PS3 Firmware Update Incoming, Will Force PSN Users To Change Password

by Mike Bendel April 27, 2011 @ 8:08 pm

As revealed today in an update posted on the official PS Blog, Sony plans on releasing a new PS3 firmware update soon. In addition to allowing users to connect to the rebuilt PSN infrastructure, it’ll force a password change on connect. This comes in response to the recent PSN security breach, which has left a staggering 70 million+ accounts compromised.

Here’s the item in question, direct from the FAQ:

We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

In related news, Sony also confirmed that personal data – such as your PSN password – was stored unencrypted in their database. We’ve since been informed, however, that password data was hashed, which means it’s impossible to retrieve the passwords without resorting to time-consuming brute force attempts. This can take years for complex passwords, so it’s a very safe way of storing such details. Regardless – we still recommend changing your password.

Going forward, Sony’s strategy to improve security entails “moving our network infrastructure and data center to a new, more secure location, which is already underway.”

For individuals affected, it might take more than mere assurance to regain trust, but at least Sony is headed in the right direction.


Seth says:

Via reddit

Biggy204 says:

So how secure is this supposed secure firmware $ony has in store for users?

karnbmx says:

Sony failed. Miserably.


El Diablo says:

I switch the S with a $ to show how greedy and money hungry of a corporation $ony is, maaaaaaaaaaaaan.

karnbmx says:


I checked their blog, and they say that all our personal data was "protected, and access was restricted both physically and through the perimeter and security of the network".

So our personal data WAS actually encrypted, and hence, they didn't fail that badly.

x3sphere says:

No it wasn't. Just the credit card data. Read the rest.

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

So whoever hacked PSN has a massive wordlist of 70+ million passwords, thanks to Sony's inability to prepare for a worst case scenario.

Robby says:

Seeing as they lied to us once, I wouldn't trust them. They probably don't want to cause a bigger uproar.

TeamOverload says:

Since they continuously can't comment on the fact of if our credit card information was taken or not, they obviously have a very poor series of protections put in place to begin with. How do you not know what was retrieved from your own servers?

x3sphere says:

Also, even though CCs are encrypted, it doesn't mean the hacker wasn't able to obtain the real values.

As encryption is not a one way street, there is a decrypt function located on the server since it remembers your CC for subsequent purchases. So a skilled intruder could have decrypted every CC using their server. No brute force needed.

NeilR says:

I very much doubt that x3. For that to be true they would have to serve as their own clearing house which is unlikely. The encrypted CC info is what is sent to clearing houses; CC numbers are supposed to be encrypted immediately upon submission and it is this encrypted value that gets sent for processing. A clearing house (payment gateway) is responsible for the public and private keys issued to each of their clients; meaning Sony would not have access to the keys. They wouldn't be in business if they didn't follow the global standards; they're subject to audits just like everyone else.

JohnVani18 says:

Yeah!! Kick them in the nut$.. in the nut$.... in the nut$...... xD

Hellcat says:

That sounds like there is hope CC information is not compromised.... doesn't it?

Sarcasm says:

Well, that's good, now I'm a bit more impressed.

Dan says:

Still, there's a chance the credit card data table can be decrypted, right?

NeilR says:

Sure there's a chance but it isn't simple. It would be far easier for someone to try and manipulate the system by sending requests using the encrypted info directly to a payment gateway but that would also require knowledge of all kinds of other things.

Personally, I'm more concerned about the obvious potential for identity theft rather than the legitimate card I've used with PSN.

Dan says:

They're prepping dev units with a devised SDK. Hopefully some benefit will come of it.

iamjoeyb says:

Smoke and mirrors! They are blowing this up so when we all get back on our systems and there is a charge to use the network we convince ourselves it's for safety so it's ok to pay. Sony is not dumb, they pay for the best of the best in all fields, marketing included. So I am guessing the price will be something like $29.99 to $49.99 and they will make back all their money they lost and some. 70 million users times 20 bucks hahahah yeah. A round of applause for the genius marketeer behind this one. Let us know how big your bonus is. Thumbs down!!!!

Abe Froeman says:

I'm so confident that won't happen, I'd eat my own shit if it does.

Josey Wales says:

I'm on Sony's side just to see this happen

Dan says:

It would be excellent if Sony merely did this to watch Abe eat his shit

Seth says:

Wow I too would like to see this happen :)

january39 says:

If it gets PSN back online and Abe thinks it would help, I'm right behind him (not literally though) :)
