5

This is a fascinating document: top 100 passwords from adobe breach

I have a question about one part of it:

However, thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint, this is not preventing us from presenting you with this list of the top 100 passwords selected by Adobe users.

So, because in the past we have allowed developers to use symmetric key encryption instead of password hashing, and here they view "using the same key for every password" as a separate problem, what is the big deal with using symmetric key encryption to store passwords? I understand there could be a performance hit because hashing was designed with speed in mind.

San Jacinto
  • 73
  • 1
  • 6

3 Answers3

5

What's so important about passwords? There's no way around it. Users reuse passwords. Accept it. As a responsible service provider you must understand that and handle your customer passwords with care.

Why not store passwords in plaintext? Because passwords are used for authentication, and password-based authentication doesn't need the plaintext password. Passwords are sensitive information and needs to be kept secret.

Why not store passwords in a non-plaintext reversible format? If an attacker compromises your system, he will have access to your password storage logic and he will reverse the password mangling you're using. This renders the passwords plaintext.

Why not encrypt passwords with a symmetric key? Because the login logic of your application needs to have access to that key, which creates key management issues. In case of a breach, it's very likely that the attacker will have access to the key. This renders the passwords reversible.

Why not use MD5/SHA1? Because they're super fast. Super fast for you means super fast for the attacker to crack.

So, now what? Securely hash your passwords using a strong, non-reversible, and slow scheme like bcrypt. There's no alternative for this. Period.

Adobe went with the symmetric encryption option, not only that, they implemented it incorrectly by using ECB. So they took something bad, and made it even worse.

Adi
  • 43,953
  • 16
  • 137
  • 168
4

Technically, if hashing is fast, that's really worse (or at least as bad) as storing the passwords reversibly in the DB (so long as proper key management is followed).

The problem with using encryption rather than secure (computationally expensive) hashes is that they can be reversed. Sometimes this can be necessary, such as if the password needs to be used to access a third party system that can't support a system specific access token. The problem however, is that if the encryption key is compromised, it is then possible to decode all the passwords in one go.

Alternately, a password derived key can be used as the key for the symmetric encryption of a value that can be validated and since this doesn't use a master key that can decode the passwords (and most likely the password isn't stored at all in this case) it is an ok use of symmetric encryption for password validation.

Similarly, with a secure hash that is properly salted, there is no good way to attack the offline values to try and determine the passwords and no single point of failure results in all the passwords becoming accessible.

Adobe's system on the other hand not only used the same key for all passwords (which means that if that key was compromised, all the passwords are immediately available) but it also doesn't cause there to be any difference between different instances of the same password being encoded, so you can tell all users that have the same password. It's made even worse because they have password hints that give away what some of those repeated passwords are.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
2

There is nothing wrong with storing passwords using symmetric encryption. However I can't think of any reason why Adobe would need to recover your password at any point.

The biggest problem is key management. What Adobe did was use 3DES with ECB mode AND using the same key. ECB is a problem as it will generate the same ciphertext when two users use the same password. When hashing a password or when using CBC for symmetric encryption, you will either use a salt/IV which will make sure that every resulting ciphertext is different. This means that you will never get the same ciphertext for the same encrypted password. It's the same problem as when people use a plain hashing algorithm without a salt.

Another problem with ECB is that, when you have enough plain text you could potentially crack the encryption key by performing analysis using plaintext vs ciphertext (theoretically).

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196