Adobe breach has lessons for UC Davis passphrase security
Hackers stole account information for about 150 million Adobe customers this fall. Thousands of people at UC Davis use popular Adobe products like Photoshop and Acrobat, which raises the question: What was the impact of the breach on campus?
Information and Educational Technology security analysts have had a chance to review the data, and their bottom-line advice is this:
If you have an Adobe account registered to your UC Davis email address, you should consider changing your UC Davis account passphrase. If any of the less-than-secure habits described below apply to your account, then you should definitely reset your campus passphrase, if you haven't already.
Best as IET analysts can tell, approximately 7,000 Adobe accounts are registered to UC Davis addresses, and about half of those UC Davis email accounts use password practices that fall well short of secure.
Specifically, some accounts use password-reset questions and hints that are easy to guess. Even worse: Some users probably use the same password for both their UC Davis and Adobe accounts, which means if the hackers have your Adobe password, they can get into your UC Davis account too.
What security analysts found
IET security administrator David Lam wrote a summary of the incident:
Adobe initially said the breach affected 2.9 million Adobe user accounts. Information leaked from hackers subsequently raised the estimate to around 150 million. The disclosures included Adobe ID (the email address tied to an Adobe account), an encrypted version of the password, and the customer's password hint.
Once this information went public, various security researchers reviewed the data. They detected weaknesses in the passwords' encryption that let the researchers learn additional details about the accounts. This means anyone with the right knowledge could easily identify other clues that make a password easier to break, in cluding:
- A password's estimated length
- The relationship between the password and the password hint
- The relationship between the password and other Adobe accounts that have the same password
IET security administrators who analyzed the data discovered 3,480 Adobe accounts with UC Davis email addresses that don't meet UC Davis security standards. Their passphrases are relatively easy to crack. The other 3,500 accounts are either inactive UC Davis email addresses, or appear to meet UC Davis passphrase standards.
If your Adobe account was breached, Adobe has probably emailed you information about remedies and how to proceed.
But the breach is a reminder to everyone that strong passphrases have become a basic requirement of online security. The hack aimed at Adobe's customers won't be the last. Hacks aimed at other services have already occurred since the Adobe breach.
You need to protect your UC Davis passphrase like you would a house key, and not leave a lot of copies lying around.
How to create and protect a strong passphrase
To set a passphrase that meets campus standards, read "How to create a strong passphrase," written by consultants at the campus IT Express Computing Services Help Desk. You can also change reset questions or test your passphrase strength by following directions at the computing accounts page. UC Davis policy PPM 310-22a 4b requires you to protect your UC Davis account with a passphrase that resist "discovery attacks."
If you have questions about the Adobe breach and UC Davis, contact the campus cyber-security team at cybersecurity@ucdavis.edu.
For additional suggestions on how to secure your passphrase, read the "To protect your passphrases/passwords" section on the campus security website.