
Thread: Heartbleed Vulnerability and your Passwords

  1. #21
    Definitely true, Eka. The thing to remember is that nature's rules also apply here. Anyone attempting to gain something from you (like account details) is likely to take the path of least resistance.

    What is true for business can, to a lesser extent, be true elsewhere. Small businesses (fewer than 250 employees) are becoming increasingly popular targets amongst cybercriminals (source source). The recent compromise of Target's Point-Of-Sale (POS) systems is the perfect example of this. According to this, Target's systems were compromised using credentials belonging to a third party. It is therefore reasonable to assume that it was easier for the attackers to gain access to this third party company, and utilise their unrestricted access to Target's systems as a means of entry. This isn't the first time a smaller company has been used to take down a larger one, and it certainly won't be the last. As I mentioned above, the path of least resistance is to take the easiest road to accomplish your objective. If your objective was to hack Target, then apparently the easiest road to do that was to compromise the systems of the HVAC company they hired to monitor the temperatures inside their store. Why that company had unrestricted access to Target's payment systems is something you'll have to ask them. :P

    The point I'm trying to make is that while it's definitely a good idea to make sure everything of value has a unique set of login credentials, it's also a good idea to maintain some measure of protection even on the most basic of websites. You'd be surprised how much damage can be done by compromising a supposedly small website. By this I mean that if you know the website is throwaway, use a temporary email address and/or password; that way potential attackers cannot gain any information from a breach of these smaller and less well-defended websites.

    Cheers.
    -Trony-
    Doctrony - 220/30 Doctor
    Neurix - 100/10 Nano-Technician

    "The best of leaders when the job is done, when the task is
    accomplished, the people will say we have done it ourselves"
    - Lao Tzu

  2. #22


    TY Funcom for this information and warning
    Too bad it still happens too many times that people use a top-500 password or just use the same password everywhere they can.

    Quote Originally Posted by Wakizaka View Post
    I generate my passwords here, and store them in this.
    Would love to see AO support 64 char+ passwords.
    I also use Keepass, but I let keepass generate the passwords too.

    Also a nice bit of security is that you can use a keyfile in combination with a password to secure your password database.

    So again: KeePass Password Safe at http://keepass.info

  3. #23

  4. #24
    While we are at it: A thing I never understood was why there is a password length limit after all. It can't be storage space, because hashes always have the same length, no matter how long the input. It can't really be support, since password resets are automated anyways.

    Can anyone who has worked anywhere in Infosec or knows details explain to me, why many companies still have password length limits? Battle.N*T for example allows only 16 chars. My university only recently graciously upgraded from 8 (!!!) to 14 characters, which is still a joke.
    220 Agent + :: 220 Doctor + :: 220 Soldier + :: 220 Enforcer + :: 220 Bureaucrat + :: 217 Adventurer + :: 217 Trader + :: 159 Engineer :: 112 Fixer

    Inferno Travelguides

  5. #25

    Funcom employee

    Quote Originally Posted by Keex View Post
    While we are at it: A thing I never understood was why there is a password length limit after all. It can't be storage space, because hashes always have the same length, no matter how long the input. It can't really be support, since password resets are automated anyways.
    One of the important things with security is that everything should have a limit, min/max length, valid characters, validation regular expression etc. Many of these things are left over from decisions taken many years ago.

    It can be down to all sorts of things, some places are still using crypt for example. Crypt only actually uses the first 8 characters of any password.

    It may also be down to the length of the password field in the database. I've seen some sites that actually cut off your password due to database field length and front end validation being different.

    Whether the reason is good or not is debatable.
    A Genuine Lucien - Accept No Substitutes

  6. #26

    Funcom employee

    Quote Originally Posted by schloops View Post
    Any plans on using ssl for all your pages and deploying Perfect Forward Secrecy
    The register site and item store already support PFS. The other sites don't, and would need a fair amount of work to support it.

    We should really have SSL on the forums. I will look at that next week.
    A Genuine Lucien - Accept No Substitutes

  7. #27
    Quote Originally Posted by Lucien View Post
    One of the important things with security is that everything should have a limit, min/max length, valid characters, validation regular expression etc. Many of these things are left over from decisions taken many years ago.

    It can be down to all sorts of things, some places are still using crypt for example. Crypt only actually uses the first 8 characters of any password.

    It may also be down to the length of the password field in the database. I've seen some sites that actually cut off your password due to database field length and front end validation being different.

    Whether the reason is good or not is debatable.
    For games, I do see that at one point 20 characters was considered reasonable and there is probably a custom protocol in use for login...

    Someone still stores passwords as plain text in a database? That is very bad practice if you use off-the-shelf technologies like SQL and don't do your other work 100% right...
    Ekarona 220/30 Female Solitus Engineer, long term member of Northern Star and proper "poor" gimp.
    Ekaslave 220/low Female Solitus Trader, FLAT(TM) pricing TS, almost all can do!
    Ekaros almost there/almost there too Male Solitus Martial-Artist.
    Ekadv gimp/gimp Female Opifex Adventurer

  8. #28
    Some very good information. I am very pleased at the way this was handled.

    This is a strip from XKCD about the heartbleed bug.
    http://xkcd.com/1354/
    DROP TABLE AO.Secret_Nerf_Table

    AOSpeak Site
    Join AOSpeak, the Anarchy Online Teamspeak 3 server!
    Send /tell speak help for more information.

  9. #29
    Quote Originally Posted by Lucien View Post
    The register site and item store already support PFS. The other sites don't, and would need a fair amount of work to support it.

    We should really have SSL on the forums. I will look at that next week.
    O.o good job on already supporting PFS for the most critical parts.
    I agree on ssl for the forums.

    Thx for your answer .
    There is no problem that an absence of solution couldn't solve

    Wielder of the "IWin" button.

  10. #30
    Thanks for this info Lucien, very clear and helpful
    ALTS: Alienhunter, Moonglum, Quellist, Quellcrist, Jesharet

  11. #31
    Quote Originally Posted by Lucien View Post
    It may also be down to the length of the password field in the database. I've seen some sites that actually cut off your password due to database field length and front end validation being different.
    I hope not, as that would mean the password was stored in plain text. A hash always returns a fixed length. For example MD5 is 128 bit, 16 bytes, or 32 hexadecimal characters, regardless of what data you throw at it. MD5 (and sha*) is discouraged for passwords though, as it's a fast hashing algorithm. You want a slow algorithm when hashing passwords, to make it as expensive as possible to guess.

    I believe the limit of scrypt ("the" recommended password hashing library) is 64 characters per password, simply because allowing more than this would make it easy to overload the server doing the computation.
    ::: My Tools & Stuff :::
    ::: Cratine Savagedheals Enfine Zoewrangle Demoder :: Solitron Demotionform :: IRC Demoder Savagedlight :::
    ::: AOItems :: Blog :: CIDB :: HelpBot :: ItemsBot :: PlanetMap Viewer :: Tower Wars :: Twitter :::
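The two failure modes raised in #25 (crypt only using the first 8 characters, and a database column silently truncating the secret) and the fixed-length, length-capped slow hash advocated in #31, side by side in an added Python example (constructed for this thread, not code from Funcom or any poster). `legacy_crypt_like`, `store_truncating`, `hash_password` and the constants are assumed names; the legacy scheme is a toy stand-in that only reproduces the 8-character behaviour.

```python
import hashlib
import hmac

# Constructed example: contrasts a crypt(3)-style scheme (only the first
# 8 characters matter) and a silently truncating DB column with a
# fixed-length scrypt hash that rejects over-long input instead of cutting it.

MAX_PASSWORD_LEN = 64     # explicit upper bound, as discussed for scrypt
LEGACY_PREFIX_LEN = 8     # classic crypt(3) only looks at 8 characters


def legacy_crypt_like(password: str) -> str:
    """Toy stand-in for crypt(3) behaviour: ignores everything past 8 chars."""
    effective = password[:LEGACY_PREFIX_LEN]
    return hashlib.sha256(effective.encode()).hexdigest()


def legacy_prefix_collision(a: str, b: str) -> bool:
    """True when two different passwords verify identically under the legacy scheme."""
    return a != b and legacy_crypt_like(a) == legacy_crypt_like(b)


def store_truncating(password: str, column_len: int = 12) -> str:
    """Models a DB column that silently truncates whatever is written to it."""
    return password[:column_len]


def hash_password(password: str, salt: bytes) -> bytes:
    """Fixed 32-byte scrypt output; over-long input is rejected, never truncated."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password exceeds %d characters" % MAX_PASSWORD_LEN)
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison; a rejected (too long) candidate simply fails."""
    try:
        candidate = hash_password(password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)
```

Whatever the input length, `hash_password` returns 32 bytes, so a column sized for the hash never truncates; the legacy helpers show why a prefix-only scheme lets two different passwords log in as the same user.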

  12. #32
    ......
    Last edited by Enforser; Apr 16th, 2014 at 01:13:39.

  13. #33
    Enforser, as much as I dislike being 'that guy' I can't help but feel like you would make better headway with that issue by contacting Funcom's support team. From personal experience I can tell you that many of them will go out of their way to help you, even if some make a few mistakes or get a bit confused along the way; we're all human after all.

    The point being that when you come to the forums as you have, posting stories and accusations that may or may not be accurate, you achieve very little from your efforts. In no way do I mean to demean you, I only wish to highlight the fact that most of the people who read these forums are intelligent enough to realise that we're only getting a truncated version of your half of the story, rather than the whole picture. Account related grievance topics are (in my humble opinion) not forum material, and as I mentioned earlier you're likely to make more progress elsewhere.

    Thanks for understanding, and best of luck in resolving your issue.
    -Trony-
    Doctrony - 220/30 Doctor
    Neurix - 100/10 Nano-Technician

    "The best of leaders when the job is done, when the task is
    accomplished, the people will say we have done it ourselves"
    - Lao Tzu

  14. #34
    ......
    Last edited by Enforser; Apr 16th, 2014 at 01:13:30.

  15. #35

    Funcom employee

    Quote Originally Posted by Lucien View Post
    We should really have SSL on the forums. I will look at that next week.
    And now we do, https://forums.anarchy-online.com

    I still need to do some fixing on assets that are being served from the cdn via http but the actual page submissions etc are done via https.
    A Genuine Lucien - Accept No Substitutes

  16. #36
    Quote Originally Posted by Lucien View Post
    And now we do, https://forums.anarchy-online.com

    I still need to do some fixing on assets that are being served from the cdn via http but the actual page submissions etc are done via https.
    Nice!
    keep smiling
    Najade s, Najengi s, Najngi s, Najmp s, Shadysannz, Toccata, Frobos, Chaodoc, Najcrat, Najtank
    sannz - ENL - NR01-GOLF-11
    a time of changing has begun; the leaves are fallen and undone; inside my spirit starts to run; and all my fears are overcome. - Chiasm, Rewind, 2005

  17. #37
    Quote Originally Posted by Lucien View Post
    And now we do, https://forums.anarchy-online.com

    I still need to do some fixing on assets that are being served from the cdn via http but the actual page submissions etc are done via https.
    Too bad it isn't for proper forum address: forums.anarchyonline.com
    Ekarona 220/30 Female Solitus Engineer, long term member of Northern Star and proper "poor" gimp.
    Ekaslave 220/low Female Solitus Trader, FLAT(TM) pricing TS, almost all can do!
    Ekaros almost there/almost there too Male Solitus Martial-Artist.
    Ekadv gimp/gimp Female Opifex Adventurer

  18. #38
    Quote Originally Posted by Ekarona View Post
    Too bad it isn't for proper forum address: forums.anarchyonline.com
    Don't believe these no-dash heretics. forums.anarchy-online.com is the bestest forum address.
    My posts are my own and do not reflect the views of my current nor former employers/clients

    Remco "Vhab" van Oosterhout
    Former Anarchy Online Game Programmer


    Live Chat Support | E-mail Support | Forum Rules | AODevs | Vha.Chat

  19. #39
    Quote Originally Posted by Ekarona View Post
    Too bad it isn't for proper forum address: forums.anarchyonline.com
    Still valid, as the alternate names list:
    DNS-Name=forums.ageofconan.com
    DNS-Name=www.forums.ageofconan.com
    DNS-Name=ctrack.funcom.com
    DNS-Name=ctrack.ageofconan.com
    DNS-Name=forums-tl.ageofconan.com
    DNS-Name=forums.anarchy-online.com
    DNS-Name=forums.thesecretworld.com
    DNS-Name=forums-tl.thesecretworld.com

    So yea, we're not the primary one, but we're good.
    keep smiling
    Najade s, Najengi s, Najngi s, Najmp s, Shadysannz, Toccata, Frobos, Chaodoc, Najcrat, Najtank
    sannz - ENL - NR01-GOLF-11
    a time of changing has begun; the leaves are fallen and undone; inside my spirit starts to run; and all my fears are overcome. - Chiasm, Rewind, 2005

  20. #40
    Now forums.anarchyonline.com redirects to forums.anarchy-online.com and breaks links in the process

    for example: http://forums.anarchyonline.com/forumdisplay.php?f=165
    redirects to a broken page: http://forums.anarchy-online.com/?f=165


    Also...
    https://forums.anarchyonline.com uses an invalid security certificate.
    zDD - a Damage/HEALS/Tanks/XP parser
    Quote Originally Posted by Vlain View Post
    yea...the best way to fix messed up game mechanics is by giving up item slots for new 'bug fix items'...like I said before, next we'll get the Staff of Pet Pathing and perhaps an Anti-LD Ring and how about some pants that make it so I don't get forced to autoface my opponent after casting a nano when I'm trying to run away...Combined Developer's Wear of Autoface Resistance, and maybe some new symbs with broken quest resistance, oh, and how could I forget the upgrade to the scuba gear that adds Rubberbanding Resistance...
