Last month Adobe announced hackers had nabbed the account information of 2.9 million users—customer IDs, encrypted passwords, and other data. Then, a few weeks later, they jumped that estimate up to 38 million people. To top it off, 10 gigabytes of said data has been making its way around public forums, as Al Jazeera reports.
The software giant's response?
"Our investigation is ongoing," says Adobe spokesperson Heather Edell.
What's being investigated is heady stuff for anyone who spends their days wading through logins: turns out that people are often loonily lackadaisical with their passwords.
Al Jazeera America obtained a copy of that aforementioned data set. According to reporter Joanna S. Kao, the data set has 130 million encrypted passwords and more than 43 million password hints.
While decrypting passwords is hard for hackers, you make it easier on them if you're lazy with your password hints—which could lead to your data being taken advantage of. For instance, users in the Adobe data set sometimes had their password hint the same as the password itself—which is ridiculous. Additionally, you shouldn't have a hint that's anything a potential identity thief could easily search for. Unfortunately, the data set that Al Jazeera found had hints like these:
- "high school"
- "kids birthplace"
- "1st dog"
Which are all pretty easy to ferret out with some deep Googling and a Facebook or LinkedIn search or two.
Additionally, some Adobe users had the gumption to use sensitive information as their password or hint. This is terrifying because if you use your social security number in your password, should you get hacked, you'll be jeopardizing not only your interactions with Adobe but those across platforms. If you use the same password for your bank account, you can get nabbed there. And if you use your social security number—as those users above did—you enable the hacker in question to apply for credit cards or loans on your not-behalf.
So please don't use the sorts of hints that these Adobe users had:
- "BIRTHDATE PLUS SOCIAL"
- "social security number"
- "what is my social security number"
- "social security plus two"
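A signup form can refuse hints like the ones quoted above before they are ever stored. The following is an added example, not code from the article or from Adobe: it rejects a hint that repeats or contains the password (including simple character substitutions), and flags hints that point at identity data or at facts that are easy to look up. The function names, reason labels, and term lists are assumptions chosen for illustration.

```python
import re
import unicodedata

# Assumed term lists, modelled on the hint categories the article quotes.
SENSITIVE = re.compile(r"\b(ssn|social(\s+security)?|birth\s?(date|day)|dob)\b")
SEARCHABLE = re.compile(r"\b(high\s+school|birthplace|dog|pet)\b")
# Assumed folding table so "Tr0ub4dor" and "troubador" compare equal.
LEET = str.maketrans("@$0134579!", "asoieastgi")


def normalize(text):
    """Lowercase, fold common substitutions, drop everything but a-z0-9."""
    folded = unicodedata.normalize("NFKC", text).lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", folded)


def check_hint(password, hint):
    """Return a list of reasons to reject the hint; empty means acceptable."""
    problems = []
    pw, h = normalize(password), normalize(hint)
    if not h:
        problems.append("empty")
    elif pw and pw in h:
        # Hint is the password, or spells it out inside a sentence.
        problems.append("contains_password")
    elif len(h) >= 4 and h in pw:
        # Hint gives away a chunk of the password.
        problems.append("reveals_part_of_password")
    plain = hint.lower()
    if SENSITIVE.search(plain):
        problems.append("sensitive_identifier")
    if SEARCHABLE.search(plain):
        problems.append("publicly_searchable")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs; the hints are the ones quoted in the article.
    samples = [
        ("Sunshine1", "sunshine1"),
        ("x9!Lq", "BIRTHDATE PLUS SOCIAL"),
        ("x9!Lq", "1st dog"),
        ("correct horse", "four random words"),
    ]
    for password, hint in samples:
        print(repr(hint), "->", check_hint(password, hint) or "ok")
```

The check has to run at the moment the password is set or changed, while the plaintext is still in memory, because a properly stored password cannot be compared with the hint afterwards.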
Al Jazeera talked to private investigator Jimmie Mesis, who suggested using something like your favorite food as your password, since that's harder to guess than your parents' names (unless you're an Instagram junkie). As well, don't use the same password for all your logins—that could create a cascade of insecurity.
Finally, we ought not to be so predictable: security researcher Markus Jakobsson has found that people fall into readily hackable patterns. As he writes at PCWorld:
If we demand upper case characters in passwords, almost everybody will capitalize the first letter. If we demand a numeral, the number "1" is almost three times more likely than the number "9", and "3456" is more than ten times as common as "4321". Similarly, the "special" characters people use are far from special when you look at which ones are used and where they are placed in the password.
So in passwords, as in creativity, we can get a lot of value by breaking out of our habits.