Sony: “Passwords Were Not Stored In Cleartext Form”
Sony clarifies.
Published: 8:24, 03/05/2011 by Dan Lee.
28In what we hope is the last PSN related story to not contain “hurrah, it’s working again”, Sony has clarified how your credit card information had been stored on PSN:
“We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list.
One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.”
Many rumours are circulating that the PSN will be back up today. We will let you know as soon as any news breaks.
Source: EU PS Blog, Thanks marshaal5
Most Comments This Week
- Gaikai’s Streaming – Does This Mean No PS4? [65]
- PSN Store Update: 23/05/12 [55]
- First Party Vita Games Drop To £12 On PSN [52]
- PSN Store Hit With 80023163 Errors [51]
- Is Something Big Coming To PlayStation Plus Soon? [50]
- “Leap” Motion Controller Could Revolutionise Gaming [43]
- Ghost Recon: Future Soldier PS3 Install Is Huge [42]
- Australian & New Zealand D3 Players Suffer High Ping Rates [41]
- Sony Files Patent For Game-Interrupting Soda Adverts [40]
- Ghost Recon Future Soldier Review (PS3, Xbox 360) [39]
Latest Reader Comments
- NFS: Most Wanted Due Out In November
- Meet the Reader: KAMIKAZE-UK
- TSA Speculates: Why You Might Not Need To Buy A PS4
-
New Hardware, New Plus: All Eyes On Sony This E3
- 13:28 damoxuk: No thanks. I don;t want to stream games and have worst lag than when I played Atari 2600 games 30 years...
- 12:30 Radiitz: Its 2012. I can’t believe there are still people begging for PS2 compatibility with PS3....
- 12:28 Radiitz: Personally, I would like the PS4 (when/if it releases) to be like the Onlive console. You buy what is...
- Microsoft Job Offer Mentions “Next Generation” Of Xbox
TSAtv: Original Video Content
Batman book review
Kris Dancing, again
Joe Danger interview
Sonic Generations
03/05/2011 at 08:28
Member since: Aug 2009
Cant wait to play black ops online lol
03/05/2011 at 13:13
Member since: Jan 2010
why its plop?
03/05/2011 at 17:53
Member since: Mar 2011
I think it’s fun, just what I need after a hard day of woodwork in the workshop too.
03/05/2011 at 08:33
Member since: Oct 2008
Come on 15:00-15:59!
03/05/2011 at 09:08
Member since: Mar 2010
WHAT!? are you referring to the fact that the PSN will be back 2day at around that time?
03/05/2011 at 09:40
Member since: Jun 2009
You should check out the Sweepstake in the Forums.
03/05/2011 at 09:57
Member since: Mar 2010
Aha! cheers Mosh!
03/05/2011 at 13:13
Member since: Jan 2010
i gotta leave for work!
03/05/2011 at 08:34
Member since: Sep 2010
I can’t help thinking that as soon as PSN is up and running again it will be overloaded with people coming online and will crash under the pressure. Even people like myself who don’t play online that often will want to have a quick go after having it taken away.
03/05/2011 at 08:42
Member since: Jan 2011
Apparentlyt the Japan PSN is up and running…
I guess its EU then US. If the switch on is staggered, then the PSN might be able to cope?
03/05/2011 at 08:48
Member since: Sep 2010
Maybe, but in the past when COD map packs and other big releases have hit the store hasn’t this caused it to crash?
03/05/2011 at 09:27
Member since: Jan 1970
Sadly, just a rumor since all Japanese accounts still cannot log in as of 1:26 AM PST.
03/05/2011 at 08:39
Member since: Jan 1970
finally someone reporting something positive, its getting a bit bad with the media taking cheap shots at sony for hits. for example i keep seeing “biggest data theft in history” when clearly it isnt. 1 minute searching could find you that info!
03/05/2011 at 08:40
Member since: Aug 2008
Jesus Sony! Obviously most people don’t know what hashing is, saying passwords were not encrypted is like saying they were not protected to the ears of the layman! With all the fear and panic that the leak caused, this was not the time to try and be technically correct about the method of obfuscation.
03/05/2011 at 08:45
Member since: Feb 2009
Obfuscation = great word, well done to you!
03/05/2011 at 08:51
Member since: Oct 2009
Just to point out 3shirts, they did provide a link on the blog which explains hashing.
It was right after the “cleartext form” of the quoted paragraphs :)
03/05/2011 at 09:25
Member since: Jul 2010
oops uncanny. was replying to 3shirts, then read your comment after submitting. here is that article Thechunkymunky mentioned…
03/05/2011 at 09:56
Member since: Aug 2008
Actually I was referring to the original press release when they first said that passwords were not encrypted. That is what he references here.
03/05/2011 at 10:09
Member since: Oct 2009
Ah ok, I misinterpreted. Apologies for misunderstanding :)
03/05/2011 at 09:21
Member since: Jul 2010
i must adimt, i didnt know prior to reading this yesterday.I found this most helpful & interesting, not being the most computer literature & i’m sure i won’t be alone.
Encryption – the process of converting information from its normal, comprehensible form into an obscured guise, unreadable without special knowledge.
Hashed – a special form of encryption often used for passwords, that uses a one-way algorithm, that when provided with a variable length unique input (message) will always provide a unique fixed length unique output called hash, or message digest.
detailed further here: http://www.infocellar.com/networks/Security/hash.htm
03/05/2011 at 09:38
Member since: Jul 2010
*literate
can we please, please have access to the same edit feature as the writers/mods.
(unless there is a tech issue preventing this, that im unaware of.)
