Wednesday, 27 April 2011

Stored-up bad will and storing passwords in plain text - Sony Playstation privacy woes

UPDATE 2-May: Sony have released a press statement effectively claiming now that passwords were indeed hashed and therefore your password might not have been lost to hackers.

When talking about data leaks there are a couple of important points to remember. (1) People who live and work in the glass house of data management really shouldn't throw stones (so I hope this doesn't come back to haunt me) and (2) one can never condone the criminal actions of alleged hackers...

That said, it really couldn't have happened to a nicer company.  Firstly there's Sony's relentless legal pursuit of George Hotz (GeoHot), an enthusiast who worked out how to bypass the digital locks that prevent Playstation owners running their own homebrew software on their own Playstation (note: not illegally-copied games, but useful stuff, like Linux).

And secondly there's an experience of a good friend of mine who last summer found some questionable credit card transactions linked to their Playstation account.  Sony's response was incredible.  No, he couldn't have a refund.  Yes, he could pursue a complaint with his card provider under the Consumer Credit Act 1974 or Distance Selling Regulations however...

... If he filed a complaint he was informed he would lose all access to his existing Playstation account, including gamer ID and all purchased titles! Simply incredible.  If anyone from Sony wants to comment I've reserved a space right here:
Space intentionally left blank
And on the reported attack itself, there's no excuse for storing user passwords unencrypted.  It's well established that people will use the same password for various purposes.  The public know this is a bad idea but keep on doing it.

The solution is not to shake one's head and say "dear me the public keep on doing this bad thing..."  The solution is readily available in the form of either asymmetric or one-way encryption.

The encryption technology has been freely available for years.  The database stores an encrypted representation of the user's password.

When the user enters their password, the software on the web server knows how to turn the plain text password into the encrypted form and check it against the database.  Because the algorithm used is asymmetric (e.g. like PGP), having the cipher key and algorithm to encrypt the password does not help in any way with decrypting the encrypted password.  It may sound complex but I assure you it's all pretty standard stuff.
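As an added illustration (not code from the original post), here is the one-way approach the post mentions, done the way a practitioner would do it today: the database stores a random per-user salt plus a slow PBKDF2 hash, and login is checked by recomputing the hash from the typed password. It also shows why a per-user salt matters for the rainbow-table point raised in the first comment below: two users with the same weak password get identical bare hashes but different salted records. Iteration count and salt length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters (assumptions for this example; raise ITERATIONS as hardware allows).
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: salt and one-way PBKDF2 hash, never the password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for each user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    hash_name = algo.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1(password: str) -> str:
    """A bare hash: identical for every user who picked this password, so a
    precomputed lookup table built once answers it for all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same weak password.
    pw = "password1"
    rec_alice = store_password(pw)
    rec_bob = store_password(pw)
    print("bare hashes equal:   ", unsalted_sha1(pw) == unsalted_sha1(pw))  # True
    print("salted records equal:", rec_alice == rec_bob)                    # False
    print("alice logs in:       ", verify_password(pw, rec_alice))          # True
    print("wrong password:      ", verify_password("Password1", rec_alice)) # False
```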

1/10 Sony - and the 1 point is for coughing to the leak.


Question (via twitter):
"have Sony actually confirmed passwords were stored in plaintext? I'd assumed as much but I'm finding it hard to believe."
Answer: Yes, in their own press release Sony state that "PlayStation Network/Qriocity passwords and login" are amongst the details obtained by an "unauthorized person".



  1. I know what you're saying and I do agree, however it's the classic usability vs security.

    Users are idiots and just as they use the same password everywhere they also use stupidly simple passwords that have already been cracked via rainbow tables years ago.

    In fact, there are so many rainbow tables online now that I have "hacked" four out of five of the last password hashes I've needed to just by looking up the password hash on Google!

    Don't get me wrong, I agree passwords should be hashed as it's an added layer of security but it is one very very small additional layer.

    Sony knew what they were doing and decided to make a more usable service (where they could do support via the phone and via a PS controller probably) over a more secure one. That trade-off failed. The question is, have they lost more customers due to the breach than they gained from having lower support costs? My guess is they are still quids in.

  2. I called them today so that I could understand the risk to me.
    Q1. Were the passwords encrypted?
    A1. Yes
    This is expected and good, but ....

    Q2. Was the encryption algorithm Symmetric or Asymmetric?
    A2. Can't and won't tell you this
    This means I cannot assess the overall risk properly, plus it shows Sony's lack of care for the actual users (US)

    Q3. I wish to check which of a handful of passwords I have used for my account to see which other accounts may be affected and at what level. Can I log on anywhere?
    A3. No. The sites are unavailable until we complete our investigation.

    This leaves me in a totally unknown state of exposure. Sony is doing very little to help us, and is only trying to look after itself.

    They should be doing everything they can to help us!!!!!
