Today the UK Information Commissioner’s Office levied a record £250k fine against Sony over their 2011 Playstation Network breach in which 77 million passwords were stolen. Sony stated that they hashed the passwords, but provided no details. I was hoping that investigators would reveal what hash algorithm Sony used, and in particular if they salted and iterated the hash. Unfortunately, the ICO’s report failed to provide any such details:
The Commissioner is aware that the data controller made some efforts to protect account passwords, however the data controller failed to ensure that the Network Platform service provider kept up with technical developments. Therefore the means used would not, at the time of the attack, be deemed appropriate, given the technical resources available to the data controller.
Given how often I see password implementations use a single iteration of MD5 with no salt, I’d consider that to be the most likely interpretation. It’s inexcusable though for a 12-page report written at public expense to omit such basic technical details. As I said at the time of the Sony Breach, it’s important to update breach notification laws to require that password hashing details be disclosed in full. It makes a difference for users affected by the breach, and it might help motivate companies to get these basic security mechanics right.
1 thought on “Dear ICO: disclose Sony's hash algorithm!”
@ Joseph Bonneau,
As I said at the time of the Sony Breach, it’s important to update breach notification laws to require that password hashing details be disclosed in full
Err no, that would not be a good idea.
Technology changes very much faster than any law maker can ever hope to keep up with. Worse hurreied law is ill thought out law and thus subject to many faults, the least of which is “The law of unintended consequences”.
The way to do it would be more akin to the way the EU does it with technical issues. Basicaly you have a law that sets out the scope of coverage etc and mandates the use of regulations that use frameworks. These frameworks consists of standards drawn up by specialist bodies in the area concerned.
Overall it is more flexible and errors can be fairly easily rectified without having to return it to the legislature who will almost certainly medal with other aspects just to justify putting it back befor the legislature.
Although one thing I do like about EU technical directives is most have an inbuilt review data which means there is a process of managing major change in an effective manner.
Personaly I would like to see not just this but “sundown clauses” in all legislation so that both bad and unused laws change or die with changes in society limmiting the oportunity for them to be abused.
A side effect of this would be that legislators would be given a more sensible set of planed activites to do rather than “invent laws to justify their income”. It would also serve as a break on the lobbying industry which would be no bad thing.