I didn’t really pay much attention when Adobe’s massive data breach was first reported, but now that all of the details have emerged, we know that the scope of the breach is truly spectacular. The Naked Security blog has the details. This episode is particularly sad because the best practices around password storage are well understood. Even though practices like using slow hashing algorithms are pretty new, and I wouldn’t have expected Adobe to have adopted them, the basic approach of storing a salted hash has been in wide use for quite some time.
I hope Adobe conducts a productive investigation of the incident and shares the systemic failures that led to the breach — not just the user database being stolen, but also the decision not to migrate to a more secure method of password storage over time. My guess is that Adobe not only has many Web properties, but also native applications that need to authenticate, and that they probably weren’t abstracted cleanly from the database used to store the encrypted passwords, so migrating to a new system was always deemed to be too low priority to be worth the extensive effort required.
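The two practices the post refers to, a salted slow hash for storage and a gradual migration away from an older scheme, can be combined in a single login path: verify against whatever format the stored record uses, and on success rewrite the record in the current format. The following is an added example and not code from Adobe or from the Naked Security post. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, the record layout, the `user_db` dictionary, and the "legacy" unsalted SHA-1 scheme are all constructed for illustration (the legacy scheme is a stand-in for "whatever the old system stored", not a statement about what Adobe used).

```python
import hashlib
import hmac
import os

# Current scheme: salted PBKDF2-HMAC-SHA256. The iteration count is a
# constructed example value; it should be raised over time as hardware improves.
CURRENT_SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{CURRENT_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the slow hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != CURRENT_SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed legacy scheme: an unsalted, fast hash, the kind of format an old
# authentication store might still hold. Hypothetical, kept only so the
# migration path below has something to migrate from.
LEGACY_SCHEME = "sha1"


def legacy_hash(password: str) -> str:
    return f"{LEGACY_SCHEME}${hashlib.sha1(password.encode('utf-8')).hexdigest()}"


def verify_legacy(password: str, record: str) -> bool:
    scheme, hash_hex = record.split("$")
    return scheme == LEGACY_SCHEME and hmac.compare_digest(
        hashlib.sha1(password.encode("utf-8")).hexdigest(), hash_hex
    )


def needs_rehash(record: str) -> bool:
    """True if the record is in the legacy format or uses too few iterations."""
    parts = record.split("$")
    return parts[0] != CURRENT_SCHEME or int(parts[1]) < PBKDF2_ITERATIONS


def authenticate_and_upgrade(user_db: dict, username: str, password: str) -> bool:
    """Verify a login against whichever scheme is stored; upgrade the record on success.

    Because the plaintext password is only available at login, this is the
    point at which a store can be migrated user by user without a big-bang
    rewrite. user_db is a constructed in-memory stand-in for the real store.
    """
    record = user_db.get(username)
    if record is None:
        # Burn the same cost for unknown users so timing does not reveal
        # whether an account exists.
        hash_password(password)
        return False
    scheme = record.split("$", 1)[0]
    if scheme == LEGACY_SCHEME:
        ok = verify_legacy(password, record)
    elif scheme == CURRENT_SCHEME:
        ok = verify_password(password, record)
    else:
        return False
    if ok and needs_rehash(record):
        user_db[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample store: one account still in the legacy format.
    db = {"alice": legacy_hash("correct horse battery staple")}
    print("before:", db["alice"][:24], "...")
    print("login ok:", authenticate_and_upgrade(db, "alice", "correct horse battery staple"))
    print("after: ", db["alice"][:24], "...")
```

The record carries its own scheme name and cost, so the verifier never has to guess which format it is looking at, and `needs_rehash` lets the iteration count be raised later with the same upgrade-on-login path handling the rollout.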