Sony is only No. 2 in all-time-largest data breach, despite bad security, weak passwords
Customer passwords were too weak to add much security, but they never had to
The series of clusterfracks that combined into the six-week-long Sony Hack online adventure series turn out to be only the fourth and tenth-largest recorded hack in history, according to data gathered and analyzed by DataLossDB, but more attractively packaged at FlowingData.
Combine the breaches recorded as having lost 77 million records April 26 and 25 million May 2, however, and you have a total of 104 million records – second in the history of all online data breaches only to the 130 million records stolen from credit-card processor Heartland Payment Systems in January, 2009.
And that doesn't even include records and partial records stolen during the dozen or two subsequent Sony hacks, none of which were in the same league, but for which Sony should get credit.
During trying times like these, within Sony's IT security group, it's important to get credit for everything you deserve.
Admittedly, Sony did get some help from its customers. Their passwords were too short, too simple and too predictable – as is pretty usual for consumer sites especially – according to an analysis of the passwords from developer and security pro Troy Hunt.
Ninety-three percent of the passwords were between 6 and 10 characters – which is short but not impossibly bad.
Much worse, only one percent of all the passwords contained a character that was not a letter or number. Adding symbols like % or & to alphanumerics make passwords almost impossible to crack using rainbow tables or brute force.
Much, much worse, 64 percent of the passwords exist in dictionaries of frequently used passwords, which work swimmingly as data sets that would allow hackers to unencrypt encrypted passwords more easily.
So, as with the revealed password files at Gawker.com, the Sony passwords were simple, short and crackable.
Sony's IT security group stepped up to the plate there, however, never allowing attackers chance to unencrypt or crack users' passwords.
They did it by storing user names and passwords in plain text that would be readable by any browser or any application able to read a .txt or ASCII file.