In October it was widely reported that a large number of Adobe customer accounts had data stolen after the company's systems were hacked. While earlier reports put the number of exposed accounts at around 38 million, that figure rose after password security firm LastPass analyzed a copy of the leaked data, Reuters reported.

LastPass found the email addresses, passwords and password hints of 152 million accounts on an undisclosed website reportedly frequented by cybercriminals.

The company's report contained two important security revelations: not only did Adobe fail to follow best practices for storing passwords, but many users failed to protect themselves by choosing weak passwords.

Inadequate Password Protection
While Adobe did keep passwords encrypted in its database, it appears that every password was encrypted under a single key, PC Magazine reported. This means that anyone who recovered that key could decrypt every password at once. Furthermore, Adobe encrypted in Electronic Code Book (ECB) mode, which is a weak choice. ECB encrypts each block of input independently with the same key, so identical plaintext blocks always produce identical ciphertext blocks: every user who chose "123456" ended up with the same encrypted value, and passwords that share their first eight characters share their first ciphertext block. Combined with the password hints stored alongside them, that let analysts work out large numbers of passwords without ever recovering the key.

The best practice, as LastPass pointed out, is not to encrypt passwords at all but to store a salted hash of each one. A unique random value, the "salt," is combined with every password before it is run through a slow one-way hash function, so two users with the same password get different stored values, identical choices such as "123456" can no longer be spotted by comparing records, and there is no master key whose theft exposes everyone.
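To make the two points above concrete, here is a small added example; it is an editor's illustration, not code from Adobe, LastPass or PC Magazine. It models the weak scheme with a toy 8-byte Feistel block cipher standing in for 3DES (the cipher itself, the PKCS#7 padding and the site-wide key are all assumptions of the demo, and the toy cipher is not secure; only its deterministic block-to-block mapping matters), shows what ECB mode leaks to someone who holds nothing but the dump, and then shows the salted, slow-hashed alternative using Python's standard library. The password list is constructed for the demo, not real leaked data.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 8  # 64-bit blocks, like the 3DES cipher Adobe reportedly used


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed PRF for one Feistel round; 4-byte output for a 4-byte half-block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic 8-byte block cipher (4-round Feistel). Stand-in for 3DES:
    only the 'same key + same block -> same output' property is needed here."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: run the rounds backwards."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, password: bytes) -> bytes:
    """ECB mode: pad, then encrypt each block on its own with the same key."""
    pad = BLOCK - len(password) % BLOCK
    padded = password + bytes([pad]) * pad          # PKCS#7 padding (assumed)
    return b"".join(toy_block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    padded = b"".join(toy_block_decrypt(key, ct[i:i + BLOCK])
                      for i in range(0, len(ct), BLOCK))
    return padded[:-padded[-1]]


def ciphertext_frequencies(ciphertexts):
    """What an attacker holding only the dump can do: identical ciphertext means
    identical password, so the most frequent value is almost certainly '123456'."""
    return Counter(ciphertexts)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """The sound alternative: a fresh random salt per user plus a slow one-way
    KDF (PBKDF2-HMAC-SHA256). Nothing here can be 'unlocked' with a key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    key = b"site-wide-key!!!"                       # one key for every account (assumed)
    # Constructed miniature of a leaked table, not real data.
    dump = [b"123456"] * 5 + [b"password"] * 3 + [b"photoshop1", b"photoshop2", b"s3cur3!x"]
    cts = [ecb_encrypt(key, p) for p in dump]
    top_ct, count = ciphertext_frequencies(cts).most_common(1)[0]
    print(f"most common ciphertext appears {count} times -> shared password, no key needed")
    print("'photoshop1' and 'photoshop2' share a first block:", cts[8][:BLOCK] == cts[9][:BLOCK])
    rec_a, rec_b = hash_password("123456"), hash_password("123456")
    print("salted hashes differ:", rec_a != rec_b, "| correct password verifies:",
          verify_password(rec_a, "123456"))
```

Run it and the ECB half reports that the most frequent ciphertext occurs five times and that the two "photoshop…" entries share a first block, all without touching the key; the PBKDF2 half produces two different records for the same password and still verifies the right one. In production, use a maintained library's bcrypt, scrypt or Argon2 rather than hand-rolled code; the 600,000-iteration default here follows current OWASP guidance for PBKDF2-HMAC-SHA256 and should be raised as hardware gets faster.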

Poor User Practices
The discovery also raised a red flag about how consumers handle data privacy and security. Many users choose common words or phrases as passwords, which make accounts easy for attackers to get into. Of the accounts recovered by LastPass, nearly 2 million used "123456" as their password. Other common choices included "password," "adobe123," "qwerty," "111111," and "photoshop."

By using such passwords, customers not only put their Adobe accounts at risk but every other account that uses the same credentials. Email accounts, banking services and other personal information could be accessed if the same passwords were used.

PC Magazine noted that a similar security breach of the website Gawker yielded many of the same passwords. The top five from those accounts included "123456," "password," "12345678," "lifehack," and "qwerty."

Although the Gawker hack occurred three years earlier, many of the same weak passwords turned up again. What this illustrates is that, in spite of increased media attention surrounding cyberattacks, consumers have yet to improve their Web security habits. Furthermore, the growing prevalence of apps and cloud storage holding personal and financial information means that users have more to lose now than in the past.

Consumers should avoid common words and predictable patterns in passwords and instead choose long, unpredictable ones: a mixture of letters, numbers and symbols, or a randomly generated password kept in a password manager. Just as important, every major account a Web user creates should get its own password, so that a breach at one site cannot be replayed against the others.

Eduard Goodman is chief privacy officer at IDentity Theft 911.
