Sony Breaches Show Need for Strong Passwords

Sue Marquette Poremba

Did Sony's users play a role in accounts being breached?


The knee-jerk reaction is of course to say "no" since it is the responsibility of the company to protect its databases and networks. And on one level, that is true. Sony and other companies are trusted to protect the information of their users.


But a software architect named Troy Hunt discovered that users left themselves more vulnerable by using weak passwords. Hunt said in a blog post that Sony's customers made the breach much worse because of the way passwords are used and reused. An InformationWeek article stated:

How prevalent is password reuse? To find out, Hunt looked at two of the Sony databases released by LulzSec, and found that they contained over 2,000 identical email addresses, meaning that "someone has registered on both databases," he said. But had they used different passwords? In fact, 92% of people used the same password. Perhaps, however, they were just reusing the same password on multiple Sony websites?

Granted, Sony didn't help matters by allegedly storing the passwords in a plain-text format rather than encrypting them.
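Hunt's reuse measurement above (matching email addresses across two dumps and checking whether the passwords are identical) and the point about plain-text storage can be shown together. The following is an added example, not Hunt's code or Sony's; the two dumps are constructed sample data and the hashing parameters are an assumption, not anything the article specifies.

```python
import hashlib
import hmac
import os

# Constructed sample dumps (not the real breach data): email -> plain-text password.
DUMP_A = {
    "alice@example.com": "Summer2011",
    "bob@example.com": "letmein",
    "carol@example.com": "p@ssw0rd",
    "dave@example.com": "hunter2",
}
DUMP_B = {
    "alice@example.com": "Summer2011",   # same password on both sites
    "bob@example.com": "letmein",        # same password on both sites
    "carol@example.com": "different!",   # different password per site
    "erin@example.com": "qwerty",        # registered on only one site
}

# Assumed KDF settings for the illustration; tune to current guidance in practice.
PBKDF2_ROUNDS = 200_000


def password_reuse(dump_a, dump_b):
    """Emails present in both dumps, those that reused a password, and the reuse rate."""
    shared = sorted(set(dump_a) & set(dump_b))
    reused = [email for email in shared if dump_a[email] == dump_b[email]]
    rate = len(reused) / len(shared) if shared else 0.0
    return shared, reused, rate


def store_password(password, salt=None):
    """Return (salt, digest): a per-user random salt and a slow PBKDF2 digest,
    which is what should be stored instead of the plain-text password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    shared, reused, rate = password_reuse(DUMP_A, DUMP_B)
    print(f"{len(shared)} shared accounts, {len(reused)} reused a password ({rate:.0%})")
    # Same password, two users: salted digests differ, so a leak reveals no reuse.
    (s1, d1), (s2, d2) = store_password("Summer2011"), store_password("Summer2011")
    print("stored values differ:", d1 != d2, "| verify:", verify_password("Summer2011", s1, d1))
```

With plain-text storage the cross-site comparison is a dictionary lookup; with per-user salted digests the same comparison yields nothing, which is why the measurement was possible at all.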


In his research, Hunt compared the passwords in the Sony breach with those in the Gawker breach. Among his findings, as his blog reported:

What really strikes me in this case is that between these two systems we have a couple of hundred thousand email addresses, usernames (the Gawker dump included these) and passwords. Based on the finding above, there's a statistically good chance that the majority of them will work with other websites. How many Gmail or eBay or Facebook accounts are we holding the keys to here? And of course "we" is a bit misleading because anyone can grab these off the net right now. Scary stuff.

Hunt concluded that users are lax about passwords, and pointed out that the best password is one you can't remember. Of course, it doesn't do you any good if you can't remember them at all. In my opinion, the best password defense is to come up with a strong password system that works for you, but most importantly, don't use a one-size-fits-all password for everything you do.
