lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 02 Nov 2013 14:32:19 +0100
From: beloumi <beloumi@...eup.net>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Adobe stored 130 million passwords using 3DES/ECB mode

Am 02.11.2013 11:24, schrieb Per Thorsheim:
> If you haven't got the datadump yet, I've got it.
>
> Best regards,
> Per Thorsheim
> CISA, CISM, CISSP-ISSAP
> http://securitynirvana.blogspot.com/
> +47 90999259
>
>
>> Den 2. nov. 2013 kl. 10:23 skrev Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>:
>>
>> Any link to the database of encrypted passwords?
>>
>> Wondering what padding method they used...
>>
>>> On Fri, Nov 1, 2013 at 8:00 PM, Poul-Henning Kamp <phk@....freebsd.dk> wrote:
>>> In message <CAHOTMVK5CJOTKwO3ijLMz8AF9e7W-hMJsw57YMhktwxrQeLfsQ@...l.gmail.com>
>>> , Tony Arcieri writes:
>>>> --089e010d9730b1266f04ea2205af
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> On Fri, Nov 1, 2013 at 11:44 AM, Poul-Henning Kamp <phk@....freebsd.dk>wrote:
>>>>
>>>>> Has anybody been able to find out what hash they used ?
>>>> They weren't hashing the passwords. They were using reversible encryption
>>>> with 3DES in ECB mode
>>> ohh...
>>>
>>> I read it as the 3DES was for transfer purposes of the (I assumed)
>>> hashed passwords...
>>>
>>> <facepalm/>
>>>
>>>
>>> --
>>> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
>>> phk@...eBSD.ORG         | TCP/IP since RFC 956
>>> FreeBSD committer       | BSD since 4.3-tahoe
>>> Never attribute to malice what can adequately be explained by incompetence.

This seems to be no negligence or incompetence. That might have been the
case if
the hash function had been forgotten or an insecure one had been selected.
The implementation of Triple-DES is more complex than a hash function
and the performance is much more worse.
There is really only one good reason to dothat:  To use the passwords
elsewhere.
So, Adobe seems to use passwords or make them accessible for others.

Powered by blists - more mailing lists