Stored Password Security: The Adobe Guide to Keyless Decryption presented at BSidesAugusta 2014

by Tim “lanmaster53” Tomes

Summary: It goes without saying that Adobe has made some mistakes as a software company. Quite possibly their largest was the breach that resulted in 153 million user credentials being disclosed to the Internet. The good news is that Adobe's passwords were encrypted. The bad news is that they were encrypted poorly. The worse news is that Adobe isn't alone. Each day greets us with news of a new breach, threatening to compromise our identities. We must address this growing problem of poor stored password security.
In this talk, I am going to speak briefly about password storage techniques, popular implementations, their problems, and how to fix them, leveraging Recon-ng to demonstrate the risk associated with using each technique. I'll specifically address the fundamental flaws in Adobe's approach to password encryption and dive into the techniques I've used over the past year to crack a large percentage of the Adobe passwords without access to the encryption key. Finally, I'll release a Python module I wrote to assist with cracking the encrypted Adobe passwords and use it to conduct a live password cracking demonstration.
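As an added illustration of the abstract's central point (that a deterministic, unsalted scheme leaks password equality even to someone who never obtains the key), the following example is not code from the talk or from Recon-ng. It measures, over a constructed user table, how many accounts each storage technique exposes when one account's password is recovered. The keyed transform is a stand-in for deterministic encryption (HMAC is used only so the example runs on the standard library; it is not Adobe's cipher), and the key and user data are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample user table (not breach data); password reuse is deliberate.
USERS = [
    ("alice", "123456"), ("bob", "password"), ("carol", "123456"),
    ("dave", "123456"), ("erin", "qwerty"), ("frank", "password"),
]

# Hypothetical server-side key standing in for the secret an attacker lacks.
SERVER_KEY = b"constructed-server-key-not-a-real-one"


def store_deterministic_encrypted(password: str) -> bytes:
    """Stand-in for unsalted, deterministic keyed encryption (ECB-style):
    equal passwords always yield equal stored values. Not Adobe's cipher."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).digest()


def store_unsalted_hash(password: str) -> bytes:
    """Unsalted hash: deterministic too, and precomputable by anyone."""
    return hashlib.sha256(password.encode()).digest()


def store_salted_kdf(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus an iterated KDF: equal passwords differ on disk."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_salted_kdf(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored KDF output."""
    return hmac.compare_digest(store_salted_kdf(password, salt)[1], stored)


def exposed_accounts(stored_values: list) -> int:
    """Accounts whose stored value is shared with another account: without the
    key, equal values reveal equal passwords, so one recovery exposes the group."""
    counts = Counter(stored_values)
    return sum(1 for v in stored_values if counts[v] > 1)


def compare_techniques() -> dict:
    """Exposure count for each technique over the constructed user table."""
    pws = [pw for _, pw in USERS]
    return {
        "deterministic_encryption": exposed_accounts([store_deterministic_encrypted(p) for p in pws]),
        "unsalted_hash": exposed_accounts([store_unsalted_hash(p) for p in pws]),
        "salted_kdf": exposed_accounts([store_salted_kdf(p)[1] for p in pws]),
    }
```

Running `compare_techniques()` reports five exposed accounts for both deterministic schemes (the three "123456" users and the two "password" users) and none for the salted KDF.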