03/05/2011 at 10:08
Member since: Dec 2010
yeah, they don’t want us to hack the site…;)
03/05/2011 at 10:06
Member since: Dec 2010
I bloody told you lot to wait before losing your rags about passwords not being “encrypted”, SONY were giving you the correct statement…it was actually this site, and many other sites that forgot that there is a difference between the two forms of protection…so it isn’t the layman’s fault for getting all worked up over it, it’s the media.
at least this is being posted now though…wonder how many other sites have posted this…
03/05/2011 at 11:02
Member since: Aug 2008
No, I disagree.
Sony said the passwords were not encrypted. The average person reads that to mean ‘unprotected’. It’s the age old problem of techies talking to non-techies.
This site repeated the Sony statements and offered some additional speculation, it never stated the passwords were in clear-text. Some commenters might have made that assumption but we represent the public so that just emphasises the point.
03/05/2011 at 12:28
Member since: Jul 2010
agree with 3shirtts, even haz… said at the press conference they weren’t encrypted, only for a different executive to point out some time later(in same p.conf) that although not encrypted, they were hashed.
03/05/2011 at 14:16
Member since: Dec 2010
“encrypted” and “hashing” are both very different from one another, I’m no “techie” or tech master, but I know why they said “no, the passwords were not encrypted” because it has nothing to do with hashing, should that person have said “but they were hashed” straightaway? probably, but, they are only human, it might not have occurred (plus even if they had said it straightaway, some media knobs would have left it out anyway.
oh, and gaming sites aren’t really run by “average” non techie people, so they should have known better, and yes, some writers did speculate that it was in clear text, if not actually using those words…it’s better to report on facts than on rumour…don’t you agree? the fact they said “not encrypted” does not rule out other forms of protection, if they had said…”there was no protection” then by all means proceed to lose ones rag…
03/05/2011 at 14:28
Member since: Jul 2010
@MaD dOctoR, you seem to be the only one here(today) getting worked up, or loosing a rag as you put it. everyone else is communicating in a calm manner.
04/05/2011 at 00:22
Member since: Dec 2010
wow…not sure why you think that, but I’ll tell you that you are completely wrong.
04/05/2011 at 01:43
Member since: Jul 2010
“losing your rags” who? where?
“media knobs” is that really necessary & quite a generalised term, who exactly are you referring to?
you come across very aggressively & nobody in this articles comments provoked that.
04/05/2011 at 08:20
Member since: Dec 2010
who said I was referring to this article?
for “losing rags”, please check other comments on other articles, you can’t seriously tell me that everyone kept a level head when this story first broke out?
also “media knobs” refers to those media types who prefer to only report the shock value of a story, not the actual facts, and yes, it is a generalizing statement…because it is generally true (not meaning all…as that would have been “ALL MEDIA” or “EVERY JOURNALIST”)
you are the one being aggressive here, not me.
03/05/2011 at 08:48
Member since: Feb 2009
Ok then, so other than failing to detect the intrusion and their poor early customer relations, what have Sony done wrong? Everyone was having a go at them for not at least hashing passwords, but now it seems they did. So come on nay-sayers, what have Sony done wrong other than what I stated above?
03/05/2011 at 11:57
Member since: Apr 2010
Apparently they lost a horse or something… I like to imagine she was called Gumdrop.
03/05/2011 at 12:08
Member since: Forever
Expect that horse had protection so he should be fine :-p
03/05/2011 at 12:01
Member since: Nov 2009
Sony could have stated the fact about the hashed passwords as clear as this post back when they said passwords were not encrypted. They could have avoided a lot of confusion.
03/05/2011 at 13:16
Member since: Jul 2010
they did at weekend press conference.
03/05/2011 at 15:35
Member since: Nov 2009
Which was like a whole week after they said passwords were not encrypted? I don’t understand why they didn’t just say it in their initial statement.
03/05/2011 at 16:21
Member since: Jul 2010
@KeRaSh, i fully agree.
04/05/2011 at 00:25
Member since: Dec 2010
because they didn’t account for the “media knob” factor…you know…make something out to be something it isn’t.
03/05/2011 at 09:02
Member since: Jul 2009
One quick question from me: What’s the exact status regarding the possible theft of credit card information? I’m having difficulties piecing together the many small bits of info, so should I cancel the VISA or nay?
03/05/2011 at 09:09
Member since: Sep 2010
They have confirmed that your address etc may have been taken. However, it sounds like your CC details are still fine and were not accessed during the attack. Also the security code on the back of the card was never stored by Sony so you should be fine.
03/05/2011 at 09:34
Member since: Jul 2009
Okay, thanks! – that was the impression I had, but there’s a lot of fearmongering out there.
…ooooh, “out there”… I’m so melodramatic.
03/05/2011 at 09:14
Member since: Forever
Phew. Go Sony.
For a while there it looked like you had 100,000,000 peoples usernames, email address, real address, date of births, security questions, transaction histories etc and passwords leak unnoticed until it was too late from various servers.
Anyway, looking forward to the network coming back on now so I can remove my card details from your systems & get my Warhawk groove back on.
03/05/2011 at 09:18
Member since: Nov 2008
I will personally be leaving my card details on, my bank said they will cover all fraudulent transactions resulting from the psn breach so no worries there, plus it will be very secure now (hopefully)
03/05/2011 at 09:21
Member since: Aug 2008
Dunno if it’s connected but my PSP has just found and downloaded an update. I’ll check.
03/05/2011 at 11:32
Member since: Mar 2010
Updates have been working throughout the downtime. But not automatic updates through plus oddly enough.