One Down, Your Dumb Password: Adobe Crossword

By Graham Smith on November 25th, 2013 at 1:00 pm.

All my password hints are 'john with a horn'.

Hackers recently got hold of details for 153 million Adobe accounts (including mine – thanks Adobe!), including user emails, password hints, and encrypted passwords. This means that, if you have a password hint that points obviously to your password, then you should check whether your details were leaked and change your password immediately.

Once you’ve done that, you should play Adobe Crossword. Inspired by this XKCD comic, it uses password hints and password lengths for the 1000 most popular passwords to generate crossword puzzles. They’re unexpectedly brilliant.

I enjoy regular crossword puzzles, but I actually prefer these strange puzzles. Instead of being given a single, sideways hint for each line, you’re given a collection of different hints. Here’s seven across:

1234; 1q; same; usual; 123; 1; qwer; keyboard; ????; qwer1234; ??; qwerty; easy; 12; rewq4321; 14qr; standard; 12qw; ???; normal; numbers; none; always; 1r; top left; password; 4×4; ??????; la de siempre; ?????; the usual; lol; ???????; dog; asdfzxcv; asdf; ; work; simple; numbers and letters; no; key; first four; a; 8; 1q2w3e4r; 123qwe; you know; wie immer; teclado

This is a pretty easy one, but there’s a neat trick in separating those people who used the actual password as their hint from those who used slight variations on it. With each letter you slot into place, it feels like you’re getting a glimpse into human psychology. Idiot human psychology.

As you tick down the list, from a crossword based on the top 100 most popular passwords, to the 900-1000 most popular, the puzzles never become that hard. As the words become more varied – “password” begins to disappear – the hints become no less explicit. 4 down, “horse with a horn”, is pretty self-explanatory. (The answer is of course “sexyhorse”).

The site’s FAQ aims to put fears to rest about whether the game poses a security risk, but if anything, I think the game is educational. Don’t use “mickey” as your password and “mouse” as your hint, friends. If you’re anything like me, fifteen years of internet messageboards means that your passwords are being leaked every other month, and that’s going to continue until we get rid of the stupid things.


88 Comments »

  1. Gap Gen says:

    The worst thing is that if you didn’t put a dumb hint up, if someone happens to have the same password, then their dumb hint will also work on yours. Although apparently my Adobe password was Level “I really don’t care if you hack this” on my password-strength meter.

    • bill says:

      It’s the dumb thing about having to make passwords for every darn site that we’ll only use once or twice.
      My adobe password was also ‘I don’t care if you hack this’ because I think I only signed up to their forums to ask about a bug I was getting.

      I’m now wondering if I can be bothered to change it…

      My RPS one isn’t much better, mind you…

    • Kitsunin says:

      If your password is something someone could figure out based on a hint, then it probably isn’t secure enough. Although I guess I wouldn’t care much if my accounts were hacked pretty much anywhere, just as long as it’s not my email, facebook, or steam…so, carry on…

      • Gap Gen says:

        Well, if the hint is “[PASSWORD] blah blah”, and if Adobe allowed people to hunt for people with the same password, then it’s perhaps not your fault, unless you feel that passwords should look like 128-bit WEP keys.

        • DeVadder says:

          Just think of a sentence and then use only the first letters. You can be pretty clear in your hint without risking any guessing.
          Like:
          No need for 128-b encryption, bro.
          Nnf1-be,b.
          Hint: Unneeded encryption.
          And no one will have the same password with a shitty hint.

          • The Random One says:

            “OK, I don’t remember the password to this site. Let me see the hint, Unneeded Encryption? Oh, OK, I remember. It was the first letters to the sentence “I don’t need 128-b encryption, mate.” So, Idn1-be,m… nope, didn’t work. Maybe I typed it wrong. Idn1-be,m… nope, it’s something else. I don’t think it was mate, what was it? Buddy? Friend? Idn1-be,b nope, Idn1be,f nope. Maybe I put the apostrophe? Id’tn1-be,m nope, unless it was actually friend Id’tn1-be,f nope, wait, I don’t think it was I don’t need, maybe it was I never need? Inn1-be,f nope. One shouldn’t need? But I wrote that as Osn or Os’nn? I may have written that as 1sn too, oh God, have I tried all those with buddy and mate instead of friend? I’m pretty sure it wasn’t friend. OK, I should write these down and tick them off as I try to…”

    • LionsPhil says:

      > if someone happens to have the same password, then their dumb hint will also work on yours

      You can only tell someone has the same password as you if the passwords are not salted.

      Unfortunately, it seems pretty common that people implementing login systems for web stuff a) don’t know what they’re doing b) don’t know that they don’t know what they’re doing enough to go find out the right way to do it or to find a way to delegate to an implementation by someone who did.

    • Canazza says:

      The problems with the way Adobe stored passwords were many, I will attempt to list and explain as best as I can.

      1) The passwords were stored in a form that let people guess the length of the password, this narrows down the search range for brute forcing

      2) Password hints were stored next to the passwords. This gives a clue as to what the password might be.

      3) Standard practice nowadays is to add a “Salt” to the passwords before Hashing them. So if your password is “Password1” then the system generates a random series of characters to append to it. So the system would hash “Password1j935u02nt082h30t2” (or something). Adobe hashed all the Passwords using the same Salt. This means that if user A had the same password as User B, then the Hash of their password would be the same. This compounds #2, as now the password hints for User A would work for User B. (Normally the Salt is per user, and stored next to the hashed password. This is not a security risk, as all it does is let you brute force the password, which is what they’d end up doing anyway.)

      Computerphile did a good video on this recently: http://www.youtube.com/watch?v=8ZtInClXe1Q

      • LionsPhil says:

        If by “nowadays” you mean the 1970s, yes.

        I don’t mean to nitpick you, but I think it’s important to emphasise just how hard Adobe dropped the ball. Salting passwords is something that’s been done since the early versions of UNIX, back when it was all capital-letters and servers, not this newfangled ’90s Linux thing. Back before there was a World Wide Web.

        • Tacroy says:

          From the time before the Nets were Inter.

        • Canazza says:

          It may have been the ‘Best’ way (and still is) but back in those days encryption was still secure enough that using that instead of hashing/salting meant that using that was viable, and that hackers breaking the encryption (without the key) was still lifetime-of-the-universe difficult on 70s hardware; *plus* it gave you the ability to restore that user’s password if they lost it. Win win right?

          Ofc, I joke. Hindsight is 20-20 after all, and most people learned the hard way. In the early web (which is probably when Adobe created the site) DES was secure enough. It was the standard for encryption (TripleDES in 1999 which is probably when this system dates from). Cracking it was still difficult and, as I said before, being able to email out lost passwords was considered a plus point.

          The problem occurs only when management doesn’t care about ongoing security. DES was cracked 5 years ago. Broken to within an inch of its life. It was pretty slack around ’04 though, which is when they *should* have made the decision to update their system.

          My bet is that they’ll upgrade to SHA-2, and in 5 years that’ll be on the way out, and they still won’t fix it. Sure, they’ll have salted and hashed everything, but if SHA-2 gets broken in the same way MD5 has (and with more powerful computers brute forcing it may become viable anyway) they’ll be in (almost) the same boat as they are now.

          Same for every company, every database. Ongoing inspection and upgrades are essential, but often ignored.

          • LionsPhil says:

            Except using a symmetric cipher like DES was already known to be wrong and stupid before the Web even existed. See: that 1978 case study paper saying “hey, one-way hashing with salt, it’s really quite cool, and here it is in practice”.

            If Adobe had “only” been using original UNIX crypt() with its twelve-bit salts and such, maybe, but they chose completely the wrong approach decades after the correct approach was known and accepted.

      • Solidstate89 says:

        Actually – get this – Adobe didn’t even fucking hash their passwords. They used reversible Triple-DES encryption. So of course they didn’t bother to use a salt; because they didn’t even bother to hash their passwords.

        • Canazza says:

          Mmm, using DES was a bad idea. It’s like locking your password in a box, then having to unlock that box every time you want to check the password. You still need the key to the box lying around where it can be stolen. There are perfectly good reasons to use encryption, but storing passwords isn’t one of them. Though not DES. AFAIK DES was broken 5 years ago, to the point it should only take a day to break one.

          Again, Salting and Hashing is standard. That’s like writing your password down and shredding, then pulping it, then comparing the resultant mess to the same thing you pulped earlier and seeing if they’re the same.

      • jalf says:

        You’re missing two important points on that list (SolidState89 mentioned one of them above):

        - use a one-way hashing algorithm, not reversible encryption, and
        - don’t use just any hashing algorithm. The most common hashing algorithms are designed to be fast, and for password storage, you want the opposite. You want an iterative algorithm that you can run an arbitrary number of times, effectively to slow down crackers. If they can compute a few billion hashes per second, then it pretty much doesn’t matter how good your password was. They’ll guess it. With algorithms like bcrypt or pbkdf2, you can control just how expensive you want the hash computation to be, and so you can, for example, make it impossible to compute more than a few hundred hashes per second. That should be fine for your server which just has to handle the normal number of logins, but for the cracker trying to guess all the passwords in your database, this is pretty much going to ruin his day.

        Sadly, while a lot of people are starting to get the message about salting (and about hashing, rather than encrypting), most still don’t know the last part, and inevitably pick hashing algorithms which allow an attacker to perform hundreds of millions of guesses per second, and crack almost every password within a matter of hours.

        • Canazza says:

          Very true. There are still sites out there that use MD5, which has been thoroughly broken – not just brute forced either, mathematically broken to the point that collisions are nearly trivial to find.

          SHA-2 is the current standard, although with the latest conspiracy nonsense it’s looking likely the NSA (who helped design SHA-2) have already cracked it. Though using longer SHA-2 hashes should still be secure enough.

          • jalf says:

            Nooooo! Read what I said again, because that is **exactly** the error I pointed out.

            There is currently no way to “crack” SHA-2, no, but that doesn’t matter. That’s not how you extract passwords from a leaked database. No sane attacker would try to crack the hashing algorithm. Heck, that is technically possible for MD5, but it’s still much more cumbersome and slow than just the obvious approach:

            you simply guess. Come up with a password, hash it with the same algorithm that the website used, and see if the resulting hash matches. Give it a couple of hours on a computer with a fast GPU, and you’ve guessed the majority of the passwords in the database. SHA-2 does nothing to protect you against that, and it is designed to make this process as efficient as possible. It is designed to be fast to compute, because in many other cases, that is a very valuable characteristic.

            But for *storing* passwords, what you want is an algorithm which limits the number of guesses that an attacker can realistically make. You want an algorithm which is so slow that attackers simply cannot generate the millions of guesses required to figure out the passwords.

            I’m sorry to say it, but if you use SHA-2 to store passwords, you are part of the problem.

          • Canazza says:

            SHA2 is perfectly fine for now so long as you use a random salt, per user, and apply key stretching. As in this article: https://crackstation.net/hashing-security.htm#faq
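The storage failure this sub-thread describes, as an added example (not code from the article, the commenters or Adobe): with one site-wide key and no per-user salt, equal passwords produce equal stored values, so one user's hint applies to everyone sharing that value, while a per-user salt with an iterated hash (PBKDF2, one of the algorithms jalf names) breaks that link. HMAC-SHA256 stands in for the reversible Triple-DES, which Python's standard library lacks; the user records, key and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (email, password, hint); not real leaked data.
USERS = [
    ("a@example.com", "sexyhorse", "horse with a horn"),
    ("b@example.com", "sexyhorse", ""),            # left no hint at all
    ("c@example.com", "mickey", "mouse"),
    ("d@example.com", "mickey", "disney"),
    ("e@example.com", "Nnf1-be,b.", "Unneeded encryption"),
]

SITE_KEY = b"constructed-site-wide-key"  # hypothetical single key shared by all rows
ITERATIONS = 100_000                     # assumed work factor; raise it as hardware allows


def store_deterministic(password):
    """One key, no per-user salt: equal passwords give equal stored values.
    HMAC-SHA256 is only a stand-in for the site-wide reversible cipher."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()


def store_salted_slow(password):
    """Per-user random salt plus an iterated hash; returns salt || digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted_slow(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def hints_visible_per_user(store):
    """Pool hints by stored value, the way the crossword pools them, and
    return for each email every hint attached to its stored value."""
    rows = [(email, store(pw), hint) for email, pw, hint in USERS]
    pool = defaultdict(set)
    for _, value, hint in rows:
        if hint:
            pool[value].add(hint)
    return {email: sorted(pool[value]) for email, value, _ in rows}


if __name__ == "__main__":
    for name, store in (("deterministic", store_deterministic),
                        ("salted+slow", store_salted_slow)):
        print(name)
        for email, hints in hints_visible_per_user(store).items():
            print("  ", email, hints)
```

Under the deterministic scheme the user who left no hint still inherits "horse with a horn"; under the salted scheme every row is unique and each user sees only their own hint.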

    • Mercykiller101 says:

      “Ireallydontcareifyouhackthis” is literally the password I use on one-time use sites that require registration for service.

    • prian says:

      Is it bad that I use a single gmail account linked to all my ‘throw away’ message board accounts that all have the exact same password although the master gmail account has a slightly different password?

  2. Utsunomiya says:

    >“horse with a horn”
    Stallion? Stud-horse doesn’t fit!

    …I’m sorry, I’ll excuse myself out.

  3. Lars Westergren says:

    A simple explanation of how Adobe got the security wrong, and a solution to the original puzzle in the XKCD strip:

    http://www.explainxkcd.com/wiki/index.php?title=1286:_Encryptic

    On a related note: I’ve been thinking I should stop using my real name in forums. Not because I’m ashamed of what I say (in fact, I do this because it helps me to stay polite. I only post stuff I wouldn’t be ashamed if my employer or my mum saw), but because it makes it easier to attack my security if some nutter takes offense. It’s bound to happen sooner or later.

    • Ich Will says:

      I’ve seen several people compliment you on your posts and how they wish they could be more like you, now we know how you do it!! I tend to use my real name in forums too, and my real picture, it’s never back fired on me but you do hear some toe curling stories!

      • Lars Westergren says:

        > I’ve seen several people compliment you on your posts and how they wish they could be more like you

        Aww. Thanks, you made a dreary Monday much better.

    • Ross Angus says:

      Urp. That’s my policy too (I really do look like this). Now I’ve got the fear. Thanks!

    • TechnicalBen says:

      Not as bad as those whose login names are “[Full name]+[full DOB]” or those whose answer machine message is “oh, and don’t forget the pin is XXXX”.

    • 65 says:

      Also in moving picture format:

    • Rikard Peterson says:

      I too use my real name more everywhere (and where I don’t, I use the same – unique – nickname that’s easily traced back to me). I don’t want to be scared into becoming anonymous, but I do have different passwords everywhere. (Which of course means that I don’t remember any of them, except the password for my computer.)

      One trend that annoys me a bit is that many sites now have their password forms in Flash, or request the password not to be stored. That means that the built-in password storage in OS X won’t work with those sites.

    • The Random One says:

      Thanks for that site. I especially like how people are figuring out the passwords in the comic in that page’s comments, and how in the end someone is coming up with insane things that relate to each other like a conspiracy theorist on crack. Patterns everywhere!

  4. Reapy says:

    It is interesting to see how much people collectively think alike when determining passwords. Everyone is sort of in the same mindset when making their password, either they don’t care about it, and so pick something thematic to the site (adobe, macromedia, dreamweaver etc) or just say f it and ‘letmein’, ‘password’, or think they are being clever by mashing left handed qwerty keyboard strings ).

    I find that as companies layer passwords on me, the less and less clever I get about the account passwords depending on how much damage losing the account can do, it just gets frustrating to remember so many variations on long string passwords.

    As usual the best passwords I think are long phrases, either taking the acronym of them or just typing it out, easy to remember, long enough to make brute forcing a headache… though I assume this can be just as dangerous as we’d probably all pick the same popular phrases.

    • Ergates_Antius says:

      At work I have about 100 passwords for numerous different systems, each with its own set of password rules.

      Needless to say I don’t even try to memorise them. They don’t provide us with password safe software either.

      Still, it’s not like I work with sensitive data or anything…. oh, wait…

    • Kitsunin says:

      Really though? My passwords are based on XKCD’s idea of using random words. I would be pretty surprised if anyone picked the same as me. But then I suppose if you told other people to do the same they’d pick something like “I am very smart”

      • LionsPhil says:

        Well, the problem with picking the words yourself is that the brain is a terrible random number generator.

        • Gap Gen says:

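          import secrets
          from urllib.request import urlopen

          # Word list (web2 dictionary) served by the FreeBSD CVS web interface
          web = "http://www.freebsd.org/cgi/cvsweb.cgi/src/share/dict/web2?rev=1.12;content-type=text%2Fplain"
          html = urlopen(web).read().decode("utf-8")
          words = [w for w in html.split("\n") if w]  # one word per line, empty lines dropped
          pwd = ""
          for i in range(5):
              # secrets draws from the OS CSPRNG; the random module is not meant for passwords
              pwd += secrets.choice(words)
          print(pwd)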

          • harmen says:

            Yej, rock paper unixtrivia:

            sort -R /usr/share/dict/web2 | head -4 | xargs

          • LionsPhil says:

            Hunh, I didn’t know sort had a -R flag.

            However, be careful. The source of that randomness is the source of your password’s entropy and strength. I suspect sort’s -R wasn’t written with crypto in mind.

            (On the other hand, this is protecting forum logins, not nuclear missiles.)

      • Ergates_Antius says:

        The random word method works well for a small number of passwords. But once you pass double figures and keep going, then at some point it becomes impossible – not just to remember the passwords, but to remember which password goes with which thing. This means that sooner or later you’ll start reusing passwords and BANG! unsecure again.

        • Kitsunin says:

          Do you even need more than 5 or so secure passwords though? I use unique passwords for really important places like Steam, my email, Google, and a couple of websites that seem to be heavily targeted (like Battle.net), but for the most part if I get hacked I wouldn’t care. They have email recovery systems anyways if someone did happen to get my unsecure password.

    • Low Life says:

      I’ve been using LastPass for a bit over a year now, randomly generated (and automatically filled) passwords are great. Of course there are a few places where I can’t use them, such as my work computer login and stupid games that don’t have paste functionality in the password field.

      • phuzz says:

        Yup, LastPass is great, I’m now down to having to remember a small handful of passwords, all the rest are now twenty something characters of random symbols, and more importantly, each site has a different one.

      • Solidstate89 says:

        I’ve actually stopped playing Hawken because their stupid fucking game launcher doesn’t support pasting of passwords. IT USED TO! And then after some update I don’t know when, it no longer does. So, to hell with playing that game.

    • dE says:

      Ugh, yeah. Especially if services try to enforce their weird policies on me. The more idiotic and unusable the policies become, the less useful the password ends up. Especially if it’s some low relevance bullshit like some forum. If the password is not a word found in any dictionaries, no amount of numbers, special characters and other policies is ever going to make it safer.
      All the policies make me do, is come up with utterly idiotic passwords, I positively can’t ever remember, not even if my life depended on it. I’m sorry, it’s hard enough to remember all the different passphrases and codes I need in RL. I won’t pollute it with 200+ passwords for various sites and online services. So in the end, that means I need to keep a list of passwords. How the fuck is that more safe than just having passwords that make sense to me? Yeah in an ideal world, I’d keep all 200+ passwords in my head. Fuck that. During bad hair days, I can’t even remember to put on two identical socks. Although I could tell you about the research I do, in great detail.

  5. Tei says:

    I remember the day RPS added the need to register to post. That day was a sad day. I know it was needed, but still we lost a lot that day.

    The more places you have to register/give your national id/credit card… the higher the risk to have your Persona stolen, or your money, etc.

    Getting your money or your persona stolen is tiring enough, but on top of all, we have to fulfill these damn register forms, with stupid passwords and stupid rules (one character uppercase and one number? f**** you!). The more places we have to enter our password (a new password in every place, to avoid repeating us) the harder is to manage the whole thing. Some people store all his passwords in one basket (password vault) or use managers to automatically generate new passwords, but is hard…

    There’s other options: complete freedom/anonymous, places where you don’t have to register a identity to post, places like 4chan and others. And places where you use a single login, login with twitter or facebook. But then everything you do is spied by facebook or twitter. Facebook even have a free program for employees that spy on his workers. So I am not jumping with joy after the idea of selling my soul of facebook.

    3 options:
    – anonymous, everyone can post, user moderation (=>hivemind)
    – website based registering (=> 300 passwords that can be leaked)
    – single login/auth (=> your employee, facebook and the NSA know more about you than yourself )

    The other problem is that there’s a single universe, and a single human culture. The problem of “what humans choose as passwords” is nearly complete, thanks for all these leaks. Every leak just help to give a more complete image of whatever a human can create as a password. When this problem is solved, we will be screwed, because the concept of password AND pass-phrase will be completely broken by crackers. They will be able to reduce a passphrase to 12 bits or something small like that, reducing brute force attacks to a very small subsets of attempts, because humans are very bad at randomness, so the possible passwords than a human generate are living inside a very small subset of what is really possible.

  6. CdrJameson says:

    I didn’t even know I had an Adobe account until they told me it’d been hacked.
    Apparently, I even had two.

    Could be a fun day in politics, as I usually claim to be Nigel Farage whenever a website asks.

  7. soulblur says:

    One of the many frustrating things about Adobe is that there is no real way to fully delete your account, even if (like me) you created an account years ago for no apparent purpose. Why do I need an Adobe account? I have no idea, but they won’t let me kill it off.

    But at least the whole debacle has given us this novel crossword game. That’s something, at least.

  8. MayhemMike says:

    wtf, why do I have an Adobe Account?

  9. dangermouse76 says:

    I have used differing passwords for every account. I use one email account for non payment stuff – like here – and I use a separate email for Pay stuff. Using different email services and having both accounts on 2 step verification helps if a say Amazon is compromised. Also all my passwords are something like d41N1@>h&ew5xn[\”*\;dK random generated. It would be handy if more sites offered to lock login to registered devices, like my main PC and phone.

    Secure all this in an offline drive on my comp with an encryption programme. Nothing is foolproof but it’s a start. It at least slows stuff up a little and gives you some time to detect an attack. This relies on timely updates from affected web sites and companies though.

  10. Drinking with Skeletons says:

    Would’ve been nice if Adobe had frickin’ notified me of this. I suppose the only silver lining is that I maintain a unique user ID for my banking for this very reason, and still another related to games (my old handle) so Steam should be OK for now. I still need to get a debit reissue, though.

  11. fish99 says:

    My battle.net account got hacked shortly after the D3 release, so I take passwords a bit more seriously these days. Any account that has any financial value attached now has a unique strong password that’s not stored digitally. The rest I don’t care about.

    • TechnicalBen says:

      I thought the official line was “the accounts cannot be hacked”? ;)

      • Hahaha says:

        Not saying they didn’t but I’m still getting the occasional “your account has been hacked” emails from “blizz”….. *cough*phishing*cough*

      • fish99 says:

        This was before I added a mobile authenticator, and I was using the same password on battle.net as every other site on the net connected to that e-mail address, and several of those other sites had been hacked (PSN for instance). My own fault really.

        No issues since I added the authenticator.

  12. Dumdeedum says:

    Aww boo, at first glance I thought RPS had started doing a weekly crossword. I’ve thought for a while that a game-themed crossword every Sunday or something would be a nice addition to the site. Make it a cryptic one just to baffle the Americans, but make it an easy cryptic because we don’t hate ourselves.

  13. Trespasser in the Stereo Field says:

    I started using 1password a few months ago and have never looked back. I also took their advice and started filling out password hint and secret questions with meaningless phrases. “what is your favorite sports team?” BigTeets McKook Hamburger!

  14. sophof says:

    Some of my findings:
    Justin Bieber is truly popular, a lot of pets have very standard names, people tell themselves they are beautiful and every Marketeer uses ‘marketing’ as their password :D

  15. Hahaha says:

    Password hint that relates to password :s

    It’s like the people who answer security questions correctly.

    “what school did you go to = My school name” not good
    “what school did you go to = xF&2zscguJHCV476nvD”&£ ” good

    • Koozer says:

      My hints and answers are always quite tangential and esoteric to avoid this, but the problem is I am just as likely to forget which ridiculous riddle of an answer I gave as I am my actual bloody password.

      • Hahaha says:

        Any important site that needs them (bank) gets a spot on a real life notepad with a single character notation to remind me what the hell they are for, that is then locked away. Not the safest way to go but I’m more worried about it getting destroyed by water or fire than someone stealing it.

  16. kickme22 says:

    (Note: I already changed my password) My old one was apparently leaked…..lessee if anyone can guess it based off my hint: book movie videogame

    answer: sɹɐʍɹɐʇs

    Yes….that was my password….that is my super crappy “use because this stinking site wanted a password” password….

    • Gap Gen says:

      The thing is that you can use all the hints for all same encrypted passwords (or all ones that share 8-character chunks), so you have not only your hint but hints like “luke skywalker movie” or “star wars no space all lowercase”, or any other hints for passwords beginning with “starwars”.

  17. Piecewise says:

    Better turn the comments off on this article too, otherwise someone might bring up the fact that anita is a massive fucking fraud who doesn’t play the games she whines about and just steals footage from LP’ers. And that her research involves 10 minutes on TVtropes and another 10 furiously skewing the information to her own desires.

    • Baines says:

      Better to just treat the article the same way she treats opposing opinion, to block it off. It is how I read RPS these days. 98% of the articles are fine, but the remaining 2% at their best are misguided social justice pieces that quickly devolve into comment bashing. (At worst, the remaining 2% are hypocrisy, sometimes with full on distortions of truth to serve their higher purpose, and most definitely do much more harm than good. And is why even the more innocent articles devolve into comment bashing.)

      You cannot have a reasonable discussion with a side that neither uses reason nor wishes to have a discussion. So just ignore it yourself.

    • OscarWilde1854 says:

      Yeah, it is extremely irritating when they disable comments… I guess I see the point.. but if you don’t want that kind of “comment section” then stop posting videos/ articles like that… Was the point NOT to stir conversation and opinion?

  19. Syphus says:

    Apparently my email is on the list. I don’t have a password hint though and I can’t for the life of me ever remember creating an account.

    My Password hints and answers are always various non-sequiturs.

  20. OscarWilde1854 says:

    Has anyone actually typed in an email on that linked website and it said you WEREN’T hacked? Because I just typed in 3 old email accounts of mine (that I am 100% sure were NEVER linked to adobe) and it said they were all compromised.

    Humorous side note: I had to create an account with Adobe (on my current email) to find help for a problem I was having with a product and I wasn’t happy about it so my password is essentially “fuck you adobe”. According to the linked website there are 54 other people with the same password as me! So apparently I’m not the only one they pissed off!

    • Rikard Peterson says:

      Prompted by your comment, I tried a few made up, but likely addresses, as well as a valid address that I don’t use, and all of those were reported as not hacked. So if you’re 100% about those addresses, maybe someone else fed them to Adobe for you.

      • Nathan says:

        I suspect I used most of my old email addresses after installing Flash Player or Adobe Reader one time in an attempt to get it to stop bugging me to register for updates.

    • Moonracer says:

      It said my email was on the list but Adobe couldn’t find an account with that email used. not sure how that works.

  21. Lambchops says:

    I’ll just post the appropriate clip from Spaceballs shall I?

  22. Don Reba says:

    All my passwords are unique random sequences generated in KeyPass. The hints are meaningless rhetoric. My secret questions tend to be simple, easily answerable after a bit of Googling, but the actual answers are again randomly generated sequences.

  23. Yaksha says:

    How very nice of Adobe of not informing me of this happening even though I was among the ones that got hacked. If I didn’t read this article I would never have known this had happened. Thanks RPS, at least now I can reset my pw for all my adobe products.
