By Jim Rossignol on June 9th, 2012 at 11:06 am.

PC Gamer have spied that LoL are sounding the alarm, with player passwords and dates of birth having been grabbed. You know the drill, get in there and change your passwords/when you were born, etc.
09/06/2012 at 11:14 Joseph-Sulphur says:
The second link is broken, it links to the cover image.
09/06/2012 at 11:18 Jim Rossignol says:
Fixed.
09/06/2012 at 17:15 Randomer says:
I think it bears mentioning that the hack only seems to have affected EU West and EU Nordic & East databases. So if you are on the North America server, your password should be fine.
10/06/2012 at 01:09 ShineyBlueShoes says:
Though the way these things have gone with this sort of business recently it’s still prudent to change your password at least regardless of your region.
09/06/2012 at 11:16 Anthile says:
I really need a third hand for myself.
09/06/2012 at 11:41 Vorphalack says:
”Yo dawg we heard you like hands so we put a hand on your back so you can clap while you fap.”
Pimp my……self?
09/06/2012 at 11:17 CaspianRoach says:
I want to change when I was born in real life. Can I do that?
09/06/2012 at 11:25 Shortwave says:
No, don’t be such an idiot. Wow.
09/06/2012 at 11:32 shitflap says:
uhh, lay off the coffee chief, you’re clearly highly strung.
09/06/2012 at 11:51 Shortwave says:
I’z JK, it’s okay.
09/06/2012 at 12:06 asianhottie says:
Good one.
09/06/2012 at 14:35 Catsplosion says:
Haha. Oh wow.
09/06/2012 at 18:19 Snakejuice says:
+1
Troll of the day! :)
09/06/2012 at 23:59 Shortwave says:
That seemed like a good idea as I rolled out of bed with a spilled pipe all over me.
I think if you read it in the voice of Napoleon Dynamite it makes more sense.
Sorry for the confusion, ha. I wasn’t even trying to troll, I’m just a weird jerk.
09/06/2012 at 11:27 Carra says:
Sure, it’s called a fake ID.
09/06/2012 at 11:28 rei says:
Lying is easier though.
09/06/2012 at 13:22 caddyB says:
I’ve never done this before.
09/06/2012 at 11:43 Heliocentric says:
You need to fly around the world backwards at supersonic speeds, the government are trying to prohibit it though, that’s why they shut down Concorde planes.
09/06/2012 at 11:59 jon_hill987 says:
Actually you have to fly around the earth so fast it spins backwards. I saw it in this film one time.
09/06/2012 at 12:17 Muhu says:
I thought you only needed 88 mph for that.
09/06/2012 at 12:23 golem09 says:
Just make a wish to the universe, don’t know how long shipping is though. Depending on where you live it could take until your next life.
09/06/2012 at 12:31 NathanH says:
I did once see a document that said “if your name, sex or date of birth have changed, please inform…”
09/06/2012 at 17:05 Bhazor says:
I would like to get a new birthday but I think my mum would have something to say about it.
09/06/2012 at 19:09 InternetBatman says:
Crawl back in and come back out. It’s kinda messy though.
09/06/2012 at 11:27 Shortwave says:
This game has been out a really long time now yea?
Sort of crazy it took this long for an exploit such as this to appear.
I wonder if it was related to a recent patch.
09/06/2012 at 11:52 Namey says:
This kind of stuff generally has absolutely nothing to do with the game and its development. It’s not a game exploit, but rather a security breach in the servers/database that hold user information.
09/06/2012 at 15:02 Shortwave says:
Ah, I see. Thank you!
09/06/2012 at 11:28 Revisor says:
… and start using KeePass to generate and manage all your passwords. Really. It’s the best thing you can do for your online security this year.
http://www.keepass.info/
To answer your questions before you articulate them:
1. You can press a keyboard shortcut to autofill your password in any application. Not only browser, but file managers etc. as well.
2. It works on all platforms known to man. Win, Linux, iOS, you name it.
3. You can synchronize your password database across devices with Dropbox, Skydrive, GDrive and similar services. Very handy.
Instead of thanking me for changing your life, spread the password-manager-goodness further, to your friends and family.
Edit: Just checked, my RPS password has ~50 random 0-9a-Z chars. All ~200 passwords in the database are unique. And the best thing? It gets autofilled for me, I don’t have to do anything, remember anything, type anything.
As Solidstate89 says, you can also try LastPass, another password manager, this one online and for browsers. And there are more. It’s not important which one you choose, but start using that password manager right now.
