[anonymous]

Actually you maybe don't even need the key. I don't know what algorithm Adobe used to encrypt these passwords, but for most standard ones it holds that if you have two encrypted messages A' and B' corresponding to plain texts A and B, then B = A ^ A' ^ B'. You really only need to find one password of length N to be able to decrypt all passwords with length <= N.

Edit: Of course I mean two messages encrypted with the same key and initialisation vector. Do not reuse IVs kids, you'll get hurt.

[tcas]

That's true of stream ciphers, and if they reuse a nonce.

It looks like they used 3DES which is for all intents and purposes here, immune to a this kind of attack.

EDIT: If they use 3DES in a CTR mode then it could be vulnerable to this, but looking at the base64ed texts in the blog posts, they are multiples of 8 meaning it is almost certainly in a block cipher mode. Would be interesting to see if you can find any block similarities if they used ECB.

[mischanix]

This is really neat. Adobe stated the hashes are 3DES/ECB.

So, say I have a two block password with '6aMjgZFLzYg' as the second block... when I just search for that block I see alot of hints that point to '123456789' as a password, implying the plaintext for that block is simply '9'. So now I believe the password is 9 characters long and ends with '9'.