
Thread: Heartbleed Vulnerability and your Passwords

  1. #1

    Funcom employee Heartbleed Vulnerability and your Passwords

    Hello Everyone

    I'm sorry if this post gets quite technical in places. If you are not all that interested in the technical aspects, then please read the parts in bold and feel free to ask questions.

    I'm sure most of you have read the news about the OpenSSL vulnerability that has affected most of the internet in the past few days. I wanted to post a short update about how Funcom was affected and our recommendation on your password(s).

    Like most other sites, we use OpenSSL for our encryption when you are browsing using https. This affected our registration site(s), The Secret World's Chronicle site and our Item Shops. Once we heard about the vulnerability we immediately patched all of our sites, and the work was completed at 10am GMT on the 8th April, well before the vulnerability hit mainstream media.

    Why is this vulnerability so serious?
    Well the short story is, it allowed an attacker to read the process memory of the web server in 64kb chunks.

    Due to the way our technical setup works, this actually affected us less than many other sites. We only use our web servers as a pass-through for data, rather than actually using the web server to execute code (ala Apache+mod_php).

    However, there is important information stored in the web server's memory, such as the security certificate that we use to encrypt your requests. Also, it's possible that information submitted to the web servers resided in memory for a short period of time while it passed through the web server.

    All our security certificates will also be re-issued to ensure that any data that was leaked is no longer valid.

    What should I do to protect myself?
    We have decided not to enforce password changes on everyone. This is extremely disruptive and since we have no evidence that passwords are compromised, we don't believe it will help.

    You are of course free to change your passwords, and we'd also recommend doing so regularly.

    Funcom does however recommend the following for ALL users:
    1. It is very important that you use SEPARATE passwords for at least Email, Online Banking, PayPal and Game Logins.

    We understand that remembering multiple passwords is difficult. Having a separate password for every site is the gold standard, and to do that you really need to have a password manager (KeePass, LastPass etc.).

    2. Never use your game password to log into anywhere other than register.funcom.com (or game variants) and the game itself.

    Don't use it on fan sites, guild sites, your favorite music message board etc. The admins of these sites do great work, but the more places you use the same password, the more exposed you are.

    3. If your password is in this list, change it: http://www.symantec.com/connect/blog...words-all-time

    The next version of our registration site will simply ban this list from being used.

    4. Your email password is your MOST important password.

    Please keep in mind that if your email password is compromised, then all your passwords can be reset. This is a very common way that we see game accounts getting hacked.

    5. Any password that you make should be LONG (ideally more than 10 characters!).

    This isn't as hard as it sounds and really does make your password much more secure. If you only use lowercase letters then an 8 character password has 208 billion combinations, actually not that many for a modern processor especially if the data is only weakly encrypted. If you double that to 16 characters then there are actually 43608742899428 billion combinations.

    To put that in context, if it's 200 meters to the end of your street, with an 8 character password you were only making them walk to the end of the street to crack it. With a 16 character password you are now making them walk around the planet over 1 million times.

    If you add in uppercase letters and numbers then it is even harder to crack, but an 8 character mixed case+numbers password is only about 1000x harder than an all lowercase password, so length of password is critical.

    If you don't want to use a password manager, then come up with a system for passwords. For example if your standard password is WkF3g99X, then add something to it for each site, i.e. FuncomWkF3g99X, PaypalWkF3g99X, SteamWkF3g99X etc. In doing so you have just created a unique password for each site, while only having to remember one password.

    Password security is no longer about someone you know guessing your pet's name and date of birth. It’s about websites being compromised, databases being stolen and your password being cracked using a rainbow table. The longer and more unique your password is, the less likely it will be in a rainbow table.

    6. Even after all of this… your brother/sister* is the most likely person to hack your account
    Sad, but true, we get cases of this every single day. Don't leave your iPad lying around the house logged into your email or give them your game password.

    * This may also apply to your loving girlfriend/wife/boyfriend/husband, your mother or house mates (because you pwned them last night in the arena).



    I'll also leave this thread open for discussion. If you have any questions about password security, I will be happy to answer them today as best I can.

    Regards,
    Alex Cowan (aka Lucien)
    Billing Director
    A Genuine Lucien - Accept No Substitutes

  2. #2
    What is your effective limitation for password length? Four to five words which aren't related to AO is probably easiest to remember and very good still. Or if they are related to AO and not used on site related to AO...
    Ekarona 220/30 Female Solitus Engineer, long term member of Northern Star and proper "poor" gimp.
    Ekaslave 220/low Female Solitus Trader, FLAT(TM) pricing TS, almost all can do!
    Ekaros almost there/almost there too Male Solitus Martial-Artist.
    Ekadv gimp/gimp Female Opifex Adventurer

  3. #3
    hi u! u thar! can we has mobilenumber-security added to account? So if email is fux0red it is still not fail? tnx
    Disclaimer: My posts should not be read by anyone.

  4. #4

    Funcom employee

    Quote Originally Posted by Ekarona View Post
    What is your effective limitation for password length? Four to five words which aren't related to AO is probably easiest to remember and very good still. Or if they are related to AO and not used on site related to AO...
    Right now the billing site has a limit of 20. I think this is due to the game's password field.
    A Genuine Lucien - Accept No Substitutes

  5. #5

    Funcom employee

    Quote Originally Posted by leetlover View Post
    hi u! u thar! can we has mobilenumber-security added to account? So if email is fux0red it is still not fail? tnx
    I'll see if we can get that added into the next version of the site. We certainly have the capability to do it, but we've never added it.
    A Genuine Lucien - Accept No Substitutes

  6. #6
    First of all, congratulations on a swift reaction. This being said...

    Any plans on using ssl for all your pages and deploying Perfect Forward Secrecy?
    Eff.org kinda vehemently requires it.
    There is no problem that an absence of solution couldn't solve

    Wielder of the "IWin" button.

  7. #7
    zDD - a Damage/HEALS/Tanks/XP parser
    Quote Originally Posted by Vlain View Post
    yea...the best way to fix messed up game mechanics is by giving up item slots for new 'bug fix items'...like I said before, next we'll get the Staff of Pet Pathing and perhaps an Anti-LD Ring and how about some pants that make it so I don't get forced to autoface my opponent after casting a nano when I'm trying to run away...Combined Developer's Wear of Autoface Resistance, and maybe some new symbs with broken quest resistance, oh, and how could I forget the upgrade to the scuba gear that adds Rubberbanding Resistance...

  8. #8
    I have a basic question since I don't understand how they can get someone's password by testing many combinations quickly. I used to run an FTP and before that a BBS (last century :> ). If someone tried (and they did try) to log in with the wrong psw or login, they'd get 5 chances and then they'd get disconnected and not allowed to try for half an hour.

    Isn't this simple technique employed here or do they log on from multiple ip's and stuff?

  9. #9
    Quote Originally Posted by Phatkeep View Post
    I have a basic question since I don't understand how they can get someone's password by testing many combinations quickly. I used to run an FTP and before that a BBS (last century :> ). If someone tried (and they did try) to log in with the wrong psw or login, they'd get 5 chances and then they'd get disconnected and not allowed to try for half an hour.

    Isn't this simple technique employed here or do they log on from multiple ip's and stuff?
    That isn't the issue here. Heartbleed allowed people to get parts of the memory of a server running it. These chunks of memory could have had password hashes and user names visible.

    Once hashes are leaked they can be cracked offline.
    Ekarona 220/30 Female Solitus Engineer, long term member of Northern Star and proper "poor" gimp.
    Ekaslave 220/low Female Solitus Trader, FLAT(TM) pricing TS, almost all can do!
    Ekaros almost there/almost there too Male Solitus Martial-Artist.
    Ekadv gimp/gimp Female Opifex Adventurer

  10. #10

    Funcom employee

    Quote Originally Posted by Phatkeep View Post
    I have a basic question since I don't understand how they can get someone's password by testing many combinations quickly. I used to run an FTP and before that a BBS (last century :> ). If someone tried (and they did try) to log in with the wrong psw or login, they'd get 5 chances and then they'd get disconnected and not allowed to try for half an hour.

    Isn't this simple technique employed here or do they log on from multiple ip's and stuff?
    The problem isn't really people trying to guess your password anymore.

    What they are trying to guess is if you use the same password at a different website. They already know your password.

    Say for example you use the same password everywhere. One day you register for ilovecupcakes.cn, a perfectly (fictitious) legitimate website. You create a username, password and give them your email address.

    EvilHacker1 has hacked ilovecupcakes.cn though, and now he knows the username, email and password of everyone registered there. He just needs to find out where else they have used those usernames+passwords.
    A Genuine Lucien - Accept No Substitutes

  11. #11
    I understand. But why do we need really strong passwords then?

  12. #12
    what are the chances of changing our acct names
    what if the hokey pokey?...is what its all about
    I AM BORED!!!!
    Capnsfix, Capncaveman, Denamari, Monkeylips, and boatloads of others
    Insanity inc. still waiting on our in game strait jacket

  13. #13
    Quote Originally Posted by Phatkeep View Post
    I understand. But why do we need really strong passwords then?
    That is because no serious company stores your passwords anywhere. If hackers "steal passwords" they actually steal so called hashes. A hash algorithm takes your password and messes it up into a lump of random bytes. The same input always creates the same hash. It is however impossible to take the hash and directly reverse the process to get the password.

    However, hashes can be calculated very, very quickly. So the cracker takes a random input, computes the hash and compares it to the hash he got from the website. If the hashes match, then he has the correct password. He just tests every combination until he finds the correct hash.

    So the more complex the password is, the more possible combinations need to be tested and the longer it takes.

    Crackers are more sophisticated (keywords: dictionary attacks, rainbow tables, for example, if you are interested), but it basically all boils down to comparing hashes until one matches.


    This is the reason why most websites can't email you your password if you forgot it. They just don't know it themselves. So all they can do is allow you to reset it or create a new password themselves for you. If a website actually CAN mail you your password: Don't use any important password there! Best: Stay away, they are acting completely careless.
    Last edited by Keex; Apr 10th, 2014 at 18:33:03.
    220 Agent + :: 220 Doctor + :: 220 Soldier + :: 220 Enforcer + :: 220 Bureaucrat + :: 217 Adventurer + :: 217 Trader + :: 159 Engineer :: 112 Fixer

    Inferno Travelguides

  14. #14
    Thank you for the thorough explanation Keex+Lucien. So in order to be able to do a brute force attack they have to obtain the hash containing the passwords first, right?

    Another question: If they manage to get the hash, how do they know which algorithm to use?
    Can't different algorithms at least in theory end up making the same hash from two different inputs?

  15. #15
    Quote Originally Posted by Lucien View Post
    5. Any password that you make should be LONG (ideally more than 10 characters!).
    I generate my passwords here, and store them in this.
    Would love to see AO support 64 char+ passwords.

    220s "Wakizaka", "Sneakygank", "Wakimango", "Wakisolja", "Tardersauce", "Bushwaki", "Midgetgank", "Bugfixxx", "Ramsbottom", "Paskadoc"
    200s Chrisd, Malema, Delbaeth
    TL5s Youfail, Bugfixx, Riothamus, Johndee

    Proud President of Haven | TL5 PvP


  16. #16
    Quote Originally Posted by Phatkeep View Post
    Thank you for the thorough explanation Keex+Lucien. So in order to be able to do a brute force attack they have to obtain the hash containing the passwords first, right?

    Another question: If they manage to get the hash, how do they know which algorithm to use?
    Can't different algorithms at least in theory end up making the same hash from two different inputs?
    If you want to crack passwords efficiently you usually get hash lists. You also have to think about the scope: Nobody is after YOUR password, they are after all the passwords on the site, and you may just fall in there. That means that they get a large list of hashes and if the company that stored them was careless and did not use further security measures (e.g. salt and pepper) then at least one individual is bound to have a bad password (refer to the top 500 bad passwords...). So if you throw your large list into your cracker program and you don't find at least a few passwords quickly, then there's a good chance that maybe your algorithm is wrong.

    About inter-algorithm collisions (made-up name): I think it's feasible that there are. But that doesn't really matter, because in the end you need to send the respective server the correct password. If I found the password "anarchy" that matched the stolen hash via SHA-0, and I type it into the login prompt, the webserver will still translate it for example with SHA-1 and will end up with another hash than what's stored in the database and reject your login.
    Collisions (meaning two phrases that result in the same hash) are only critical if they are found in the same algorithm as far as I know. For modern hash algorithms like SHA-256, no collisions have been found yet.
    220 Agent + :: 220 Doctor + :: 220 Soldier + :: 220 Enforcer + :: 220 Bureaucrat + :: 217 Adventurer + :: 217 Trader + :: 159 Engineer :: 112 Fixer

    Inferno Travelguides
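    The mechanism Keex describes in #13 and #16, as an added example that is not code from this thread or from Funcom: a constructed dump of unsalted SHA-1 hashes (sample accounts "alice", "bob", "carol" and the short wordlist are invented here), the one-hash-per-guess lookup that works against the whole dump at once, the "quick hits tell you the algorithm" heuristic, and, on the defender side, per-user salts with a slow KDF (PBKDF2 is assumed as the KDF; the site's real storage is not known from the thread).

```python
import hashlib
import secrets

# Constructed "leaked" hash list: unsalted SHA-1, the kind of storage the thread calls careless.
# Sample accounts invented for this example, not real data.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"password").hexdigest(),
    "bob":   hashlib.sha1(b"anarchy").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),  # long, not in the list
}

# Tiny stand-in for a "top 500 bad passwords" list (constructed).
WORDLIST = ["123456", "password", "qwerty", "letmein", "anarchy", "dragon"]


def crack_unsalted(leaked: dict, wordlist, algo: str = "sha1") -> dict:
    """Without a salt, hashing each candidate ONCE tests it against every user in the dump:
    build hash -> word for the wordlist, then look every leaked hash up."""
    lookup = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def guess_algorithm(leaked: dict, wordlist, candidates=("md5", "sha1", "sha256")) -> str:
    """Keex's heuristic from #16: the algorithm that yields quick hits on a weak-password
    list is probably the one the site used; the wrong algorithm finds nothing."""
    hits = {algo: len(crack_unsalted(leaked, wordlist, algo)) for algo in candidates}
    return max(hits, key=hits.get)


# Defender side: a random per-user salt plus a deliberately slow KDF. The same password
# now produces a different stored value for every user, so one guess no longer tests the
# whole dump, and every guess costs `iterations` hash computations instead of one.
def store_password(password: str, iterations: int = 100_000) -> tuple:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)  # constant-time comparison


def salted_storage_differs(password: str = "password") -> bool:
    """Two users with the identical weak password get unrelated stored digests, yet both verify."""
    salt1, digest1 = store_password(password)
    salt2, digest2 = store_password(password)
    return (digest1 != digest2
            and verify_password(password, salt1, digest1)
            and verify_password(password, salt2, digest2))


if __name__ == "__main__":
    print("unsalted dump, recovered:", crack_unsalted(LEAKED_SHA1, WORDLIST))
    print("algorithm guess:", guess_algorithm(LEAKED_SHA1, WORDLIST))
    print("salted digests differ for same password:", salted_storage_differs())
```

    The long passphrase ("carol") survives the wordlist lookup even unsalted, which is the length point from the original post; the salted form makes even the weak entries cost a full KDF per user per guess.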

  17. #17
    Ty again keex. Now please explain why my puter freezes when I play certain youtube videos. :>

    But only if I have the nvidia driver installed. Works without it. Happens in both ie and chrome.

  18. #18
    My problem is that I have 8 accounts. After accessing 5 of them from the same IP address to change my e-mail address it stops me from going in and changing any more. I am still trying to change e-mail addresses on 3 accounts and the register site tells me I am using the wrong password. This is frustrating and I want to know what can be done about it. As it stands I still have 3 accounts with the wrong e-mail address because of this. Now if I want to change passwords on all my accounts which I do I will not be able to.

  19. #19
    Gunforhire, that sounds like an issue you would be best to take up with the Accounts and Billing services. You can contact them using live chat by going to this link and clicking the 'Live Chat' button at the bottom of the page. Additionally, you can contact their support department directly by sending an email to 'support@funcom.com'.

    --------------------------------------------------------------------------------------------------------

    Keex is basically spot on with their analysis of storing passwords. What fascinates me most about this whole situation is how long the 'bug' has been in circulation. According to sources, the bug was first introduced in 2011, and was known in mid 2012.

    Due to the nature of the 'bug', the information that an attacker could take from a server was 'random' in that the application running it chose what to display, even if it did so according to a set of pre-defined rules. That said, the issue is such a big one because the attack could theoretically be repeated very easily, and very quickly, resulting in an exponential increase in threat levels.

    Returning to the topic of password storage and security, few people realise the potential consequences for poorly maintaining these aspects of security. Take the large software company Adobe, as a case in point. Recently, Adobe Systems Inc. was 'hacked' and had a significant portion of their database, and the source code to a handful of their programs, stolen. While the theft of this data on its own was a huge cause for concern, Adobe were also well behind on the password security front.

    Currently, salted hashes are touted as the 'best' way to store passwords, with a standard hash and no salt following down the chain of weakening security. Adobe went one step further, forsaking hashes altogether, and simply leaving their passwords 'encrypted'. The result of this: 150,000,000 or 150 million compromised accounts. The point I'm trying to make here is that too many people put too much trust in these large corporations to protect their online credentials, when in actual fact many of them are incredibly vulnerable and we may not even be aware. Adobe Systems Inc. are the makers of huge programs like Photoshop, for those who are unaware.

    Here is another example, although I admit it is a bit of a detour, it is still relevant: This is well worth the read, and highlights just how vulnerable those of us who work, think and live on the internet actually are. To summarise the link, the owner of the Twitter handle '@N' was extorted out of his account by an attacker who was able to change the ownership of his account. The attacker did this by phoning PayPal, posing as the legitimate owner of the account, and saying he couldn't remember his credit card number. PayPal willingly told him the last 4 digits of the credit card they had stored in their system. The attacker then took these 4 digits and used them as authentication on other websites to facilitate the attack. Note here that PayPal, one of the largest and most trusted financial transaction companies in the western world, lacks enough security to prevent a basic attack such as this one.

    While it is easy enough to point fingers at these companies, these corporations, these 'other people', at the end of the day the security of your accounts and of your information is primarily your responsibility. To limit the effectiveness of any attacks against you is actually fairly simple, and Lucien covered a number of the better ways to do so in his original post:

    • Maintain unique lengthy passwords
    • Do not allow websites to store your credit card information
    • Ensure you always have a plan B


    When creating strong passwords, I always refer to this very useful cartoon to highlight that not all strong passwords must be difficult to remember. (Note: Do not use 'Correct Horse Battery Staple' as your password)

    In the later example about the Twitter handle, that situation could have been avoided if the target had not stored his credit card information on his PayPal account. Now, PayPal is a bit of a pain, in that if you make a purchase using a card, via your account, the card details are automatically saved. Setting aside my own personal disagreements with this practice, it is possible to make PayPal payments without using an account, although the process is more convoluted.

    Thirdly, the plan B, using Gmail as an example: Gmail as an email provider offers you the ability to print off hard copies of 'backup' codes, codes that can be used to restore access to your email account should it become compromised. This is in addition to linking a cell phone to your account for additional security. Other plan Bs are things like authenticators, machines that continuously rotate through codes that can control access to your account. World of Warcraft, Star Wars: The Old Republic and numerous banks employ this technology as an additional fail-safe.

    Now that I've said far too much, I'll just leave you with this:

    TL;DR:
    Your security is primarily your own concern; do not leave the safety of your digital life up to anyone else.

    Thanks for reading.
    -Trony-
    Doctrony - 220/30 Doctor
    Neurix - 100/10 Nano-Technician

    "The best of leaders when the job is done, when the task is
    accomplished, the people will say we have done it ourselves"
    - Lao Tzu

  20. #20
    Gmail also has a security token app for at least Android.

    What is needed is to remember that not all sites are as critical. The most critical account is your email, next is any payment provider and then those online shops where you have stored your payment details. Also some things like game accounts might have real value in some cases.

    The rest, like social media, can be used for data mining, so being careful of what information you share might be a good idea. And then there are things like these forums, which don't really matter compared to other sites.

    My point is, evaluate the risks and know where going the extra effort is worth your time and where getting compromised might be just a nuisance.
    Ekarona 220/30 Female Solitus Engineer, long term member of Northern Star and proper "poor" gimp.
    Ekaslave 220/low Female Solitus Trader, FLAT(TM) pricing TS, almost all can do!
    Ekaros almost there/almost there too Male Solitus Martial-Artist.
    Ekadv gimp/gimp Female Opifex Adventurer