I have experience with KeePass so that’s what I recommend.
09/06/2012 at 11:30 rei says:
I really should, considering how lazy I am with my passwords.
EDIT: yes, I was wondering about #3, thanks! :D
09/06/2012 at 11:56 stupid_mcgee says:
KeePass is great. I also highly recommend it. I have a few passwords that I remember for certain services, but the vast majority are random codes generated by KeePass. So very, very useful.
09/06/2012 at 12:48 somini says:
For added security, you can use SpiderOak as a Cloud Service, since it encrypts everything in your computer.
https://spideroak.com/download/referral/1762c2f9d2fed837be9c056767827fd6
Shameless referral for and added 1GB for both of us.
09/06/2012 at 12:57 Dana says:
Which won’t help you at all in such cases.
09/06/2012 at 13:05 Llewyn says:
The benefit of KeePass comes from simplifying the management of unique passwords; that is, helping you to ensure that the loss of your LoL password doesn’t compromise any other accounts you might have.
If you’re already using unique passwords for everything then you’re right that it doesn’t help at all. Otherwise it helps enormously.
09/06/2012 at 13:18 Dana says:
Hmm, that’s true. I use unique passwords for important services like bank account or game accounts. I use the same on sites of low importance, like Internet forums or other sites.
09/06/2012 at 14:33 Solidstate89 says:
Or you can use LastPass and it’ll sync between all of your browser instances in real-time. I can’t even imagine not using a Password manager anymore. Having a completely different password for every single website I have a sign-up for is a little calming. I think when the Bioware forums were hacked it didn’t bother me one bit because it was some 15-character long random jumble of letters, numbers and symbols that is completely unique to that one and only website.
There are dozens of password managers out there. I prefer LastPass, KeePass is another great option too. Basically, just pick one. It’s so easy to do you don’t have an excuse not to use one.
09/06/2012 at 14:42 LionsPhil says:
Or even just write them down in a little book. *OMINOUS THUNDERCLAP*
Anybody with physical access to your house has already completely outdone being able to say “penis” in your name on the Internet, especially if you let your browser save your less-important passwords for convenience anyway and they’ve made off with your valuable computer equipment. If it means you can choose stronger, unique passwords where network-exposed, a weakpoint in a known location with physical security may be an acceptable tradeoff. (It’s also more robust about some indie game quietly sneaking in a trojan that lies in wait for you to unlock your keychain.)
09/06/2012 at 15:05 Solidstate89 says:
Lastpass doesn’t store anything locally on your machine, that’s one of the differences between it and KeePass. It stores it on Lastpass’ servers and it’s encrypted client-side as well before it’s hashed and salted again on LastPass’ servers. They don’t know your password, and they can’t look at what you have because it’s been encrypted on both your side and server side.
Yes, if someone has your computer you’re already finished. But it wouldn’t do them any good as far as getting my passwords is concerned because it’s not stored on my computer.
09/06/2012 at 15:20 LionsPhil says:
In theory, your LastPass login could be keylogged.
In practice, sure, I’m not trying to deter people from using a password manager—I do. I do mean the “or” up there—do anything other than re-using passwords, or using crap ones, even if it means having to (HORRORS) write them down.
(But not in a shared office environment or anything, duh.)
09/06/2012 at 17:57 Solidstate89 says:
Well yeah sure, in theory it could have. I could also have been simultaneously infected with Flame and Stuxnet, but the point is nothing is ever truly secure, you just do whatever and everything you can to mitigate any possible attack vectors.
If you want to be 100% security, never connect to the internet and shut-off all of your USB ports in the BIOS so you couldn’t possibly mount any infected flash drives.
09/06/2012 at 17:16 mmalove says:
My concern with going this route, (IE my reasoning for not yet doing so), is that if KeyPass or whatever service I chose is compromised, it would have the same impact.
09/06/2012 at 17:55 Solidstate89 says:
It would be difficult for KeePass to be compromised given the fact it doesn’t run on any servers. It just encrypts all of your passwords locally and if you do want to share them, the easiest way is with a cloud sharing service like Skydrive or Dropbox.
LastPass has actually already had a security scare, but unlike every other company I’ve seen they actually handled it exactly how you should expect and because of that, it’s why I still use Lastpass.
Basically they noticed unusual traffic going to their servers. They couldn’t verify what it was so they went all President of Madagascar on it and literally shut everything down, disconnected all of their servers and forced everyone’s Lastpass browser installations into off-line mode. They then repaired whatever security flaw they had, re-hashed and re-salted every single password and had everyone change their master password that encrypts the passwords client side (on your computer) before it ever even reaches their servers.
