EH-Net (The Ethical Hacker Network forums)
Topic: Sony hack reveals password security is even worse than feared
geekyone
« on: June 08, 2011, 06:33:12 AM »

From The Register: Sony hack reveals password security is even worse than feared

Quote
A million Sony users' password/username IDs and 250,000 Gawker login credentials, each stored in plain text, were exposed via separate hacks.

Quote
Four in five of the passwords in the 37,608 account sample from the Sony hack actually only occurred once. But users are independently making poor password choices, Hunt reports. Around 36 per cent of the passwords used appeared in a password dictionary, a factor that would leave them wide open to brute-forcing attacks in instances where the same passwords were used and only a password hash database was exposed by a hack. Hunt reckons more than four in five (82 per cent) of the passwords would have fallen to a basic rainbow table crack.

Maybe it is just me, but I think the fact that two companies, who should be using adequate security controls, stored passwords in plain text is a much more important trend than identifying that internet users use insecure passwords on sites without sensitive data.

I mean, really, the researcher says that 82% of the passwords would fall to a basic rainbow attack, except that the reality of the situation is the hackers didn't have to use a rainbow attack because the companies didn't bother to hash the passwords.

Anyway /rant.
CISSP, CEH, GPEN, GCIH, GCFA
lorddicranius
« Reply #1 on: June 08, 2011, 11:41:39 AM »

The companies: they need to take measures to hash/encrypt the passwords stored on their systems.  I find it extremely disturbing that any company, let alone a company as giant and public as Sony, stores their passwords in plain text.  It's 2011 - I thought we were past this.

The users: they still aren't grasping the concept of the need to use stronger passwords and the importance of not using the same passwords across multiple systems.

While the companies storing passwords in plain text is more disturbing, I don't think it should take away from the importance of the users' part in all of this.
« Last Edit: June 08, 2011, 11:52:11 AM by lorddicranius »

GSEC, eCPPT, Sec+
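As an added example (not code from either poster, from The Register, or from Troy Hunt's analysis), the script below shows the storage question both posts argue over in working code: a leak of unsalted fast hashes falls to a table that is precomputed once and reused (the principle behind the "rainbow table crack" in the quoted article), while per-user salts plus an iterated KDF force the attacker to recompute every guess for every user. The usernames, passwords, wordlist and iteration count are all constructed for illustration; PBKDF2 with HMAC-SHA256 from Python's standard library is used as the slow hash, which is an assumption of this example rather than anything the thread recommends.

```python
"""Added example: plaintext / unsalted-MD5 storage versus salted PBKDF2,
and what each does to the attacker's cost. All data below is constructed."""
import hashlib
import hmac
import secrets

# Constructed stand-in for a leaked credential table (not breach data).
LEAKED_PLAINTEXT = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",
}

# Constructed attacker wordlist, playing the role of the "password dictionary"
# the article mentions.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "seinfeld"]

ITERATIONS = 100_000  # assumed PBKDF2 work factor; raise as hardware gets faster


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash. Equal passwords give equal hashes for every user
    on every site, which is exactly what a precomputed table exploits."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once. Built offline, reusable against any
    dump of unsalted MD5; this is the principle behind a rainbow table."""
    return {unsalted_md5(w): w for w in wordlist}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """One dictionary lookup per user: no hashing at all at crack time."""
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_store(password: str, salt: "bytes | None" = None,
                 iterations: int = ITERATIONS) -> tuple:
    """Salted, iterated storage. Returns (salt, iterations, derived_key);
    all three are stored with the user record, none of them is secret."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, dk)


def pbkdf2_verify(password: str, record: tuple) -> bool:
    """Recompute the derived key and compare in constant time."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def crack_salted(stored: dict, wordlist) -> tuple:
    """Dictionary attack against salted PBKDF2. Nothing can be precomputed:
    every guess is redone per user with that user's salt. Returns the
    recovered passwords and the number of KDF evaluations it cost."""
    found, evaluations = {}, 0
    for user, record in stored.items():
        for guess in wordlist:
            evaluations += 1
            if pbkdf2_verify(guess, record):
                found[user] = guess
                break
    return found, evaluations


if __name__ == "__main__":
    unsalted_db = {u: unsalted_md5(p) for u, p in LEAKED_PLAINTEXT.items()}
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 + precomputed table:", crack_unsalted(unsalted_db, table))

    salted_db = {u: pbkdf2_store(p) for u, p in LEAKED_PLAINTEXT.items()}
    found, cost = crack_salted(salted_db, WORDLIST)
    print(f"salted PBKDF2: {found} after {cost} KDF evaluations "
          f"of {ITERATIONS} rounds each")
```

Both storage schemes give up the same two weak passwords here, which is the users' side of the argument: a dictionary word is recoverable either way. The difference is the cost model. Against unsalted MD5 the table is built once (six hashes) and then reused for free against any number of users and any number of sites; against salted PBKDF2 the attacker pays `users × guesses × iterations` and can reuse none of it, and "carol"'s non-dictionary password costs the full wordlist for nothing. Plaintext storage, the thread's actual complaint, costs the attacker zero.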