Posted June 10, 2014 (edited) Well, if you have not seen this post then I suggest the first thing you do is go look: http://forum.wurmonline.com/index.php?/topic/103402-change-your-passwords/#entry1048982 Okay, now after seeing this it makes me wonder how secure we are here. We have volunteer staff for just about everything; how do we know this will not happen in the future? Not saying anything bad about any of the people, but, for instance, the website getting reworked: is it wise to use a player volunteer to do that work? I would feel safer if Rolf himself was to handle the critical parts of your sites and security and not delegate it out to players. Edited June 10, 2014 by Kegan
Posted June 10, 2014 Ya, stuff like that is scary, huh?
Posted June 10, 2014 (edited) And Rolf decreed that every announcement shall be discussed by the community and the worst type of assumptions shall be put forward to all that bother to read; so it is written, so shall it be. Edited June 10, 2014 by demondan
Posted June 10, 2014 I don't think a website facelift is the same as giving a player access to all the security credentials. I am no web guru, but I would imagine it is just about as unsecured as hiring anyone to do the work.
Posted June 10, 2014 It's fine, my standard password would take 48 thousand years to bruteforce. My ultrastrong, 3 trillion years. https://howsecureismypassword.net/
Posted June 10, 2014 Let's discuss the crackable password.txt file stored locally. You shouldn't be using your same password anyway for anything.
Posted June 10, 2014 I'd like to know how much staff/ex-staff involvement there was in this. I can't tell if it's just careful wording or what; did staff at some point compromise something intentionally?
Posted June 10, 2014 (edited)
> It's fine, my standard password would take 48 thousand years to bruteforce. My ultrastrong, 3 trillion years. https://howsecureismypassword.net/
My "easy" password: "It would take a desktop PC about 4 billion years to crack your password". My "wtf!?!" password: "It would take a desktop PC about A tredecillion years to crack your password". Edited June 10, 2014 by Hussars
Posted June 10, 2014
> It's fine, my standard password would take 48 thousand years to bruteforce. My ultrastrong, 3 trillion years. https://howsecureismypassword.net/
Used password123 to see if the site worked... Totally does.
Posted June 10, 2014 Yet there are many, many newer methods used to crack passwords other than brute force, like rainbow tables, etc. Not saying a good password is a bad thing by any means; the stronger the better. But brute force isn't used nearly as much as in the past.
Posted June 10, 2014 Would be nice to have Enki or another GM post how to change your password and how to recover a lost password for those who don't remember what theirs is.
Posted June 10, 2014 Good idea, Nosyt. Now to curtail some speculation: no, the compromise that happened was not done by a team member, past or present. This was nothing intentional by any of us. This was an external incursion. We saw it and took care of it, but the damage was done, so to speak.
Posted June 10, 2014 Yo dawg, I hacked the anti-password-hack site and got all your passwords; I herd u liek security. Nah, but seriously, my client password has always been different from my forum one. Learned that lesson on an indie Fallout mod. Also, two million years to brute force my client pass.
Posted June 10, 2014 (edited)
> It's fine, my standard password would take 48 thousand years to bruteforce. My ultrastrong, 3 trillion years. https://howsecureismypassword.net/
I kept spamming random stuff till I hit "Infinite". Got 25 million years for my PW. I think I'm good. On another note, shouldn't the team send out mass emails? Not everyone lurks the forums. Edited June 10, 2014 by Banzai
Posted June 10, 2014 I memorized like 8+ passwords already... I don't even remember some of them >_> ...
Posted June 10, 2014 So... if one never made a new email account to change the security question when that one got reset, is it safe to change the password? o.O Not sure if that question was ever answered: do we really need to make a new email account now just to change the security question? Not using the same password on the forum and in-game login anyway, but just wondering what the exact procedure would be to get me on the safe side again with everything.
Posted June 10, 2014 (edited) Dunno how useful a tool like this https://howsecureismypassword.net/ can be in collecting your passwords... if I were a hacker, my first step would be to prepare a page like this, advertise it a bit and wait. Edited June 10, 2014 by Zakerak
Posted June 10, 2014 I didn't create a new e-mail account to change my security question. After reading Enki's post I simply logged in with both of my toons and sent a /tell to myself (not wanting to announce my pw to the local folks), then typed in /password oldpw newpw. If it's done correctly you should see something like "Goldenvalley -ok Independence -ok" in your event tab.
Posted June 10, 2014 It baffles me that the devs still store passwords in plain text. Not only for the forum, but for the game as well. It takes all of five seconds to crack a password.txt. I reported Wurm to http://plaintextoffenders.com
Posted June 10, 2014 Another thing: if you're too lazy to make your own hard-to-crack password, use the password recovery system and get an automatic one!
Posted June 10, 2014
> It baffles me that the devs still store passwords in plain text. Not only for the forum, but for the game as well. It takes all of five seconds to crack a password.txt. I reported Wurm to http://plaintextoffenders.com
Kinda quick there, skippy, considering Invision uses salted passwords and not plain text.
Posted June 10, 2014 (edited) Why do you keep telling people to create overly complex passwords with strange characters and not to use words? Using 4 random words that make up a 16+ letter password is very, very safe and not too hard to type or remember. The most significant aspect of a good password is that it is long. It should also be as random as possible (random words is enough, not scrambled letters). I never use those sites to check my actual password either; if you do, there is a risk they record it and put it in some "known" passwords list used for breaking into your account later. And I also ask, why does the forum or game store my password and not a hash? Is it even legal to store people's passwords? Edited June 10, 2014 by Torgrim
Posted June 10, 2014 Both store the hash, not the pw.
Posted June 10, 2014 I'm a software developer. I store user passwords in unreadable form, masked by complex text, some XOR and a few other operations... Once a friend (a gifted programmer) visited me at work; he saw that database table with stored coded passwords and asked me to copy one of them to him. In 20 minutes he told me the correct uncoded password. The only tool he used was calc.exe. I still do not understand how he did it, but I know even passwords in hash form are not absolutely secure. It is unreadable only for us, the less gifted.
Posted June 10, 2014 Ok, Manny, so they just steal the hash and it is the same in both DBs? You could use different salts or algorithms for them, I guess... Zakerak, your passwords were not hashes. If they were, he could not have gotten the real password out of them. Home-made encryption and a hash are not the same thing.
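As an added illustration of the distinction the last two posts draw (this is example code written for this page, not anything from Wurm, Invision or the thread), the block below contrasts a reversible XOR "masking" scheme with a salted, iterated hash from the Python standard library. The XOR key, the sample password and the per-store salts are all constructed for the demo; the hash parameters are my own choice of settings, not any forum's configuration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample password for the demo (not a real credential).
DEMO_PASSWORD = "correct horse battery staple"

# --- Home-made reversible masking, in the spirit of the XOR scheme described above ---
def xor_mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key returns the input,
    so a value stored this way is an encoding, not a one-way hash."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def stored_value_is_reversible(password: str, key: bytes) -> bool:
    """Show that the masked value can be turned back into the password."""
    masked = xor_mask(password.encode(), key)
    return xor_mask(masked, key).decode() == password

# --- Salted, iterated hash (PBKDF2-HMAC-SHA256), the thing a hash store should keep ---
ITERATIONS = 200_000  # assumed work factor for the demo

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per record means the same
    password produces different digests in two databases, so a digest leaked
    from one store says nothing about the other."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time; there is
    no operation that turns the digest back into the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def same_password_different_stores(password: str) -> bool:
    """Hash one password for two independent stores (two salts) and report
    whether the stored digests differ."""
    _, forum_digest = hash_password(password)
    _, game_digest = hash_password(password)
    return forum_digest != game_digest

if __name__ == "__main__":
    print("xor value reversible:", stored_value_is_reversible(DEMO_PASSWORD, b"k3y"))
    salt, digest = hash_password(DEMO_PASSWORD)
    print("verify ok:", verify_password(DEMO_PASSWORD, salt, digest))
    print("digests differ across stores:", same_password_different_stores(DEMO_PASSWORD))
```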