Adobe password breach as the world’s greatest crossword puzzle

Adobe was recently breached and 150,000,000 user accounts were stolen. Adobe was following the one of the worst practices of password storage — reversible encryption (rather than hashing with a salt using a good, slow algorithm like bcrypt). A very, very old throwaway password of mine was among those leaked.

XKCD has referred to this breach as The Greatest Crossword Puzzle in the History of the World!

It was bound to happen eventually. This data theft will enable almost limitless []-style password reuse attacks in the coming weeks. There's only one group that comes out of this looking smart: Everyone who pirated Photoshop.

With the help of LastPass’ Has Adobe Leaked My Password, let me illustrate why:

The following hints have been used by other people that share your password. This information could be used to determine your password as well.

  • Life, Universe, Everything
  • life?
  • DA
  • h2g2
  • hitchiker’s guide to the galaxy
  • yes
  • meaningoflife
  • theusual
  • everything
  • hitchhiker
  • dolphins
  • gta
  • a4
  • answer
  • meaning?
  • life
  • the answer
  • the question of life
  • meaning of life
  • the usual
  • life..
  • life the universe and everything
  • a2lae
  • the ultimate
  • Hitchhiker
  • What’s the answer?
  • hitchhikers?
  • Life the Uni and Every
  • life meaning and flower
  • common
  • douglas adams
  • a?
  • maiden
  • lotr no #
  • Adams question
  • Hitchhiker’s Guide
  • answer?
  • question
  • Life Meaning
  • adams
  • life universe everything
  • the number
  • towel
  • typical
  • The Usual
  • How many roads must a man walk down?
  • Life, the universe, and everything
  • What is the meaning of life, the universe and all?

Would you care to guess what password the naive, young me used for Adobe?

Next steps

IBD-3475A Crunch Big Data in the Cloud with IBM BigInsights and Hadoop

I’m teaching a hands-on lab at Information on Demand 2013. I will edit the post to include lab materials closer to the date.

Session: IBD-3475A Crunch Big Data in the Cloud with IBM BigInsights and Hadoop
Time: Thu, 7/Nov, 10:00 AM – 01:00 PM
Location: Mandalay Bay South Convention Center – Shorelines B Lab [Room 15]

First step

Please request a lab environment. We will use a Hadoop environment hosted in the cloud. Each attendee will be provided with a personal environment.

Lab materials

Posting more frequently

I’ve been really enjoying Rafe Colburn’s technical blog since he made his pledge to post more frequently. It makes a lot of sense for a technical blog to also have linkblogging with brief commentary within the same stream of content. I would argue that the appeal of sites like Reddit and Hacker News relates to people doing the same en masse.

Naturally, I’ve also been doing some techie linkblogging on my Twitter account.


On November 6, 2012, I’m teaching a hands-on lab at CASCON together with Bradley Steinfeld and Marius Butuc. The lab is called Crunching Big Data with Hadoop and BigInsights in the Cloud. The lab is based on the Hadoop Fundamentals course at Big Data University.


1.0 Welcome
1.1 What is Big Data?
1.2 Lab Setup
Setup Lab
Setup Lab (PDF Download)
1.3 What is Hadoop?
1.4 Hadoop Architecture – HDFS
Lab (PDF Download)
1.5 Hadoop Architecture – MapReduce
MapReduce Lab
Lab (PDF Download)


1.6 Pig, Hive, and Jaql
Pig, Hive, and Jaql Lab
Lab (PDF Download)
1.8 Working with BigInsights
Web Console Lab
Web Console Lab (PDF Download)
Data Discovery with BigSheets

Module 1.7 covers Flume. It’s available for free on Big Data University.

Dehacking this blog

The first rule of security is to, of course, assume everything is compromised. If some code is compromised, everything is compromised. The correct response to a hacked WordPress is to nuke all the code.

My WordPress installation was recently compromised. There’s a limit to how far I can apply the principle because this particular WordPress is currently on shared hosting, but all code I have access to is now nuked. WordPress has been reinstalled from scratch, and all the various hanger-on sites that had accumulated in the same hosting account are now no more.

I’ve also adopted the pertinent steps from My WordPress Site Was Hacked, Hardening WordPress, and the Ultimate Security Checker plugin (guide).

Last line of defense:

The attack’s objective was to inject PHP code into various pages. The code was obfuscated via a double pass through those two functions. The two shell commands above will show any instances of those two functions.

Materials for the Hadoop workshop at CASCON

This is the syllabus for the workshop I’m chairing at CASCON 2011 with @mariusbutuc and @bsteinfe. If you’re interested, you can also take the course at your own pace online at BigDataUniversity.


Attendees will be provided with access to machines running Hadoop in a cloud environment. The necessary SSH credentials will be provided in class.