Nintendo has been affected by several security flaws in recent weeks. In late April the company confirmed that hackers were using credentials obtained from hacks of other platforms to get into Nintendo Switch accounts, and thousands of affected users were forced to change their passwords. Now the Switch itself appears to be making it easier for hackers to guess your password, and it may even reveal something more dangerous: that Nintendo is storing passwords in plain text.

Security researcher Runa Sandvik discovered this dangerous flaw, which is related to how login works on the console. Before we enter our credentials to connect to Nintendo Switch Online, the “OK” button appears with a gray background and cannot be pressed. However, when we enter the correct password, the button changes color and lets the user click it.

Nintendo knows what text you are typing into the password field

Interestingly, the OK button also lights up when the user enters only the first eight characters of their password. The eShop doesn’t let you log in with only eight characters, but it tells someone other than us that they are on the right track when trying to guess our password. If, for example, our password is “bat” and the hacker enters “bat”, the logical next step is to try to complete the word, since they only have to guess what comes next. And in most cases that will not be more than 4 or 5 digits.

Although this may seem like a minor problem, what it actually shows is something even more dangerous: that Nintendo stores passwords in plain text. A service should only know the hash of our password (a one-way cryptographic digest of it), and not its content. With that design, it would make sense for the button to light up when we enter the full password and its hash matches the stored one. But when we enter only part of the password, the hash should be different, and therefore the button should not light up.

So we don’t know if Nintendo is storing passwords in plain text, or if it’s creating two different hashes for our password; one for the first eight characters, and one for the full password.
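
To make the reasoning above concrete, the following Python sketch is an added example, not Nintendo's code or anything from the original article: it models a login check that stores only a salted hash of the full password beside the two designs the article hypothesises. The function names, PBKDF2 parameters and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PREFIX_LEN = 8          # the article reports the OK button enabling after 8 characters
ITERATIONS = 100_000    # assumed PBKDF2 work factor for this sketch
SAMPLE_PASSWORD = "correct-horse-42"  # constructed sample, not a real credential


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def enroll_full_only(password: str) -> dict:
    """Expected design: one salted hash of the whole password."""
    salt = os.urandom(16)
    return {"salt": salt, "full": _kdf(password, salt)}


def enroll_with_prefix(password: str) -> dict:
    """Article's second hypothesis: an extra hash of the first 8 characters."""
    record = enroll_full_only(password)
    record["prefix_salt"] = os.urandom(16)
    record["prefix"] = _kdf(password[:PREFIX_LEN], record["prefix_salt"])
    return record


def enroll_plaintext(password: str) -> dict:
    """Article's first hypothesis: the password itself is kept."""
    return {"plain": password}


def ok_button_enabled(record: dict, typed: str) -> bool:
    """Model of the visible signal: does the typed text match a stored verifier?"""
    if "plain" in record:
        return typed in (record["plain"], record["plain"][:PREFIX_LEN])
    if hmac.compare_digest(_kdf(typed, record["salt"]), record["full"]):
        return True
    if "prefix" in record:
        return hmac.compare_digest(_kdf(typed, record["prefix_salt"]), record["prefix"])
    return False


if __name__ == "__main__":
    prefix = SAMPLE_PASSWORD[:PREFIX_LEN]
    for enroll in (enroll_full_only, enroll_with_prefix, enroll_plaintext):
        record = enroll(SAMPLE_PASSWORD)
        print(enroll.__name__, "prefix accepted:", ok_button_enabled(record, prefix))
```

Only the full-hash design rejects the eight-character prefix; both hypothesised designs accept it, which is why the behaviour described above cannot distinguish between them from the outside.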

Our security recommendation is the same as always: use complex and unique passwords for each service. In addition, if you can, always activate two-step verification so that, if someone manages to get your password, they still need a second code that is sent to your mobile and that they cannot know.

The post A switch failure allows you to guess your Nintendo eShop password appeared first on ADSLZone.