Adobe was recently breached and 150,000,000 user accounts were stolen. Adobe was following one of the worst practices of password storage: reversible encryption, rather than hashing with a per-user salt using a good, slow algorithm like bcrypt. A very, very old throwaway password of mine was among those leaked.
XKCD has referred to this breach as The Greatest Crossword Puzzle in the History of the World!
With the help of LastPass’ Has Adobe Leaked My Password, let me illustrate why:
The following hints have been used by other people that share your password. This information could be used to determine your password as well.
- Life, Universe, Everything
- hitchiker’s guide to the galaxy
- the answer
- the question of life
- meaning of life
- the usual
- life the universe and everything
- the ultimate
- What’s the answer?
- Life the Uni and Every
- life meaning and flower
- douglas adams
- lotr no #
- Adams question
- Hitchhiker’s Guide
- Life Meaning
- life universe everything
- the number
- The Usual
- How many roads must a man walk down?
- Life, the universe, and everything
- What is the meaning of life, the universe and all?
Would you care to guess what password the naive, young me used for Adobe?
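The crossword works because reversible encryption under one fixed key with no per-user salt gives every user who chose the same password the same stored value, so the hints of strangers become hints for you. The following is an added example, not code from the post: the cipher is a constructed XOR stand-in (not Adobe's scheme), the users and hints are made up (three of them are given the password the hints above point at), and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Added example, not code from the post. The cipher and the records are constructed
# stand-ins, not Adobe's actual scheme; the property they reproduce is the one the
# post criticizes: reversible encryption under one fixed key with no per-user salt,
# so two users with the same password get byte-identical stored values.

SITE_KEY = b"one fixed key shared by every record"  # assumption for the toy cipher


def _xor_with_keystream(data: bytes) -> bytes:
    keystream = hashlib.sha256(SITE_KEY).digest()
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def toy_encrypt(password: str) -> bytes:
    """Reversible and unsalted: identical passwords -> identical ciphertext."""
    return _xor_with_keystream(password.encode("utf-8"))


def toy_decrypt(blob: bytes) -> str:
    """XOR is its own inverse, which is what 'reversible' means in practice."""
    return _xor_with_keystream(blob).decode("utf-8")


# Constructed users: the leaked dump carries no plaintext, only ciphertext plus hint.
SAMPLE_USERS = [
    ("alice@example.com", "42",            "Life, Universe, Everything"),
    ("bob@example.com",   "42",            "the usual"),
    ("carol@example.com", "42",            "douglas adams"),
    ("dave@example.com",  "correct horse", "xkcd 936"),
    ("erin@example.com",  "hunter2",       "the usual"),
]


def build_leak(users):
    """Produce what the attacker actually holds: (email, stored value, hint)."""
    return [(email, toy_encrypt(pw), hint) for email, pw, hint in users]


def hints_by_stored_value(leak):
    """The crossword: group hints by ciphertext without decrypting anything."""
    groups = defaultdict(list)
    for _, blob, hint in leak:
        groups[blob].append(hint)
    return dict(groups)


def crossword_for(leak, email):
    """What a LastPass-style checker shows: hints of everyone sharing your stored value."""
    mine = next(blob for e, blob, _ in leak if e == email)
    return [h for e, blob, h in leak if blob == mine and e != email]


# What should have been stored instead: a per-user random salt and a slow KDF.
# bcrypt is a third-party package, so PBKDF2-HMAC from the standard library stands in.
ROUNDS = 100_000


def salted_slow_hash(password: str, salt: bytes = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt + digest


def verify_salted(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    leak = build_leak(SAMPLE_USERS)
    print("hints from alice's password group:", crossword_for(leak, "alice@example.com"))
    print("salted stores of the same password collide:",
          salted_slow_hash("42") == salted_slow_hash("42"))
```

Note that erin's hint "the usual" lands in a different group than bob's: the grouping key is the stored value, not the hint, which is exactly why an attacker never needs the key. With a per-user salt the same password produces different stored values for every user, and the hint column stops being a shared resource.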
On October 22, I’ll be climbing the CN Tower stairs for United Way. Any contribution is appreciated.
I’m teaching a hands-on lab at Information on Demand 2013. I will edit the post to include lab materials closer to the date.
Session: IBD-3475A Crunch Big Data in the Cloud with IBM BigInsights and Hadoop
Time: Thu, 7/Nov, 10:00 AM – 01:00 PM
Location: Mandalay Bay South Convention Center – Shorelines B Lab [Room 15]
Please request a lab environment. We will use a Hadoop environment hosted in the cloud. Each attendee will be provided with a personal environment.
I’ve been really enjoying Rafe Colburn’s technical blog since he made his pledge to post more frequently. It makes a lot of sense for a technical blog to also have linkblogging with brief commentary within the same stream of content. I would argue that the appeal of sites like Reddit and Hacker News relates to people doing the same en masse.
Naturally, I’ve also been doing some techie linkblogging on my Twitter account.
The first rule of security is, of course, to assume everything is compromised. If any of the code is compromised, treat all of it as compromised. The correct response to a hacked WordPress is to nuke all the code.
My WordPress installation was recently compromised. There’s a limit to how far I can apply the principle because this particular WordPress is currently on shared hosting, but all code I have access to is now nuked. WordPress has been reinstalled from scratch, and all the various hanger-on sites that had accumulated in the same hosting account are now no more.
I’ve also adopted the pertinent steps from My WordPress Site Was Hacked, Hardening WordPress, and the Ultimate Security Checker plugin (guide).
Last line of defense:
The attack’s objective was to inject PHP code into various pages. The code was obfuscated via a double pass through those two functions. The two shell commands above will show any instances of those two functions.
This is the syllabus for the workshop I’m chairing at CASCON 2011 with @mariusbutuc and @bsteinfe. If you’re interested, you can also take the course at your own pace online at BigDataUniversity.
Attendees will be provided with access to machines running Hadoop in a cloud environment. The necessary SSH credentials will be provided in class.