PSN Down

Started by Jmac, April 26, 2011, 12:53:06 PM

stick d00d

Quote from: CherryPie on April 30, 2011, 08:58:17 AM
Quote from: YayForLife on April 30, 2011, 08:23:37 AM
Quote from: Mr Pwnage on April 30, 2011, 08:10:11 AM
Quote from: LeGuy on April 30, 2011, 01:23:44 AM
This is entirely speculation, but do any of you suppose that maybe PSN's linkup with Steam could have had anything to do with this?

I was curious about what it meant when PSN could link up with steam. I had never heard of that. Thing is, I love steam...and they continue to pump out good security features like the newly implemented steam guard. I am curious though if you could explain it, how exactly was PSN linked with steam? If you bought a game for PS3 can you play it on your computer too?
Pretty much. I know that at least Portal 2 on PS3 could be linked to your steam account, so you got a free PC copy to download as well.
Portal 2 was actually the first and only game, having that feature.
Yea, as of right now it's just Portal 2, but the feature hasn't been out very long (a few weeks I think). Coincidentally it was only a week later that PSN was hacked...

Scotty

Quote from: Meiun on April 30, 2011, 02:49:33 AM
Wait, am I missing something? Where are you getting this info about them storing plain text passwords as opposed to hashes?

According to all the articles and the email I received (see http://arstechnica.com/gaming/news/2011/04/sony-admits-utter-psn-failure-your-personal-data-has-been-stolen.ars), they've all stated that the passwords and password hints were compromised.  Now if they were hashes, at least the passwords, then that wouldn't be such a big deal, likely not even worth noting, so long as they use one way encryption (which would make the whole process of hashing useless if they weren't).  In my experience, you would have to hash the passwords as well as the hint's answers (thus making them cAsE-SenSitIve), as they are both equally as dangerous if left un-hashed.  If both are using something like md5 checksums for the passwords, chances are there wouldn't be too much concern over the loss of them.

From what other people are telling me, it's still common practice to store passwords in plain text.  I have no idea why that is even considered, because it damn well ain't right, but apparently a lot of providers out there still do it.

RayRay

Does this mean I should be glad I don't have a PS3?

Scotty

Quote from: RayRay on April 30, 2011, 02:31:16 PM
Does this mean I should be glad I don't have a PS3?

Yes.

Jmac

You should also be glad if you own one, and used fake info to register. :D

CherryPie

Quote from: Jmacrules on April 30, 2011, 03:26:03 PM
You should also be glad if you own one, and used fake info to register. :D

I live in a weird nonexistent street in New York :D



Meiun

Quote from: Scotty on April 30, 2011, 02:11:10 PM
According to all the articles and the email I received (see http://arstechnica.com/gaming/news/2011/04/sony-admits-utter-psn-failure-your-personal-data-has-been-stolen.ars), they've all stated that the passwords and password hints were compromised.  Now if they were hashes, at least the passwords, then that wouldn't be such a big deal, likely not even worth noting, so long as they use one way encryption (which would make the whole process of hashing useless if they weren't).  In my experience, you would have to hash the passwords as well as the hint's answers (thus making them cAsE-SenSitIve), as they are both equally as dangerous if left un-hashed.  If both are using something like md5 checksums for the passwords, chances are there wouldn't be too much concern over the loss of them.

From what other people are telling me, it's still common practice to store passwords in plain text.  I have no idea why that is even considered, because it damn well ain't right, but apparently a lot of providers out there still do it.
It still seems like you are making a really strong assumption that they were plain text. MD5 and most other forms of hashes can fairly easily be cracked, often through as simple a method as brute force for many of them. Even if you have a relatively strong hash type with a strong password, there are always dictionary attacks, as well as rainbow tables. Sure, it would take ages to crack all of them, but none of them individually are safe, which is more than enough reason in my book to declare them all compromised even if they were hashed.

Scotty

Quote from: Meiun on April 30, 2011, 07:42:32 PM
It still seems like you are making a really strong assumption that they were plain text. MD5 and most other forms of hashes can fairly easily be cracked, often through as simple a method as brute force for many of them. Even if you have a relatively strong hash type with a strong password, there are always dictionary attacks, as well as rainbow tables. Sure, it would take ages to crack all of them, but none of them individually are safe, which is more than enough reason in my book to declare them all compromised even if they were hashed.

That's the thing though, so far as I know, MD5 remains "un-cracked".  Having an md5 sum is just as effective as not having anything at all.  The only method that I'm aware of to crack them is to brute force them, hence the term "One Way Encryption".  I'm sure they might get a couple, but it won't do them any good at all having the hashes.  The concern is having the PSN ID's, as now they have half the pieces to the puzzle. 

ARTgames

Well, md5 and sha1 are not fully compromised but have definitely gotten to the point where they're no longer considered a well secure hash. There are many rainbow tables out there like Meiun said. Not really that big of a deal because it's easy to get around them as long as you're salting your hashes. It's also recommended to use compute intensive hashes to slow down brute force attacks. There is still a problem that even compute intensive can be gotten by field programmable gate arrays and graphics cards. Best way to overcome this is to make it memory intensive but I don't know of any that are.

Meiun

Quote from: Scotty on May 01, 2011, 12:41:00 PM
That's the thing though, so far as I know, MD5 remains "un-cracked".  Having an md5 sum is just as effective as not having anything at all.  The only method that I'm aware of to crack them is to brute force them, hence the term "One Way Encryption".  I'm sure they might get a couple, but it won't do them any good at all having the hashes.  The concern is having the PSN ID's, as now they have half the pieces to the puzzle. 
Ah, that's where you're mistaken though. Both dictionary attacks and rainbow tables do work (and in the case of rainbow tables, exist) for MD5 hashes as well as most other hash types. Rather unfortunate really in all honesty. But you do have a point in that MD5s are pretty good as long as you have a semi-strong password, and like Art said, there are ways to aid in the protection against them. But even certain operating systems use fairly easily crackable hashes for their password storage, so my only real point is that I wouldn't straight up assume they messed up as bad as having them plain text just because they say they could be compromised (not to say they didn't do a poor job at securing them in some manner though). But anyways, it's all really a bit trivial I guess, as this whole situation still sucks either way for PS3 owners.

ARTgames

I bet all this was because someone clicked a link in an email.

Jmac


tehrozzy

Edit: Wtf, this posted to the wrong topic when I hit "quote" from a different topic. Eh.

Scotty

Quote from: Meiun on May 01, 2011, 01:32:04 PM
Ah, that's where you're mistaken though. Both dictionary attacks and rainbow tables do work (and in the case of rainbow tables, exist) for MD5 hashes as well as most other hash types. Rather unfortunate really in all honesty. But you do have a point in that MD5s are pretty good as long as you have a semi-strong password, and like Art said, there are ways to aid in the protection against them. But even certain operating systems use fairly easily crackable hashes for their password storage, so my only real point is that I wouldn't straight up assume they messed up as bad as having them plain text just because they say they could be compromised (not to say they didn't do a poor job at securing them in some manner though). But anyways, it's all really a bit trivial I guess, as this whole situation still sucks either way for PS3 owners.

Ahh.  Wasn't aware of "Rainbow Tables".  After reading up on them, it would make sense that the less secure (a.k.a shorter) passwords would be more easily compromised, if not through brute force, then something that could consume a lot of disk space (I think doing the math, it comes out to nearly 2 trillion string variations with all the keys on the keyboard at eight character string length).  I guess a salt would greatly increase the unlikelihood of cracking them, but I'd guess that if they managed to compromise all the information they did, they were probably also able to snatch the salt as well...  Yeah, that definitely gave me a different outlook on password security, effin' hell!

ARTgames

Quote
but I'd guess that if they managed to compromise all the information they did, they were probably also able snatch the salt as well...
That is fine just as long as they can't use pre-existing Rainbow Tables. Because then it's no different from a normal brute-force attack to make a new Rainbow Table for that salt. Top that with a compute intensive hash it becomes not impossible but much less likely to get anything useful out of the data anytime soon.
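Added example, not part of any post in this thread: a side-by-side of the two storage schemes the discussion contrasts, bare MD5 versus a per-user random salt with a memory-hard hash (scrypt, from Python's standard `hashlib`). The account names, passwords and function names are constructed for illustration, and the small precomputed set stands in for a rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users share a password on purpose.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}

def md5_unsalted(password):
    """Weak scheme discussed in the thread: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_hash(password, salt=None):
    """Per-user random salt plus a memory-hard KDF (about 16 MiB per guess)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest

def scrypt_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = scrypt_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def precomputed_hits(table, stored):
    """Count stored values found in a table built without knowing any salt."""
    return sum(1 for value in stored if value in table)

def compare_schemes():
    # A table computed once, ahead of time, stands in for a rainbow table.
    table = {md5_unsalted(p) for p in ("123456", "password", "hunter2")}
    weak = [md5_unsalted(p) for p in USERS.values()]
    strong = [scrypt_hash(p) for p in USERS.values()]
    return {
        "weak_hits": precomputed_hits(table, weak),
        "weak_distinct": len(set(weak)),        # shared passwords collide
        "strong_hits": precomputed_hits(table, [d.hex() for _, d in strong]),
        "strong_distinct": len({d for _, d in strong}),
    }

if __name__ == "__main__":
    print(compare_schemes())
```

The salt is stored next to the digest and is not secret; its job is to make every account need its own guessing work, while scrypt's memory cost limits how much of that work GPUs and FPGAs can do in parallel.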