Passwords were hashed and they have not been offered the chance to buy the database back.
Another day, another announcement from Sony on the official blog.
My own first question to Sony was whether the passwords were in clear text or hashed/encrypted.
Now, hashing is an excellent defence against brute-force attacks and casual or small-scale exposure. There is only one real weakness, and that is the Rainbow Table.
Hashes work with a one-way encryption methodology. But this means that, if you know the encryption algorithm, you can generate vast tables of that algorithm's inputs and outputs: Rainbow Tables.
We quite rightly don’t know the algorithm used by Sony, but that is a minor point to the really malicious hacker: all they really need is a little time to try a few options from all the tables available to them. Even better for them would be a reference value in the table, which is easy to set up in this case: they just need a PSN account themselves.
The next question that crops up is “can we prevent the effectiveness of Rainbow Tables?”. Simple answer: yes – and it isn’t difficult either.
The easiest mechanism is called a Salt or Seed.
All you do is slightly customise the algorithm to include an extra element, the salt. This immediately renders the entire Rainbow Table for the original encryption algorithm useless.
Will the seed protect the hashes if there is a reference value in the table? Possibly, but only if:
- They used Random Seeds for each Hash
- The Random Seed is not stored with the Hash (simply not done these days)
- The Programming/Scripting used to generate the Hash/Seed is not exposed
Were Sony using a Salt? We don’t know but if they were using hashes we hope a Random Seed was involved.
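To make the salt argument concrete, here is an added example in Python (not code from the original post, and nothing to do with Sony's actual implementation): an unsalted SHA-256 store beside a per-user random-salt store, with a small constructed lookup table standing in for a Rainbow Table. The password list, table and function names are all constructed for this demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a tiny stand-in for a Rainbow Table, i.e. precomputed
# unsalted SHA-256 digests of a few common passwords, keyed by digest.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def hash_unsalted(password: str) -> str:
    """Weak scheme: plain SHA-256, so every user with this password gets the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Mix a per-user random salt into the hash; returns (salt_hex, digest_hex)."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random seed for every stored hash
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest

def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)

def lookup_unsalted(digest_hex: str) -> Optional[str]:
    """What a table lookup recovers from a leaked digest (None if no match)."""
    return UNSALTED_TABLE.get(digest_hex)

def demo() -> dict:
    # Two users picked the same weak password; compare what leaks in each scheme.
    weak = "letmein"
    leaked_unsalted = hash_unsalted(weak)
    salt1, digest1 = hash_salted(weak)
    salt2, digest2 = hash_salted(weak)
    return {
        "table_hit_unsalted": lookup_unsalted(leaked_unsalted),   # 'letmein'
        "table_hit_salted": lookup_unsalted(digest1),             # None
        "same_password_same_hash_salted": digest1 == digest2,     # False
        "verify_ok": verify_salted(weak, salt1, digest1),         # True
        "verify_wrong": verify_salted("wrong", salt1, digest1),   # False
    }
```

The salt is stored beside the digest so that verification can recompute it; the defence comes from every user needing their own table, not from hiding the salt.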