use a PS3 device ID and only allow changing the password on the device, but that is also known by the attackers and I'm sure it could be spoofed.
Often, every device in a secure network would benefit by having its own asymmetric encryption key. This way, Sony could have easily implemented a challenge-response that only clients could respond to. The hackers would only have gotten the public keys, which wouldn't do them any good outside of some sort of man in the middle exploit, which would require secret control of a part of the PSN network over an extended period of time.
Often, every device in a secure network would benefit by having its own asymmetric encryption key. This way, Sony could have easily implemented a challenge-response that only clients could respond to. The hackers would only have gotten the public keys, which wouldn't do them any good outside of some sort of man in the middle exploit, which would require secret control of a part of the PSN network over an extended period of time.