
Thread: Trion's incompetence at account security, no, not being hacked but afterwards

  1. #1
    Ascendant
    Join Date
    Feb 2011
    Posts
    3,668

    Default Trion's incompetence at account security, no, not being hacked but afterwards

    So Trion got hacked. That's bad, and to the fanboys saying that others have been too, that's no excuse.

    However, what they've done now is totally incompetent. Let's review the situation:

    1) Due to a poor security decision way back, they used our E-MAIL address as our login name.
    2) The hackers stole, among other things, our E-MAIL address, thereby giving them our login name.
    3) The hackers got our encrypted passwords. I note the lack of mention that these were SALTED, so I presume they weren't; if so, that's another Trion fail. However, even if they're salted it's still a problem.

    So now the hackers have our E-MAIL and encrypted PASSWORD. If their rainbow table strikes gold then they'll find some passwords that work and will be able to log in ...

    ... this is where Trion FAIL HARD ...

    they are NOT asking the current SECRET QUESTIONS! Yes, that's right, the ONLY protection against someone getting their hands on the login credentials IS NOT BEING USED TO PROTECT THE PASSWORD CHANGE OPERATION or the selecting of new secret questions.

    THIS IS UTTERLY INCOMPETENT. What purpose have secret questions got if they're not used at the very time they would have some use in protecting our accounts???
    Last edited by Kerin; 12-22-2011 at 11:55 PM.

  2. #2
    General of Telara
    Join Date
    Apr 2011
    Posts
    944

    Default

    If Trion didn't use emails as username then whoever stole the data would have access to both your email address and some username you might be using in other places.

    And yeah it was weird that they made us change secret questions without answering the old ones, perfect timing for whoever has been phishing accounts for a while to be able to steal accounts for real!

  3. #3
    Soulwalker Stignos's Avatar
    Join Date
    Dec 2011
    Posts
    16

    Default

    Kerin, following your logic, every time you send an email to somebody you're giving them your username and thus breaching your own security.

    Whoever uses the same password for all their internet accounts is begging to be robbed.

    I am not worried about the attack. Why? Because I actually take precautions so these hacks don't affect me.

    Learn to live in the internet.
    Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.

  4. #4
    Champion
    Join Date
    Feb 2011
    Posts
    549

    Default

    Quote Originally Posted by Stignos View Post
    Learn to live in the internet.
    Well... from whom?

    Password strength is described here rather well:
    http://xkcd.com/936/

    So Trion's password-requirements encourage Tr0ub4dor&3

  5. #5
    Soulwalker Stignos's Avatar
    Join Date
    Dec 2011
    Posts
    16

    Default

    Quote Originally Posted by Oktabi View Post
    Well... from whom?

    Password strength is described here rather well:
    http://xkcd.com/936/

    So Trion's password-requirements encourage Tr0ub4dor&3
    Common sense goes a long way...

    The internet is just another environment where "survival of the fittest" can be applied to some extent.
    If you're "fit" it will be hard to actually steal from you, and if they do you will have a backup measure ready.
    Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.

  6. #6
    Telaran
    Join Date
    Dec 2010
    Posts
    83

    Default

    Quote Originally Posted by Oktabi View Post
    Well... from whom?

    Password strength is described here rather well:
    http://xkcd.com/936/

    So Trion's password-requirements encourage Tr0ub4dor&3
    Well, with passwords the length is what makes them more secure (depth plays a minor factor in the grand scheme of things).

    A lecturer showed me an example where a pseudo-random string (say 'xhD82^%d') was less 'secure' than a simple string with enough padding (say 'd0G.............................................. ..').

    Trion's new restrictions/guidelines mean you could easily have a sentence as your password (512 chars is the (new?) max length of password). I'd love to see someone brute force a random line from a book.

    On a note, correct horse battery staple is not a secure password, as it'll probably be in a password cracking dictionary right now.

  7. #7
    RIFT Guide Writer intrinsc's Avatar
    Join Date
    Feb 2011
    Location
    Warminster, PA
    Posts
    5,957

    Default

    Quote Originally Posted by Kerin View Post
    So Trion got hacked. That's bad, and to the fanboys saying that others have been too, that's no excuse.

    However, what they've done now is totally incompetent. Let's review the situation:

    1) Due to a poor security decision way back, they used our E-MAIL address as our login name.
    2) The hackers stole, among other things, our E-MAIL address, thereby giving them our login name.
    3) The hackers got our encrypted passwords. I note the lack of mention that these were SALTED, so I presume they weren't; if so, that's another Trion fail. However, even if they're salted it's still a problem.

    So now the hackers have our E-MAIL and encrypted PASSWORD. If their rainbow table strikes gold then they'll find some passwords that work and will be able to log in ...

    ... this is where Trion FAIL HARD ...

    they are NOT asking the current SECRET QUESTIONS! Yes, that's right, the ONLY protection against someone getting their hands on the login credentials IS NOT BEING USED TO PROTECT THE PASSWORD CHANGE OPERATION or the selecting of new secret questions.

    THIS IS UTTERLY INCOMPETENT. What purpose have secret questions got if they're not used at the very time they would have some use in protecting our accounts???
    cool story bro

    also, encrypted passwords do not mean they got the decrypted password DERP!
    Last edited by intrinsc; 12-23-2011 at 01:12 AM.
    "I love being a father, but there are some things I miss: Silence, the absence of noise, one single moment undisturbed by the sounds of a children's TV program called Doc McStuffins. There is no quiet anymore, there is only Doc McStuffins."
    — Ron Swanson, 2014

  8. #8
    Champion
    Join Date
    Feb 2011
    Posts
    549

    Default

    You missed the point a bit - everyone is encouraged to use an upper case letter, some numbers and special signs. Most people have a password that is less than 12 characters; if it's a sentence it's mostly a popular one (Bible, Shakespeare and most likely some quote from Jersey Shore, if you insist on calling it a "quote", which adds an intellectual flair to something that's not supposed to be within a mile of something productive - like manure.)

    Additionally restrictions can weaken encryption (or passwords), in a popular example: WWII Enigma-encryption was not allowed to encrypt a letter by itself (leaving it unchanged) - which made decrypting easier.

    The problem is, that everyone is taught to use a passWORD and make it fit the requirements.

  9. #9
    This Space For Rent Scormus's Avatar
    Join Date
    Oct 2010
    Location
    Pacific Northwest, USA
    Posts
    679

    Default

    Quote Originally Posted by Sywyn View Post
    On a note, correct horse battery staple is not a secure password as it'll probably be in a password cracking dictionary right now
    Wouldn't work for Rift anyway, since the passwords here require at least one number and symbol. And anyone who chooses their password off of a popular webcomic deserves to get their account compromised, in my opinion.

  10. #10
    Rift Disciple Ruthik's Avatar
    Join Date
    Jul 2011
    Posts
    161

    Default

    To the ones defending Trion with the "It's encrypted" stance. All that means is that the password is jumbled using a pattern of bit encryption and probably using a standard protocol (I would hope not).

    It sucks it happened, but I see it as free stuff... I changed it before they got my account and every single password of every single site and account is different :-).

  11. #11
    Rift Chaser NerfedWar's Avatar
    Join Date
    Dec 2010
    Posts
    377

    Default

    Quote Originally Posted by Kerin View Post
    So Trion got hacked. That's bad, and to the fanboys saying that others have been too, that's no excuse.

    However, what they've done now is totally incompetent. Let's review the situation:

    1) Due to a poor security decision way back, they used our E-MAIL address as our login name.
    2) The hackers stole, among other things, our E-MAIL address, thereby giving them our login name.
    3) The hackers got our encrypted passwords. I note the lack of mention that these were SALTED, so I presume they weren't; if so, that's another Trion fail. However, even if they're salted it's still a problem.

    So now the hackers have our E-MAIL and encrypted PASSWORD. If their rainbow table strikes gold then they'll find some passwords that work and will be able to log in ...

    ... this is where Trion FAIL HARD ...

    they are NOT asking the current SECRET QUESTIONS! Yes, that's right, the ONLY protection against someone getting their hands on the login credentials IS NOT BEING USED TO PROTECT THE PASSWORD CHANGE OPERATION or the selecting of new secret questions.

    THIS IS UTTERLY INCOMPETENT. What purpose have secret questions got if they're not used at the very time they would have some use in protecting our accounts???
    Hehe, I thought I was through to a rogue website when it asked me to choose new secrets without prompting for existing.

    Not very confident in Trion's wording regarding whether CC info got stolen or not...

    Very bad timing for Trion as many people ( me included) were just looking for an excuse to give something else (swtor) a go.
    ...the internet treats censorship as damage, and routes around it...
    NerfedWar Addons and Tutorials
    * Note: tutorials are currently being ported to the new site.

  12. #12
    Rift Disciple
    Join Date
    Jun 2011
    Posts
    117

    Default

    Unless you're an idiot you don't use the email address you use for your Rift login anywhere else on the internet, so some hacker knowing this email address shouldn't matter in the slightest.

  13. #13
    Rift Disciple Ruthik's Avatar
    Join Date
    Jul 2011
    Posts
    161

    Default

    Quote Originally Posted by Llranda View Post
    Unless you're an idiot you don't use the email address you use for your Rift login anywhere else on the internet, so some hacker knowing this email address shouldn't matter in the slightest.
    I wouldn't say they are idiots in the slightest. A bit naive or ignorant maybe, but not an idiot. BTW, I do use a different email lol.

  14. #14
    Ascendant Pixel Monkey's Avatar
    Join Date
    Feb 2011
    Posts
    3,231

    Default

    ooo I'm so paranoid for my pixels that I must make angry posts in forums
    unique credentials for one specific purpose, and anything that happens in game can be undone.
    get over it already, the internet was not designed to rob you of your shinies

  15. #15
    Telaran Elonie's Avatar
    Join Date
    Aug 2011
    Posts
    62

    Default

    Quote Originally Posted by Ruthik View Post
    To the ones defending trion with the "It's encrypted" stance. All that means is that the password is jumbled using a pattern of bit encryption and probably using a standard protocol (i would hope not).
    Actually, I hope and expect that they do use a standard protocol that has been properly cryptanalyzed.

    Encrypting in this context generally means that the password is sent through a so-called one-way hash function; you cannot retrieve the original password from the hashed output; to verify that you entered your password correctly, Trion will simply send it through the same function again and check that it generates the same output. The only practical attack that will find your password is a dictionary based attack, where the attack tries common dictionary words (as well as variations that you get through capitalization, misspelling, replacing letters with numbers or symbols, plus easy combinations). If you chose a good password (i.e. one that is resistant to dictionary attacks), you should be safe.
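As an added example (not code from the thread, from Trion, or from any poster), the following puts together what Elonie describes in #15 and what Kerin complains about in #1: passwords and secret-question answers stored as salted, slow one-way hashes, verification by re-hashing, and a password-change operation that is gated on the current secret answer. All names, values and the iteration count are constructed for illustration.

```python
"""Salted one-way hashing plus a secret-question-gated password change.
Constructed example: names, sample users and the work factor are assumptions."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (assumed); makes each dictionary guess expensive


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash. The digest cannot be reversed; checking means re-hashing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return salt, digest


def verify_secret(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Run the candidate through the same function with the stored salt; constant-time compare."""
    return hmac.compare_digest(hash_secret(candidate, salt)[1], digest)


def unsalted_digests_collide(pw_a: str, pw_b: str) -> bool:
    """Without a salt, equal passwords give equal digests, so a single precomputed
    table (the thread's 'rainbow table') matches every user sharing that password."""
    return hashlib.sha256(pw_a.encode()).digest() == hashlib.sha256(pw_b.encode()).digest()


class Account:
    """Login name is the e-mail address, as in the thread; nothing secret is stored in clear."""

    def __init__(self, email: str, password: str, secret_answer: str) -> None:
        self.email = email
        self.pw_salt, self.pw_hash = hash_secret(password)
        # Normalise the answer so ' Rex ' and 'rex' match, then salt and hash it like a password.
        self.sq_salt, self.sq_hash = hash_secret(secret_answer.strip().lower())

    def login(self, password: str) -> bool:
        return verify_secret(password, self.pw_salt, self.pw_hash)

    def change_password(self, current_secret_answer: str, new_password: str) -> bool:
        """The gate Kerin asks for: a cracked password hash alone is not enough to
        take over the account; the CURRENT secret answer must be verified first."""
        if not verify_secret(current_secret_answer.strip().lower(), self.sq_salt, self.sq_hash):
            return False
        self.pw_salt, self.pw_hash = hash_secret(new_password)  # fresh salt on every change
        return True
```

Two accounts created with the same password end up with different salted digests, which is exactly what defeats the shared precomputed table the thread worries about.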
