numbers and letters. Passwords that are typed all in a row, such as “qwerty,” are not only easy to figure out when hacked, but easy to figure out if someone walks into your office while you are typing it.
Finally, get creative. Using elements from your life is fine, but try to combine them. Your daughter’s name is easier to guess than your daughter’s name combined with a number and your dog’s name, too.
Password safety is the first combatant against unwanted access to your computer, network, and private information. If you need help designing a strong password, do not hesitate to contact a professional IT company today.