Monday, May 16, 2011

Sony #PSN Password Resets: Inconsistent & Inadequate?

Sony's PlayStation Network (PSN) has been offline for a long time. You know the reason for that by now. Following @mikkohypponen and others on Twitter, I saw that #PSN would open up again, territory by territory. I downloaded and installed the mandatory v3.61 update, eagerly awaiting some serious pwning in MW2:Black Ops again. I just had to change my password first, according to tweets and Sony themselves in a blog post. You know, for my own security. Thanks to Sony for taking care of me!


Like most people I know, RTM or RTFM just doesn't stick to the polytetrafluoroethylene coating. Try first, try a few more times, then eventually cave in and RTM. Easy.

Whoa... Wait a minute. Passwords first, MW2:Black Ops second. Let's take a look at the process for my multiple password resets using my PS3 as well as the web, and look for differences and weaknesses.

First of all: the PS3 process. Screenshots using my HTC Desire against my 100" and a Sony (!) VPL-HW15 projector.

Updated to v3.61. Request to logon to #PSN, this is what I get:

Ok, sure. If your organisation and/or your customers have been pwned: DO A COMPLETE PASSWORD RESET FOR ALL ACCOUNTS. (Sorry for the bold capital text there, but hey; it's important!). So far, so good.


Ah. Password requirements. At least length eight, numbers and letters. Ok. Let's try out the most common of them all (remember RockYou?): 123456.


Nope, that didn't work, and they do tell me which requirements my attempt didn't fulfill. GOOD! Some complexity and pattern matching rules here as well; PLEASE notice the last one: "The password must be different than your previous password". Ahhh. Password history, I see; that might be a good thing. Well, let's try the PCI DSS compatible password then: password1 (That's a single digit at the end there...)


Hrmf. Well, say whatever you want: password1 is NOT what I would consider a good password. As far as most recommendations from non-commercial organisations go, the minimum requirement today is for a MixAlphaNumeric minimum length 8 password. Not that Password1 would be much better, but again: my own research shows that as much as 50% of users that are forced to comply with a mixalphanumeric policy will use the pattern UPPERlowerlowerlowerlowerlowerdigitdigit (or 2 additional digits). The keyspace is considerable, while reality is not. But hey; you'll learn more about such things at Passwords^11. :-)

Just a final screenshot to show a heavily censored version of which data you could get access to using my PS3 and knowing my password. (Card number: first4 as well as last 4 digits, no security code):


Well. So far so good. Or not? Well, password1 for sure is not acceptable to me. Entering even that password using my PS3 controller was more than enough; I can't imagine too many people entering a length 12+ MixAlphaNumericSpecials password using their PS3 controller, even if the password gets stored locally after entering it.

So I had to do another round or two - or three - of "lost password", just to see what that looked like. Back down to my home office and my computers. Pleasant surprise: DoNotReply@ac.playstation.net had sent me an e-mail with the subject: PlayStation(R)Network Password Change. Nice. I think that a default opt-out option should be available in online services, where the default setting will send you some kind of confirmation if/when security settings related to your account are changed in any way.

Browsing to www.playstation.com, "Sign in", "Forgot password", and voila:


Date of birth? Hm. Not too difficult to remember for most of us, and just a little bit more programming to do for an attacker to bypass. Nice. (Forgive me again for the heavy censorship, I'm sure you understand...)


Only one method for resetting my password available, but I've got to say I really hope to see more and better alternatives here in the future. "Please dial this premium number in Japan. If your callerID matches the number entered into your profile using your PS3, we'll give you a 10-digit OTP valid for 30 minutes to reset your password". Ah well, got carried away there, replacing Sony's losses over #PSN downtime.


I get a confirmation on screen telling me that an e-mail has been sent to my e-mail address, which is also my logon ID. Some comments here:

  • I've written about Guarding your usernames earlier. I'll stand by that, pointing my finger at Sony as well as others for not giving me any alternatives.
  • The way Sony has implemented this may enable easier identification of correct e-mails and birth dates. Another take, which I've seen at some sites, is to say something like "An e-mail has now been sent to your registered address, as long as the data entered are correct". Not sure about the usability vs security aspect there yet, still spending time thinking about it. 

Anyway; the e-mail from DoNotReply... came within seconds, containing an https link to store.playstation.com/(something...), with a timeout value of 3 hours from the time it was sent. There are other variations around of that timeout, IF they have one at all.
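As an added example (my own illustration, not Sony's code) of the reset flow discussed above: the request is answered with the same generic message whether or not the e-mail and date of birth match, so the reply itself does not reveal which pairs are correct; only a matching pair produces a token, which is unguessable, stored only as a hash, single-use, and expires after the three-hour window mentioned in the e-mail. The user table, the injectable clock and the in-memory outbox are constructed for the example.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 3 * 60 * 60   # the three-hour link lifetime from the post
TOKEN_BYTES = 32                  # assumed: 256 bits of randomness per token

# Same wording whether or not the request matched, so the reply leaks nothing.
GENERIC_RESPONSE = ("An e-mail has now been sent to your registered address, "
                    "as long as the data entered are correct.")


def token_key(token: str) -> str:
    """Tokens are stored hashed; a leaked table of pending resets is then useless."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetService:
    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self.users = users            # e-mail -> date of birth (constructed sample data)
        self.now = now                # injectable clock so expiry can be tested
        self.pending: Dict[str, Tuple[str, float]] = {}   # token hash -> (email, expiry)
        self.outbox: List[Tuple[str, str]] = []           # stands in for the mail system

    def request_reset(self, email: str, dob: str) -> str:
        """Always returns the generic message; only a matching pair produces a token."""
        if self.users.get(email) == dob:
            token = secrets.token_urlsafe(TOKEN_BYTES)
            self.pending[token_key(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        return GENERIC_RESPONSE

    def redeem(self, token: str) -> Optional[str]:
        """Return the account the token unlocks, or None if unknown, already used, or expired."""
        entry = self.pending.pop(token_key(token), None)   # pop makes the token single-use
        if entry is None:
            return None
        email, expiry = entry
        if self.now() > expiry:
            return None
        return email


if __name__ == "__main__":
    svc = ResetService({"alice@example.com": "1980-01-01"})   # constructed account
    print(svc.request_reset("alice@example.com", "1999-12-31"))  # wrong DOB: same reply, no mail
    print(svc.request_reset("alice@example.com", "1980-01-01"))  # match: token goes to outbox
    _, token = svc.outbox[0]
    print(svc.redeem(token), svc.redeem(token))                  # account, then None (used)
```

The caller that handles a redeemed token should still require a fresh password that passes the policy and should invalidate any other pending tokens for the account, which this sketch leaves to the surrounding application.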

For those paranoid among us: clicking the link gives me a case-sensitive CAPTCHA. Wow. Well, I did it in 3 attempts. :-) (Always a good idea to be a bit careful with capital i and so on in captchas...)


Let's see if the web interface will allow me to use the single character "a" as my password. (A favorite test of mine for sure!)


Nope, didn't work. Instead I get a banner stating the password policy:


Hey! There's something wrong here! Compare this image above to the one below. Seems like Sony #PSN isn't completely consistent in their password policy, differentiating between passwords entered through the web or using the PS3s own interface? Hmmmm.... Could there be more weaknesses here? (Please continue to read below...)


There are.

See that last sentence there? "The password must be different than your previous password?". Doesn't seem to be implemented. I've changed away from password1, then back again, then away from it again. Not much sign of any password history being kept there. Could be a good thing, as I've written about in an earlier blog post entitled Why History May Be Bad For You. I really don't like to see written password policies not getting implemented to the word. It just makes things harder for end users. The policy says one thing, the system apparently requires something else.
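To show what one policy, shared by every interface and backed by a working history check, looks like, here is an added example (my own illustration, not Sony's code). It implements the three rules shown on the PS3 screen earlier: at least eight characters, letters and numbers, and different from the previous password; it also flags the UPPERlower...digitdigit habit described above. Previous passwords are kept only as salted PBKDF2 hashes. The history depth, the PBKDF2 parameters, the pattern check and the exact message strings are my own assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Rules as shown on the PS3 password screen in the post.
MIN_LENGTH = 8
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000   # assumed; tune for the deployment
HISTORY_DEPTH = 5             # assumed; the screen only promises "previous password"

# Assumed check for the UPPERlowerlower...digitdigit habit described in the post.
COMMON_SHAPE = re.compile(r"^[A-Z][a-z]+[0-9]{1,2}$")


def check_policy(password: str) -> List[str]:
    """Return every stated requirement the candidate fails; an empty list means accepted.
    One function for every interface (web, console) so the rules cannot drift apart."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("must contain at least one letter")
    if not any(c.isdigit() for c in password):
        failures.append("must contain at least one number")
    return failures


def has_common_shape(password: str) -> bool:
    """True for passwords following the capital letter, lowercase run, trailing digits pattern."""
    return COMMON_SHAPE.match(password) is not None


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt+digest record."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Keeps the current password plus recent ones as hashes only, so reuse can be refused
    without the service ever storing plaintext."""

    def __init__(self, password: str, history_depth: int = HISTORY_DEPTH):
        self.history_depth = history_depth
        self.history = [hash_password(password)]   # oldest first, current last

    def change_password(self, new_password: str) -> List[str]:
        failures = check_policy(new_password)
        if any(verify_password(new_password, h) for h in self.history):
            failures.append("must be different than your previous password")
        if failures:
            return failures
        self.history.append(hash_password(new_password))
        self.history = self.history[-self.history_depth:]
        return []


if __name__ == "__main__":
    acct = Account("password1")
    print(check_policy("123456"))             # the RockYou favourite fails two rules
    print(has_common_shape("Password12"))     # the pattern half of policy-driven users pick
    print(acct.change_password("password1"))  # reuse refused
    print(acct.change_password("wordpass6"))  # accepted
    print(acct.change_password("password1"))  # still refused: it is in the history
```

Whether the web form or the console calls it, check_policy returns the same list of unmet requirements, which is exactly the consistency the two screenshots above show was missing; the history check is what turns the written "must be different" rule into behaviour.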

My main concern with this: If Sony #PSN doesn't enforce this policy requirement, how many of their 70+ million customers will eventually type in the same previous password as they've used all along? The password that apparently has been compromised already? Any chance Sony would do a limited NDA-based release of their user database, so that others could take actions to protect their own customers, like LinkedIn did after the Gawker compromise? I guess not.

If you get compromised, you are compromised and you will basically remain compromised unless you change everything, including your users.

Now if you'll excuse me, I'm going to play Modern Warfare 2 : Black Ops on #PSN. I just have to delete my credit card details from my #PSN profile first.

2 comments:

  1. Thanks for the analysis from a PSN user!

  2. "The password must be different than your previous password"

    This very clearly states "password" in singular form, not plural, hence if you change from password1 to wordpass6 then back again to password1, you are still within their policy. A fairly useless policy, I agree, but still correct. :-)

