Message-ID: <5274FEE3.3080905@riseup.net>
Date: Sat, 02 Nov 2013 14:32:19 +0100
From: beloumi <beloumi@...eup.net>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Adobe stored 130 million passwords using 3DES/ECB mode

On 02.11.2013 11:24, Per Thorsheim wrote:
> If you haven't got the datadump yet, I've got it.
>
> Best regards,
> Per Thorsheim
> CISA, CISM, CISSP-ISSAP
> http://securitynirvana.blogspot.com/
> +47 90999259
>
>
>> On 2 Nov 2013 at 10:23, Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com> wrote:
>>
>> Any link to the database of encrypted passwords?
>>
>> Wondering what padding method they used...
>>
>>> On Fri, Nov 1, 2013 at 8:00 PM, Poul-Henning Kamp <phk@....freebsd.dk> wrote:
>>> In message <CAHOTMVK5CJOTKwO3ijLMz8AF9e7W-hMJsw57YMhktwxrQeLfsQ@...l.gmail.com>
>>> , Tony Arcieri writes:
>>>>
>>>> On Fri, Nov 1, 2013 at 11:44 AM, Poul-Henning Kamp <phk@....freebsd.dk> wrote:
>>>>
>>>>> Has anybody been able to find out what hash they used ?
>>>> They weren't hashing the passwords. They were using reversible encryption
>>>> with 3DES in ECB mode
>>> ohh...
>>>
>>> I read it as the 3DES was for transfer purposes of the (I assumed)
>>> hashed passwords...
>>>
>>> <facepalm/>
>>>
>>>
>>> --
>>> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
>>> phk@...eBSD.ORG | TCP/IP since RFC 956
>>> FreeBSD committer | BSD since 4.3-tahoe
>>> Never attribute to malice what can adequately be explained by incompetence.

This seems to be no negligence or incompetence. That might have been the
case if the hash function had been forgotten or an insecure one had been
selected.
The implementation of Triple-DES is more complex than a hash function
and the performance is much worse. There is really only one good
reason to do that: to use the passwords elsewhere.
So, Adobe seems to use passwords or make them accessible for others.
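The contrast this thread turns on, reversible ECB encryption of passwords versus salted hashing, as an added example that is not part of the original post and not code from Adobe. A 4-round Feistel cipher built on HMAC-SHA256 stands in for 3DES (same 64-bit block size; Python's standard library has no 3DES), and the key, the PKCS#7-style padding and the sample passwords are constructed assumptions.

```python
import hashlib, hmac, os

BLOCK = 8                 # 64-bit block, the block size 3DES uses
KEY = bytes(range(16))    # constructed demo key, not a real one

def _f(key, rnd, half):
    # Feistel round function (stand-in cipher, NOT 3DES)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _crypt_block(key, block, rounds):
    left, right = block[:4], block[4:]
    for rnd in rounds:
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left   # final swap: decryption is the same loop, rounds reversed

def ecb_encrypt(key, password):
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK       # padding scheme is an assumption
    data += bytes([pad]) * pad
    # ECB: every block is encrypted independently under the same key
    return b"".join(_crypt_block(key, data[i:i + BLOCK], range(4))
                    for i in range(0, len(data), BLOCK))

def ecb_decrypt(key, blob):
    data = b"".join(_crypt_block(key, blob[i:i + BLOCK], reversed(range(4)))
                    for i in range(0, len(blob), BLOCK))
    return data[:-data[-1]].decode()

def hash_password(password):
    # One-way alternative: per-record random salt plus an iterated KDF
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password, salt, digest):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)

if __name__ == "__main__":
    a, b = ecb_encrypt(KEY, "password1"), ecb_encrypt(KEY, "password2")
    print("shared first block:", a[:BLOCK] == b[:BLOCK])   # equality leaks
    print("recovered:", ecb_decrypt(KEY, a))               # key holder reads all
    print("salted records differ:",
          hash_password("password1")[1] != hash_password("password1")[1])
```

With the encrypted store, equal passwords and equal 8-byte prefixes are visible without the key, and whoever holds the key recovers every plaintext; the salted records support verification only.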