Sign in to follow this  
Kegan

Change your Password (Discussion)

Recommended Posts

Well if you have not seen this post then i suggest first thing you do is go look..


 


http://forum.wurmonline.com/index.php?/topic/103402-change-your-passwords/#entry1048982


 


Okay now after seeing this it makes me wonder how secure we are here. We have volunteer staff for just about everything how do we know this will not happen in the future? Not saying anything bad about any of the people but like for instance the website getting reworked is it wise to use a player volunteer to do that work? I would feel safer if Rolf himself was to handle the critical parts of your sites and security and not delegate it out to players. 


Edited by Kegan
  • Like 1

Share this post


Link to post
Share on other sites

and rolf decreed that every announcement shall be discussed by the community and the worst type of assumptions shall be put forward to all that bothers to read, so it is written, so shall it be.


Edited by demondan
  • Like 3

Share this post


Link to post
Share on other sites

I dont think a website face lift is the same as giving a player access to all the security credentials. I am no web guru, but I would imagine it is just about as unsecured as hiring anyone to do the work.


Share this post


Link to post
Share on other sites

Let's discuss the crackable password.txt file stored locally.

You shouldn't be using your same password anyways for anything.

Share this post


Link to post
Share on other sites

I'd like to know how much staff/ex staff involvement there was in this? I can't tell if it's just careful wording or what, did staff at some point compromise something intentionally?


  • Like 1

Share this post


Link to post
Share on other sites

It's fine, my standard password would take 48 thousand years to bruteforce :D

My ultrastrong, 3 trillion years

https://howsecureismypassword.net/

My "easy" password:

It would take a desktop PC about 4 billion years to crack your password

 

My "wtf!?!" password

It would take a desktop PC about A tredecillion years to crack your password

Edited by Hussars

Share this post


Link to post
Share on other sites

Yet there are many, many newer methods used to crack passwords other than brute force.. Like rainbow tables, etc... Not saying a good password is a bad thing by any means.. stronger the better.. But brute force isn't used nearly as much as in the past. ;)

Share this post


Link to post
Share on other sites

Would be nice to have Enki or another GM post how to change your password and how to recover a lost password for those who don't remember what theirs is.


  • Like 1

Share this post


Link to post
Share on other sites

Good Idea Nosyt.


 


 


Now to curtail some speculation.  No, the compromise that happened was not done by a team member past or present.  This was nothing intentional by any of us.  This was an external incursion.  We saw it and took care of it, but the damage was done so to speak.


  • Like 2

Share this post


Link to post
Share on other sites

Yo dawg, I hacked the anti-password hack site, and got all your passwords, I herd u liek security.

Nah but seriously, my client password has always been different from forum one. Learned that lesson on an indy fallout mod. Also, two million years to brute force my client pass.

Share this post


Link to post
Share on other sites

It's fine, my standard password would take 48 thousand years to bruteforce :D

My ultrastrong, 3 trillion years

https://howsecureismypassword.net/

I kept spamming random stuff till I hit "Infinite". Got 25 Million years for my PW. I think I'm good. 

 

On another note, shouldn't the team send out mass emails? Not everyone lurks the forums.

Edited by Banzai

Share this post


Link to post
Share on other sites

I memorized like 8+ passwords already.. I'm not even remember some of them >_> ...


Share this post


Link to post
Share on other sites

So... if one never made a new email account to change security question when that one got reset, is it safe to change password? o.O


Not sure if that question was ever answered if we really need to make a new email account now just to change security question.


Not using same password on forum and ingame login anyways but just wondering how the exact procedure would be to get me on the safe side again with everything.


  • Like 1

Share this post


Link to post
Share on other sites

Dunno how usefull can be tool like this https://howsecureismypassword.net/ in collecting your passwords ...

if I had been hacker, my first step should be prepare page like this, advertise it a bit and wait :P

Edited by Zakerak
  • Like 1

Share this post


Link to post
Share on other sites

I didn't create a new e-mail account to change my security question. After reading Enki's post I simply logged in with both of my toons and sent a /tell to myself (not wanting to announce my pw to the local folks), then typed in /password oldpw newpw


If its done correctly you should see something like Goldenvalley -ok Independence -ok in your event tab.  ^_^


Share this post


Link to post
Share on other sites

Another thing, if you're too lazy to make your own hard to crack password, use the password recovery system and get an automatic one!


Share this post


Link to post
Share on other sites

It baffles me that the devs still store passwords in plain text. Not only for the forum, but for the game as well. It takes all of five seconds to crack a password.txt.

I reported Wurm to http://plaintextoffenders.com

Kinda quick there skippy considering Invision uses salted passwords and not plain text.

Share this post


Link to post
Share on other sites

Why do you keep telling people to create overly complex passwords with strange charcters and not using words? 


 


Using 4 random words that makes up a 16+ letter password is very very safe and not too hard to type or remember. The most significant aspect of a good password is that it is long. It should also be as random as possible (random words is enough, not scrambled letters). 


 


I never use those sites to check my actual password either, if you do, there is a risk they record it and put it in some "known" passwords list used for breaking into your account later :)


 


And I also ask, why does forum or game store my password and not a hash? Is it even legal to store peoples passwords?


Edited by Torgrim
  • Like 1

Share this post


Link to post
Share on other sites

I'm software developer. I store user passwords in unreadable form, masked by complex text, some XOR and few other operations...

Once friend (gifted programmer) visited me at work, he saw that database table with stored coded passwords and asked me to copy one of them to him. In 20 minutes he said me correct uncoded password. Only tool he used was calc.exe. I still do not understand how he did it, but I know even passwords in hash form are not absolutely secure. It is unreadable only for us, less gifted :D

Share this post


Link to post
Share on other sites

Ok, Manny, so they just steal the hash and it is same in both DBs? You could use differrent salt or algorithms for them I guess... 


 


 


Zakerak, your passwords were not hashes. If they were he could not have gotten the real password out of them. Home made encryption and hash is not the same thing. 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this