I'm no security expert, but typically websites will take the user inputted password and perform an encryption like an MD5 encryption on them, then store them in a database. Example: 'password' when encrypted with an MD5 algorithm becomes '5f4dcc3b5aa765d61d8327deb882cf99'. It would be impossible to take '5f4dcc3b5aa765d61d8327deb882cf99' and determine that it is 'password'. When someone logs in and types 'password' to their account, it is encrypted again and compared to the stored encryption. (In addition a good system will 'salt' the value to further complicate things so you can't just see that md5 checksum and go look up possible combinations).

When I saw the hack attempt the most alarming thing was that in Bethesda's response they have claimed that the hackers have access to the passwords, which indicates that they aren't using this kind of protection.

Is there a reason they are using the PSN strategy of network security?

Why would you think that the passwords are unencrypted? :huh:

It's more likely that the hackers were able to decrypt the passwords they found using some code found in the login process on the site.

REALLY bad example. MD5 is so broken it isn't funny.

Let's just hope they salted the hashes.

Mmm salty hash...

Edit: But I doubt Beth had unencrypted passwords. It's likely they hash them with SHA-2. :shrug:

I'm not going to jump to conclusions about Beth's strategy right now. Let's wait and see and hope for the best.

MD5 is really bad for security-related applications but it does have some uses :shrug:

Those uses are usually checksums right?

The example was given of using MD5 for password hashing, which is an all-around bad idea. I didn't mean to imply MD5 has no uses, as it's still great for checking file integrity.

Yes, but I should point out that it IS possible to 'fake' a md5sum. (Two different files with identical checksums)

What makes you think they store unencrypted passwords?

Would you guys be happier if I used AES-256 as an example?

We're just discussing security. We get what you were saying.

that or any SHA-2 function

SHA-512 would be best and most likly since I doubt symmetric key encryption would be chosen over hashing

What about using xr9-5000 super duper encryption?

I'm gonna go ahead and lock this, because there's other threads on the same topic.

I will say that I'm 99% sure that Bethesda uses a hash to protect passwords. I don't know the details of it (salted or unsalted) or anything like that though. Or whether or not passwords could be recovered from it (simply having the hash would probably be enough to access these forums).