Adobe’s Latest Screw-Up

So Adobe had a password breach back in October. Being security super-geniuses, the wise people at Adobe decided to encrypt their passwords instead of hashing them.

Why is this stupid?  Put simply, a good hash is a one-way function:  you can go from password to hash but never the other way around.  Encryption is a two-way function:  one party encrypts the data, and a later party decrypts the data.  Encryption implies decryption, and if you find the algorithm used to encrypt the data originally, you can retrieve all of the plaintext passwords quite easily.  With a good hashing algorithm, however, you have to build and populate a rainbow table.  If you do a really good job—using per-user salts—you essentially require the attacker to build a rainbow table for each user account, something that your average attacker simply won’t do.
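To make the per-user salt point concrete, here is an added example (not from the original post) that stores the same constructed passwords two ways: as a fast unsalted digest, and as a salted, slow derivation. The post names no algorithm, so PBKDF2-HMAC-SHA256, the iteration count, and all function and account names are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh random 16-byte salt is used per user."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def shared_digest_groups(records: dict[str, str]) -> list[list[str]]:
    """Group usernames whose stored values are byte-for-byte identical."""
    by_digest: dict[str, list[str]] = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


# Constructed sample accounts; two users picked the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE.items()}
    salted = {u: hash_password(p)[1].hex() for u, p in SAMPLE.items()}
    print("unsalted duplicates:", shared_digest_groups(unsalted))
    print("salted duplicates:  ", shared_digest_groups(salted))
```

In the unsalted store, alice and bob share one digest, so a single precomputed table entry covers both accounts; with per-user salts their stored values differ and each account has to be worked on separately.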
