Sega Pass Website Breached

Date: 2011-06-18 08:58:21

On Thursday, June 16, 2011, Sega shutdown public access to it's Sega Pass network. Sega sent emails to it's users explaining breach including:

emails addresses
dates of birth
encrypted passwords

In the announcement, Sega said "To stress, none of the passwords obtained were stored in plain text."

Encrypted passwords are much better than other recent breaches at Sony and Writerspot, where the passwords were stored in plain text. Coming days will reveal the strength of the encryption used. If weak, publicly known, hashing algorithms were used, we may still see posted password lists in the near future.

It's time for companies to wise up. They should store usernames in a different place than passwords and join the two using meaningless keys. This makes it much harder to compromise a system, since the attackers must compromise two different systems to join the data. See It is Time for Website Login Credential Compliance Programs for ideas websites can use to improve authentication security.