A security expert has raised questions about French video game company Ubisoft's password security practices after the company revealed that hackers had stolen customer data.
Ubisoft warned customers yesterday that it "recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems."
"During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords."
Despite the claim that passwords were encrypted, it advised customers to reset them.
“Passwords are not stored in clear-text but as an obfuscated value," it said. "Those cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending our users to change their password.”
According to Rik Ferguson, security researcher for Trend Micro, this suggests that the company is not following best practice for keeping passwords secure.
One possible explanation, Ferguson wrote in a blog post last night, is that the company has not added a "salt" – a random string of characters – to the encrypted form of its user's passwords, known as the hash. This means it would be relatively easy to decrypt the passwords through automated guesswork.
"If simple passwords could be cracked with ease, this sounds like the weakest form of hashing, unsalted, which is vulnerable to a simple lookup attack known as a Rainbow Table attack," he wrote in a blog post last night.
Alternatively, Ubisoft may have used a "common salt" – i.e. the same random string – for every password. Again, this means the passwords would be relatively easy to decrypt.
"If they were salted, then were they using a common salt for every user and a hashing algorithm designed for speed rather than security? If so, then their password database is still vulnerable to a Rainbow Table attack."
Ferguson said that best practice is to use a unique salt for every password and to feed them through the hashing function repeatedly, a technique known as adding a "work factor", to make them harder to decrypt.
"This drastically increases the time taken to crack individual passwords and because the work factor is variable, it can be modified to keep up with advances in processing power," Ferguson wrote.
He also criticised the company's decision to send out an email with a password reset link, which could easily be spoofed by other hackers to trick customers into handing over their passwords and usernames.
Information Age asked Ubisoft whether or not Ferguson's analysis of its password security is correct. "We are unable to provide further technical details about this particular case," a spokesperson replied. "We would like to reassure our customers that Ubisoft’s security teams are constantly exploring all available means to expand and strengthen our security measures in order to better protect them.”
Speaking to Information Age this morning, Ferguson said that the Ubisoft data breach follows similar attacks on electronics giant Sony and marketing firm Espilon, in which hackers are evidently targeting large caches of personal data.
"These companies represent a large concentration of a lot of different data items. By breaching someone like Ubisoft, you're going to walk away with names, dates of birth, email address, maybe marketing preferences – all kinds of things that allow you to construct much more credible email- or social-networking attacks."
"Personal information is a saleable commodity, and companies with a large user-base represent a very attractive target," he added. "They should absolutely be taking care."
However, he also said that Ubisoft would not be alone in failing to follow best practice for password security. "Unfortunately, there are far too many organisations who don't secure their passwords databases properly."
Last year, UK retail giant Tesco came under fire for apparently storing passwords in an encrypted form.
