Monday, November 11, 2013

The Adobe Password Leak

Like most everyone I have taken a look at the leaked Adobe passwords. Being based in Sweden, I took an interest in the .se domains. Surprisingly, there are 405 978 accounts with a .se email address. Considering how common, for example, hotmail.com is in Sweden, the number of Swedish users who had their passwords leaked is probably much higher.

I write that passwords have been leaked since that is how it is reported. Really, the passwords haven't been leaked, nor even a password hash. What has been leaked is most likely 3DES-encrypted passwords. But to simplify things I'm calling the encrypted passwords hashes, since that's usually what you are dealing with when analyzing a password leak like this.

The top 10 .se domains are:
Users     Domain
63870     live.se
23732     yahoo.se
22833     hotmail.se
18537     spray.se
14277     comhem.se
8677       home.se
7254       tele2.se
5599       swipnet.se
2370       passagen.se
2231       kth.se

Interesting .se domains include:
Users     Domain
242        svt.se
172        riksdagen.se
142        sr.se
110        posten.se
110        handelsbanken.se
106        foi.se
81          swedbank.s
71          mil.s
51          lansstyrelsen.se
45          polisen.se
36          dom.se
30          sosalarm.se
30          fmv.se
26          tullverket.se
3            sakerhetspolisen.se
1            regeringen.se
I considered not listing these, but there really isn't any damage that can be done with this information. I just really hope that these organizations have a process in place to deal with events like this. A process such as the one used by Facebook. Or even diapers.com.

Top 10 passwords with a .se domain.
Users     Hash                       Hash in hex                          Characters
2338      EQ7fIpT7i/Q=               110edf2294fb8bf4                     1-7
594       5djv7ZCI2ws=               e5d8efed9088db0b                     1-7
412       bxdBgvc+vf4=               6f174182f73ebdfe                     1-7
364       AMa2wiULxwQ=               00c6b6c2250bc704                     1-7
332       BB4e6X+b2xLioxG6CatHBw==   041e1ee97f9bdb12 e2a311ba09ab4707    8
326       j9p+HwtWWT86aMjgZFLzYg==   8fda7e1f0b56593f 3a68c8e06452f362    9-15
283       WXloyVACcHY=               597968c950027076                     1-7
272       L8qbAD3jl3jioxG6CatHBw==   2fca9b003de39778 e2a311ba09ab4707    8
216       kCcUSCmonEA=               9027144829a89c40                     1-7
191       4hq+QcwrYkfioxG6CatHBw==   e21abe41cc2b6247 e2a311ba09ab4707    8
Some, if not all, of these hashes have been solved already, but I won't be listing that here.

As you can see above, a majority of the top passwords consist of 1-7 characters. The list is actually incorrect since the most common .se password was actually no password at all. 57 172 .se accounts didn't have a password in the file. Good for them. That means that there are only 348 806 .se accounts who had their passwords leaked. That's about 50 000 less than what has been reported in Swedish media (their analyst might not have noticed that some entries are lacking a password), but still quite a lot.

Number of password hints for the top 10 .se passwords
Users     Hash                       Hints
2338      EQ7fIpT7i/Q=               593
594       5djv7ZCI2ws=               128
412       bxdBgvc+vf4=               106
364       AMa2wiULxwQ=               92
332       BB4e6X+b2xLioxG6CatHBw==   24
326       j9p+HwtWWT86aMjgZFLzYg==   73
283       WXloyVACcHY=               95
272       L8qbAD3jl3jioxG6CatHBw==   71
216       kCcUSCmonEA=               42
191       4hq+QcwrYkfioxG6CatHBw==   54
This is the same top 10 list as the one directly above it, but with the number of hints listed for that particular password. You might be able to guess a password based on the hint alone, but with this many hints, guessing becomes very easy. And there is also the odd user that ruins it for everyone by using his password as his password hint. There are 220 072 unique .se passwords in the file. Those users won't have the problem of someone else's hint giving their password away. Of the users with unique passwords, only 70 518 of them had a password hint.

Though not having a password hint and having a unique password sadly doesn't put you in the clear from this leak. Thanks to Adobe's use of 3DES ECB mode, we can in certain cases (if the password length is a multiple of 8) know the exact length of the password. Of the 149 554 .se users with unique passwords and no hint, we can tell the exact length of 41 125 of them. That means that 108 429 of the .se passwords are actually pretty safe. We can still tell the general length of the passwords (e.g. 1-7 or 9-15 characters long), but not much more.

Users     Password length     Percent
142664    1-7                 40.9%
92403     8                   26.5%
113533    9-15                32.5%
64        16                  0.01%
132       17-23               0.03%
9         25-31               0.002%
1         40                  0.0002%
I had to use some rounding, so these numbers of course don't add up to 100%.
It's interesting to see how many people use a password of exactly 8 characters, and how dramatically the number of users drops after the 9-15 character length. 99.9 percent of all passwords are of length 1-15.
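The length inference described two paragraphs up, the hint counting per shared password, and the length distribution in the table above can all be reproduced on the post's own hash values. The script below is an added example, not code from the post. The constant padding block is taken from the post's top-10 table (all three 8-character rows end in the block e2a311ba09ab4707; under PKCS#5-style padding an 8-byte password gets a full padding block, and ECB encrypts that constant block identically every time), and the account records with their addresses and hints are constructed for the demonstration.

```python
import base64
from collections import Counter, defaultdict

# 3DES works on 8-byte blocks; the leaked values are base64 of the raw ciphertext.
BLOCK = 8

# All three 8-character rows in the post's top-10 table end in the same
# ciphertext block, hex e2a311ba09ab4707. With PKCS#5-style padding an
# 8-byte password gets a full block of padding appended, and in ECB mode a
# constant plaintext block always encrypts to the same ciphertext, so this
# value as the final block marks a password whose length is a multiple of 8.
# (Assumption: the value is read off the post's table, not taken from Adobe.)
PAD_BLOCK = bytes.fromhex("e2a311ba09ab4707")


def length_class(b64_hash: str) -> str:
    """Length information an ECB ciphertext reveals without the key:
    '1-7', '8', '9-15', '16', ... ('0' would mean an empty password)."""
    raw = base64.b64decode(b64_hash)
    if not raw or len(raw) % BLOCK:
        raise ValueError("ciphertext is not a whole number of 3DES blocks")
    n = len(raw) // BLOCK
    if raw[-BLOCK:] == PAD_BLOCK:
        return str(BLOCK * (n - 1))                   # exact length is known
    return f"{BLOCK * (n - 1) + 1}-{BLOCK * n - 1}"  # only a range is known


def exact_length_known(b64_hash: str) -> bool:
    return "-" not in length_class(b64_hash)


# Constructed sample records (email, encrypted password, hint). The cipher
# values are the post's own top-10 hashes; the addresses and hints are made up.
RECORDS = [
    ("anna@example.se", "EQ7fIpT7i/Q=", "the usual one"),
    ("bo@example.se", "EQ7fIpT7i/Q=", ""),
    ("cia@example.se", "EQ7fIpT7i/Q=", "same as always"),
    ("dan@example.se", "BB4e6X+b2xLioxG6CatHBw==", ""),
    ("eva@example.se", "j9p+HwtWWT86aMjgZFLzYg==", "dog"),
    ("fia@example.se", "WXloyVACcHY=", ""),
    ("gus@example.se", "L8qbAD3jl3jioxG6CatHBw==", ""),
    ("hal@example.se", "", ""),                  # no password stored at all
    ("ida@example.com", "kCcUSCmonEA=", ""),    # not a .se address
]


def analyse(records, tld=".se"):
    """The post's breakdown for one TLD: accounts without a password, shared
    passwords and the hints attached to them, accounts that are 'pretty safe'
    (unique password, no hint, only a length range known) and the rest."""
    accounts = [r for r in records if r[0].lower().endswith(tld)]
    with_pw = [r for r in accounts if r[1]]
    hints_by_hash = defaultdict(list)
    for _, h, hint in with_pw:
        hints_by_hash[h].append(hint)
    # every non-empty hint on a shared ciphertext gives away all of those accounts
    hints_per_hash = {h: sum(1 for x in hints if x) for h, hints in hints_by_hash.items()}
    unique = [r for r in with_pw if len(hints_by_hash[r[1]]) == 1]
    unique_no_hint = [r for r in unique if not r[2]]
    exact = [r for r in unique_no_hint if exact_length_known(r[1])]
    pretty_safe = len(unique_no_hint) - len(exact)
    return {
        "accounts": len(accounts),
        "no_password": len(accounts) - len(with_pw),
        "leaked": len(with_pw),
        "top_hashes": Counter(h for _, h, _ in with_pw).most_common(3),
        "hints_per_hash": hints_per_hash,
        "unique_password": len(unique),
        "unique_no_hint": len(unique_no_hint),
        "exact_length_known": len(exact),
        "pretty_safe": pretty_safe,
        "vulnerable": len(with_pw) - pretty_safe,
        "length_distribution": dict(Counter(length_class(h) for _, h, _ in with_pw)),
    }


if __name__ == "__main__":
    for key, value in analyse(RECORDS).items():
        print(f"{key}: {value}")
```

Everything the script extracts comes from two properties of the storage scheme: identical plaintexts give identical ciphertexts (so passwords and their hints can be grouped), and the final block betrays the padding (so lengths leak). A salted, slow password hash has neither property, which is why no grouping, hint aggregation or length inference of this kind is possible against a database stored that way.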

In summary, 405 978 .se accounts were leaked. But 57 172 of those accounts didn't have a password. That leaves vulnerable 348 806 accounts. Of those accounts, 108 429 have a unique password, no password hint, and we can't tell the exact length of the password. That leaves 243 377 .se accounts that are vulnerable. It's smaller than 400 000, but still way too many.

This is all assuming that the key Adobe used to encrypt the passwords hasn't been stolen or discovered. If that key leaks, all passwords can be decrypted, and everyone's exact password will be revealed in clear text.

Comments and corrections are of course welcome in the comment section below, or any other way that you can get in contact with me.
