May 3, 2011 17:52 GMT  ·  By

Sony has issued a clarification saying that while exposed PlayStation Network (PSN) account passwords were not encrypted, they were hashed using a cryptographic function.

The clarification comes after many news outlets reported that passwords were stored in plain text form, a practice known for being insecure.

The confusion arose from Sony's initial reports that PSN passwords were amongst the compromised data and a later statement saying that they weren't encrypted.

"While the passwords that were stored were not 'encrypted,' they were transformed using a cryptographic hash function.

"There is a difference between these two types of security measures which is why we said the passwords had not been encrypted.

"But I want to be very clear that the passwords were not stored in our database in cleartext form," said Patrick Seybold, senior director of corporate communications & social media at Sony Computer Entertainment America, the Sony division operating the PlayStation Network.

While hashing is technically a form of encryption, the latter term usually refers to a reversible process: encrypted data can be decrypted back to its original form by anyone holding the key.

Hashing, by contrast, is a one-way process and is generally used to verify data rather than to conceal it. A hash is meant to be a unique representation of its input that should not be reversible.

In the case of hashed passwords, each time a user enters a password, the corresponding hash is calculated and compared with the one on file. Since hashes are supposed to be unique, a match means the user supplied the correct password; the password itself never needs to be stored.

There are, however, hashing algorithms that are vulnerable to various types of attack. The MD5 algorithm, for example, is vulnerable to so-called collision attacks, in which two different inputs can be made to produce the same hash.

Considering that Sony has not specified what hashing algorithm was used and whether further protection methods like "salting" were used, it's hard to determine the risk associated with the theft of PSN password hashes.
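The verify-by-recomputing flow described above, first without and then with the per-user "salting" the article mentions, as an added example that is not Sony's code (the PSN scheme itself was never disclosed); SHA-256 and the sample passwords are assumptions:

```python
import hashlib
import hmac
import os

# Added example, not Sony's implementation. SHA-256 is an assumed choice;
# the article does not say which function PSN used.

def unsalted_hash(password: str) -> str:
    """One-way digest of the password alone. Every user with the same
    password ends up with the identical stored value, which is what makes
    a stolen table of unsalted hashes easy to match against common passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt=None) -> dict:
    """Build what a salted database row would hold: the salt in the clear
    plus the digest of salt||password. A fresh random salt per user means
    identical passwords no longer produce identical stored hashes."""
    if salt is None:
        salt = os.urandom(16)          # per-user, unique, not secret
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt.hex(), "hash": digest}

def verify(record: dict, attempt: str) -> bool:
    """Login check: recompute the hash from the stored salt and the supplied
    password and compare it with the value on file. The original password is
    never recovered, only re-derived and matched (constant-time compare)."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.sha256(salt + attempt.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, record["hash"])

def same_unsalted(p1: str, p2: str) -> bool:
    """True when two passwords would collide in an unsalted store."""
    return unsalted_hash(p1) == unsalted_hash(p2)

if __name__ == "__main__":
    # Constructed sample: two different users who chose the same password.
    alice = make_record("hunter2")
    bob = make_record("hunter2")
    print("unsalted hashes identical:", same_unsalted("hunter2", "hunter2"))
    print("salted hashes identical:  ", alice["hash"] == bob["hash"])
    print("alice, correct password:  ", verify(alice, "hunter2"))
    print("alice, wrong password:    ", verify(alice, "Hunter2"))
```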

Mr. Seybold also took the opportunity to dispel rumors according to which Sony was contacted by hackers who offered to sell millions of compromised credit card numbers back to the company.