How-To Geek

Analysis of Sony Leak Shows Weak and Duplicate Passwords

Whenever there is a massive password leak it offers a treasure trove of data for security experts to analyze and the massive leak of Sony logins and passwords was no exception. Consider the analysis a guide in what not to do.

Troy Hunt did an analysis of the torrent of passwords released by the group that hacked Sony’s servers. He crunches the numbers on the logins for things like length, character selection, and dictionary occurrence, and, rather interestingly, compares them to the passwords from Gawker’s 2010 password breach. It turns out that a full 67% of users were using the exact same password on both networks (to put this in perspective, the Gawker breach occurred last year, yet 67% of the PlayStation Network users had not changed their password despite it being the exact login/password combo that had been leaked).

Hit up the link to read the full analysis and remember: use a different and strong password for every login! It’s highly probable that the users who recycled the same login/password on Gawker and the PlayStation Network also recycled the same login for more important and personal accounts too. You don’t want to be in that position.
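As an added example that is not part of the article or of Troy Hunt’s own analysis: a small script that reproduces the kind of comparison he describes, measuring how many accounts present in two breach dumps carry the same password and profiling each dump by length, character classes and dictionary hits. The two dumps and the wordlist are constructed stand-ins, not leaked data.

```python
import re
from collections import Counter

# Constructed sample dumps (account -> plaintext password). None are real
# credentials; they stand in for the two breach datasets being compared.
GAWKER_2010 = {"alice@example.com": "password1", "bob@example.com": "Tr0ub4dor&3",
               "carol@example.com": "letmein", "dave@example.com": "battery staple",
               "erin@example.com": "qwerty", "frank@example.com": "S3cure!Pass"}
SONY_2011 = {"alice@example.com": "password1", "bob@example.com": "Tr0ub4dor&3",
             "carol@example.com": "letmein2", "dave@example.com": "battery staple",
             "frank@example.com": "s3cure!pass", "grace@example.com": "123456"}
# Tiny constructed wordlist standing in for a real dictionary.
WORDLIST = {"password", "letmein", "qwerty", "welcome", "monkey"}

def character_classes(pw):
    """Count of character classes present: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)

def is_dictionary_word(pw):
    """True if the password is a wordlist entry, ignoring case and a numeric suffix."""
    return re.sub(r"\d+$", "", pw.lower()) in WORDLIST

def profile(dump):
    """Length, character-class and dictionary statistics for one dump."""
    pws = list(dump.values())
    return {"lengths": Counter(len(p) for p in pws),
            "classes": Counter(character_classes(p) for p in pws),
            "dictionary": sum(is_dictionary_word(p) for p in pws)}

def reuse_rate(dump_a, dump_b):
    """For accounts in both dumps: exact reuse (Hunt's comparison) and near
    reuse, which also counts passwords differing only by letter case."""
    shared = set(dump_a) & set(dump_b)
    exact = sum(dump_a[u] == dump_b[u] for u in shared)
    near = sum(dump_a[u].lower() == dump_b[u].lower() for u in shared)
    pct = lambda n: round(100.0 * n / len(shared), 1) if shared else 0.0
    return {"shared": len(shared), "exact": exact, "exact_pct": pct(exact),
            "near": near, "near_pct": pct(near)}

if __name__ == "__main__":
    print(reuse_rate(GAWKER_2010, SONY_2011))   # exact 3/5 = 60%, near 4/5 = 80%
    print(profile(SONY_2011))
```

The same functions run unchanged over a real pair of exports once loaded into the same account-to-password shape, which is how a defender would measure whether a forced reset after a breach actually took.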

A Brief Sony Password Analysis [Troy Hunt via BoingBoing]

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.

  • Published 06/7/11

Comments (5)

  1. Radie

    I’m not here to defend being lackadaisical with your password or security settings, but I often wondered (especially with something like Gawker and/or Sony) just how valuable this information is…

    I mean, how many of these accounts can really be used to hurt someone? Of course there are more than enough for it to be an issue. But what does that matter to an 18-year-old college kid with $8.17 in the bank? That is just one example of a person for whom it almost certainly doesn’t matter that his passwords are weak. I bet the majority fall in that category as opposed to people with lots to lose… mainly because I bet when you have lots to lose then you do your due diligence to protect that.

  2. gyffes

    Fine, fine, but if they’re reusing passwords for something they pay for, they’re using those same credentials many places.

    How many does a hacker need to try to make it worth his while?

    Obviously, the headline the next day (“The day the internet changed its password”) wasn’t fully accurate, but it damn well should’ve been and these chumps, hopefully, have FINALLY learned.

  3. Neil the newbie

    This sort of problem does highlight how insecure a password “protected” system can be.

    User lethargy or apathy often leads to short and simple passwords used on a number of systems. Also, passwords are becoming vulnerable as CPU power increases.

    So, should alternatives be used? Retina scans or fingerprints perhaps?

  4. rintrah

    Does this really matter? Even though you have a strong password, the whole site was hacked and they got it anyway, so it is pointless. I’d rather lie in the forms so my personal info is not accurate, so there is nothing to steal there, right?

  5. TG2

    You know what would be really telling… once the network is fully back up, and all the users return to re-enable their accounts, etc., how many passwords will still be the same?

    As to the entry, and strength… the strength depends on the ease with which the password can be entered. It was quite the hassle entering my network’s WPA phrase into the Wii, having no keyboard, just the wand. Perhaps if it were easier to sync a user via web activation (get code from console, go to website, enter it and there you are, linked).

    And how often does a password prompt in account creation say “hey, that’s a dictionary word, it’s pretty easy to hack”… or some other checking like O.P. comparing the password with one that’s out in the wild… Then the user gets a message “hey… did you know that password was found in the list of 100 million passwords stolen from us the last time? Did you know that all a hacker needs is your user name… oh that’s right, john61538, it’s shown for player info when you connect… and the hackers can compromise your account again? And it’s not the same password you use at your bank, is it?”

    Figuring a slightly taunty password nag might get people to change…
