Sony: “Passwords Were Not Stored In Cleartext Form”

In what we hope is the last PSN-related story to not contain “hurrah, it’s working again”, Sony has clarified how your credit card information had been stored on PSN:

“We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list.

One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.”

Many rumours are circulating that the PSN will be back up today. We will let you know as soon as any news breaks.

Source: EU PS Blog, Thanks marshaal5


72 Comments

  1. Can’t wait to play black ops online lol

    • why its plop?

      • I think it’s fun, just what I need after a hard day of woodwork in the workshop too.

  2. Come on 15:00-15:59!

    • WHAT!? are you referring to the fact that the PSN will be back 2day at around that time?

    • i gotta leave for work!

  3. I can’t help thinking that as soon as PSN is up and running again it will be overloaded with people coming online and will crash under the pressure. Even people like myself who don’t play online that often will want to have a quick go after having it taken away.

    • Apparently the Japan PSN is up and running…
      I guess it’s EU then US. If the switch on is staggered, then the PSN might be able to cope?

      • Maybe, but in the past when COD map packs and other big releases have hit the store hasn’t this caused it to crash?

      • Sadly, just a rumor since all Japanese accounts still cannot log in as of 1:26 AM PST.

  4. finally someone reporting something positive, it’s getting a bit bad with the media taking cheap shots at sony for hits. for example i keep seeing “biggest data theft in history” when clearly it isn’t. 1 minute searching could find you that info!

  5. Jesus Sony! Obviously most people don’t know what hashing is, saying passwords were not encrypted is like saying they were not protected to the ears of the layman! With all the fear and panic that the leak caused, this was not the time to try and be technically correct about the method of obfuscation.

    • Obfuscation = great word, well done to you!

    • Just to point out 3shirts, they did provide a link on the blog which explains hashing.
      It was right after the “cleartext form” of the quoted paragraphs :)

      • oops uncanny. was replying to 3shirts, then read your comment after submitting. here is that article Thechunkymunky mentioned…

      • Actually I was referring to the original press release when they first said that passwords were not encrypted. That is what he references here.

      • Ah ok, I misinterpreted. Apologies for misunderstanding :)

    • i must admit, i didn’t know prior to reading this yesterday. I found this most helpful & interesting, not being the most computer literature & i’m sure i won’t be alone.

      Encryption – the process of converting information from its normal, comprehensible form into an obscured guise, unreadable without special knowledge.
      Hashed – a special form of encryption often used for passwords, that uses a one-way algorithm, that when provided with a variable length unique input (message) will always provide a unique fixed length unique output called hash, or message digest.

      detailed further here: http://www.infocellar.com/networks/Security/hash.htm

      • *literate
        can we please, please have access to the same edit feature as the writers/mods.
        (unless there is a tech issue preventing this, that I’m unaware of.)

      • yeah, they don’t want us to hack the site…;)

    • I bloody told you lot to wait before losing your rags about passwords not being “encrypted”, SONY were giving you the correct statement…it was actually this site, and many other sites that forgot that there is a difference between the two forms of protection…so it isn’t the layman’s fault for getting all worked up over it, it’s the media.

      at least this is being posted now though…wonder how many other sites have posted this…

      • No, I disagree.
        Sony said the passwords were not encrypted. The average person reads that to mean ‘unprotected’. It’s the age old problem of techies talking to non-techies.
        This site repeated the Sony statements and offered some additional speculation, it never stated the passwords were in clear-text. Some commenters might have made that assumption but we represent the public so that just emphasises the point.

      • agree with 3shirts, even haz… said at the press conference they weren’t encrypted, only for a different executive to point out some time later (in same p.conf) that although not encrypted, they were hashed.

      • “encrypted” and “hashing” are both very different from one another, I’m no “techie” or tech master, but I know why they said “no, the passwords were not encrypted” because it has nothing to do with hashing, should that person have said “but they were hashed” straightaway? probably, but, they are only human, it might not have occurred (plus even if they had said it straightaway, some media knobs would have left it out anyway).

        oh, and gaming sites aren’t really run by “average” non techie people, so they should have known better, and yes, some writers did speculate that it was in clear text, if not actually using those words…it’s better to report on facts than on rumour…don’t you agree? the fact they said “not encrypted” does not rule out other forms of protection, if they had said…”there was no protection” then by all means proceed to lose ones rag…

      • @MaD dOctoR, you seem to be the only one here (today) getting worked up, or losing a rag as you put it. everyone else is communicating in a calm manner.

      • wow…not sure why you think that, but I’ll tell you that you are completely wrong.

      • “losing your rags” who? where?
        “media knobs” is that really necessary & quite a generalised term, who exactly are you referring to?
        you come across very aggressively & nobody in this article’s comments provoked that.

      • who said I was referring to this article?

        for “losing rags”, please check other comments on other articles, you can’t seriously tell me that everyone kept a level head when this story first broke out?

        also “media knobs” refers to those media types who prefer to only report the shock value of a story, not the actual facts, and yes, it is a generalizing statement…because it is generally true (not meaning all…as that would have been “ALL MEDIA” or “EVERY JOURNALIST”)

        you are the one being aggressive here, not me.

  6. Ok then, so other than failing to detect the intrusion and their poor early customer relations, what have Sony done wrong? Everyone was having a go at them for not at least hashing passwords, but now it seems they did. So come on nay-sayers, what have Sony done wrong other than what I stated above?

    • Apparently they lost a horse or something… I like to imagine she was called Gumdrop.

      • Expect that horse had protection so he should be fine :-p

    • Sony could have stated the fact about the hashed passwords as clear as this post back when they said passwords were not encrypted. They could have avoided a lot of confusion.

      • they did at weekend press conference.

      • Which was like a whole week after they said passwords were not encrypted? I don’t understand why they didn’t just say it in their initial statement.

      • @KeRaSh, i fully agree.

      • because they didn’t account for the “media knob” factor…you know…make something out to be something it isn’t.

  7. One quick question from me: What’s the exact status regarding the possible theft of credit card information? I’m having difficulties piecing together the many small bits of info, so should I cancel the VISA or nay?

    • They have confirmed that your address etc may have been taken. However, it sounds like your CC details are still fine and were not accessed during the attack. Also the security code on the back of the card was never stored by Sony so you should be fine.

      • Okay, thanks! – that was the impression I had, but there’s a lot of fearmongering out there.

        …ooooh, “out there”… I’m so melodramatic.

  8. Phew. Go Sony.
    For a while there it looked like you had 100,000,000 people’s usernames, email address, real address, date of births, security questions, transaction histories etc and passwords leak unnoticed until it was too late from various servers.

    Anyway, looking forward to the network coming back on now so I can remove my card details from your systems & get my Warhawk groove back on.

  9. I will personally be leaving my card details on, my bank said they will cover all fraudulent transactions resulting from the psn breach so no worries there, plus it will be very secure now (hopefully)

  10. Dunno if it’s connected but my PSP has just found and downloaded an update. I’ll check.

    • Updates have been working throughout the downtime. But not automatic updates through plus oddly enough.
