I screwed up. A bunch of years ago I downloaded some software and subscribed to the vendor’s email list with a simple password. The vendor was (and still is) well known, and I didn’t see any reason to use a complex password. In fact, I used the same one I had used on other vendor sites for email about product updates. I knew it was a bad idea, but I didn’t have any password-keeping software and I didn’t think there was much risk – these are major companies and they have good security, right?
Well, last week a company I’d bought a few products from sent me an email telling me they’d found my email address on a list of password hashes from a breach. They told me that they’d reset my password at their site and that I needed to change it.
I had heard about a breach at a major company and didn’t think I had an account there. I tried to log in and I couldn’t get in. I even tried their “Lost password” link and they said I didn’t have an account so I didn’t worry. After the notice from the other company I googled for a list of the accounts compromised from the major company. My email address was indeed on the list.
Normally a website would use a tool such as bcrypt to hash the password before storing it. bcrypt has two important attributes: 1) it can be configured to be very slow, and 2) it hashes each password together with a salt. Being slow makes it very hard for an attacker to use a brute force attack to discover passwords: if each guess takes a long time to test, an attacker can try far fewer candidate passwords in the same amount of time than if each guess were quick.
In my search of the exposed passwords I discovered that over one thousand people had used the same simple password I did (and I thought I was so clever in choosing it; silly me). That was obvious because the stored data in the password file was identical for me and for those other 1000+ users. Had a random string (called a salt) been hashed along with each password, there’d be no way to tell that a lot of us chose the same simple – or complex – password. bcrypt does that salted hashing.
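The following is an added illustration (not code from the original post or from any vendor) of the two properties just described. It uses PBKDF2 from Python’s standard library as a stand-in for bcrypt, since both are salted, deliberately slow password hashes and PBKDF2 needs no extra package; the user list is constructed sample data. It shows how an unsalted hash lets anyone holding the leaked file count how many users share a password, while a salted, slow hash makes identical passwords indistinguishable and each guess expensive.

```python
import hashlib
import hmac
import os
import time
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample of a credential table, not real leaked data.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice@example.test", "password1"),
    ("bob@example.test", "password1"),     # same password as alice
    ("carol@example.test", "password1"),   # and carol
    ("dave@example.test", "correct horse battery staple"),
]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 with no salt: equal passwords give equal digests,
    so a leaked table reveals clusters of users who chose the same one."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = 200_000) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256 standing in for bcrypt).
    The record carries its own salt and cost so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    _scheme, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_table(users: Iterable[Tuple[str, str]], hasher) -> List[str]:
    """Simulate a site storing one record per user with the given hasher."""
    return [hasher(pw) for _, pw in users]


def shared_password_clusters(records: Iterable[str]) -> dict:
    """Count users whose stored value is identical. With unsalted hashes this
    exposes popular passwords (the 1000+ users in the post); with per-user
    salts every record is unique and the result is empty."""
    counts = Counter(records)
    return {h: n for h, n in counts.items() if n > 1}


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Rough cost of one password check at a given work factor; raising
    rounds is how a slow hash throttles brute force."""
    rec = salted_hash("benchmark", rounds=rounds)
    t0 = time.perf_counter()
    for _ in range(samples):
        verify("benchmark", rec)
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    weak = build_table(SAMPLE_USERS, unsalted_hash)
    strong = build_table(SAMPLE_USERS, salted_hash)
    print("unsalted clusters:", shared_password_clusters(weak))
    print("salted clusters:  ", shared_password_clusters(strong))
    print("verify ok:", verify("password1", strong[0]))
    for r in (1_000, 100_000):
        print(f"{r} rounds: {seconds_per_guess(r):.5f}s per guess")
```

Running it prints one cluster of three users for the unsalted table and none for the salted one; the timing lines show the per-guess cost growing with the round count, which is the same lever bcrypt exposes through its cost parameter.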
A couple of days after discovering my entry in the leaked password database, I was notified by pwnedlist.com that my email address had been discovered in a leaked password database. By clicking on the link I found out which one and what that entry was. I recommend signing up for a free account at pwnedlist.com so that you will be notified as well.
Many of you have probably guessed by now that my information appeared in the Adobe leak. One serious aspect of that leak was that the passwords were encrypted rather than hashed, so they were stored in a way that could be reversed. This is highly unusual and could result in all the passwords being exposed if the key to their encryption were discovered. If you’ve been following this blog for long or have taken Learning Tree Course 468, System and Network Security Introduction, you probably already know about password hashing and salts. If not, you can take the course in one of Learning Tree’s Education Centers or AnyWare Centers, or from home or office. We can even bring it to your site if you have a lot of folks who want to take it (or we can do the whole class remotely using Learning Tree AnyWare!).
If you discover your login credential info has been leaked, let us know in the comments below. (And for the first time, I hope nobody comments…)