Sony Finally Explains PSN Data Encryption, or Lack Thereof

8 Comments

aarcane

With today's distributed botnets, an encrypted password is less secure than a salted hash in this case. The reason being that if the attackers got just ONE known password, they can reverse the key and recover ALL the passwords. Conversely, if the attackers acquired hashed passwords, the best they could hope to do is recover the hash and identify the hash algorithm. They would still have to hope that the hashes weren't unique per password, and if the hashes were unique, they would still have nothing. Assuming unsalted, or single hash passwords, they could at best generate a rainbow table and hope for hits, or run a brute-force attack.

Ndien

SoE press release

Got to love em

greencpu

I just hope it was a salted hash. Otherwise a rainbow table would probably reveal the passwords.

Caboose

I prefer salted salmon myself

aca20031

Sorry, but unless I missed something, a cryptographic hash is much more secure than simply encrypting the password.

A hash cannot be reversed, and to verify that you are who you say you are, your proposed password is hashed and then compared to the stored hash. Encryption is LESS secure because it is designed to be reversible given the key. A hash doesn't need to be reversed.

I'm happy to hear PSN did this, not hashing the password was one of the main reasons I was upset in hearing they "have our password" -- a strange way to phrase them having a pass, they would have to use brute force, dictionary, or rainbow tables to find out our real passwords.
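
Added example, not part of the original comments: the hash-then-compare login check and the salted-versus-unsalted difference discussed in this thread, sketched in Python. The account names, passwords and the small precomputed table are constructed sample data, and PBKDF2-HMAC-SHA256 with this iteration count is an assumption chosen for the illustration, not something the page says PSN used.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast hash, no salt (shown only for comparison)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Stronger scheme: random per-user salt plus a slow KDF (assumed: PBKDF2)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Login check: re-hash the submitted password, compare in constant time."""
    _, digest = salted_hash(candidate, salt)
    return hmac.compare_digest(digest, stored)


def table_hits(stored: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """Look each stored hash up in a precomputed hash -> password table."""
    return {user: table[h] for user, h in stored.items() if h in table}


# Constructed sample accounts; two users share a password.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "x9$Lq!vT3mZr"}
# Constructed stand-in for a rainbow table: hashes of a few common passwords.
PRECOMPUTED = {unsalted_sha1(p): p for p in ("123456", "password", "hunter2")}

if __name__ == "__main__":
    weak_db = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    print("unsalted hits:", table_hits(weak_db, PRECOMPUTED))
    strong_db = {u: salted_hash(p) for u, p in ACCOUNTS.items()}
    salted_hex = {u: d.hex() for u, (_, d) in strong_db.items()}
    print("salted hits:", table_hits(salted_hex, PRECOMPUTED))
    print("alice == bob digest:", strong_db["alice"][1] == strong_db["bob"][1])
    print("login ok:", verify("hunter2", *strong_db["alice"]))
```

With the unsalted scheme, the two accounts that share a password store identical hashes and both fall to a single table lookup; with per-user salts the same table finds nothing and the stored values differ even for identical passwords.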

leetNightshade

I was thinking to myself, isn't hashing in a way a form of encryption, and why is this writer trying to tell me it's inferior and you can find the original pw? I was afraid I would have to try to write a post correcting him on this, so thanks for your clear post.

BAMT

SHA1.

But I agree, hashes are most often better than encryption.

BrandNewJesus

Yeah, as a Security Now listener, I think you are correct, sir.

Just listen to the SN podcast on LastPass... That should get everyone familiar with hashing.