They still haven’t actually been able to confirm whether it was a breach and whether they got anything. They believe they found it quick enough that they weren’t able to compromise any information, but they didn’t take that chance. They went into complete lockdown and that kind of act inspired some confidence in their service and it’s the only reason I’m still using LastPass instead of moving to a more off-line, less centralized manager like KeePass.
09/06/2012 at 22:11 LionsPhil says:
Nice.
09/06/2012 at 18:32 Ricc says:
KeePass is highly, highly recommended. Started using it when gaming services started to get hacked a lot more, like one or two years ago. (Maybe that’s just when it started to concern me. Anyways.) Now all my passwords are unique and I don’t have to remember them. Super useful.
10/06/2012 at 01:12 ShineyBlueShoes says:
Think I’ll check that out. Too bad it would completely screw me if I used it with my google account since my phone uses the same account.
10/06/2012 at 01:25 Revisor says:
I don’t know what phone you have, but there are apps on iOS as well as Android.
As for iOS I recommend KyPass.
I synchronize the password database with Dropbox, it’s free and effortless.
Go for it!
09/06/2012 at 11:33 DiamondDog says:
What I want to know is, now that half the world has my name, address and date of birth due to constant hacks, why don’t I get more birthday cards?
09/06/2012 at 11:38 grundus says:
I think all the offers of free iPads and gift vouchers sent to your email is their way of expressing their love.
09/06/2012 at 11:47 Njordsk says:
Though those “size-increaser” offers are starting to get me worried, I don’t recall giving my thingy size on any site.
Might have been drunk though
09/06/2012 at 12:03 Sleepymatt says:
.. should probably expect some “cure your brewer’s droop” emails too then ;p
09/06/2012 at 12:04 LionsPhil says:
Google Plus was able to infer it from some of your web searches.
09/06/2012 at 11:56 Namey says:
My strictly no-nonsense email is getting constant spam these days, and I never use it for anything remotely shady. It has been a part of a mass user information leak before, though. I wouldn’t be surprised if that’s why I keep getting spam in it.
09/06/2012 at 11:43 celozzip says:
wtf is league of legends?
09/06/2012 at 11:55 Ringwraith says:
A rather addictive competitive multiplayer DotA-like (sorry, MOBA), game with a bunch of dross disguising itself as a community at the lowest rung.
09/06/2012 at 11:58 Vicho says:
Yes nothing like being raged at by an 8 year old because you failed to press XYZ at precisely the right time and in the right order.
09/06/2012 at 12:11 DiamondDog says:
XYZ buttons don’t do anything in League of Legends you idiot GOD WHAT IS WRONG WITH YOU! F**K NOOB C**T!
**** ****.
****.
09/06/2012 at 12:01 dE says:
A community that has stepped up to the challenge of proving that it is in fact possible to be worse still than those of Counter-strike or Call of Duty. League of Legends for instance has a rather nasty streak of bigotry and racism.
It’s curious though that the MOBA Games have slightly different communities – yet each is total arse.
09/06/2012 at 12:18 The Great Wayne says:
Well, actually it’s in no way curious.
The moba genre promotes that, for a loss on one side is doubly beneficial to the other team (you hamper the enemy, and you gain gold/xp).
Therefore, a bad player or a careless one is really dragging the whole team down, on so many levels it’s silly. Therefore causing rage, etc. Also the fact that a game can play along 45mins – 1 hour, and that you mostly only gain points if you win are a real bummer if your game is ruined by one of your own teammates.
In short: specific environment creates specific behaviour. That said, while I agree that MOBA communities are awful, LoL rly isn’t the worst. DOTA / HoN, I’m looking at you.
09/06/2012 at 12:22 LionsPhil says:
It sounds like they took everything that’s wrong with PVP RTS play against anyone you can’t laugh with and doubled the intensity.
09/06/2012 at 14:27 dE says:
Yes, I’ve heard TBs theory.
The mechanics are only part of the problem though. The by far bigger influence are the unwritten rules of each specific community, those that govern what’s acceptable and encouraged behavior and what’s shunned and rejected.
Quick example:
Quake 3 – Modding your game to the max? Go for it, it’s cool.
Counter-Strike – Having a custom weapon model? Banworthy.
As such, while the mechanics of MOBAs promote a certain kind of rage, it’s the community as a whole that sanctions and encourages bad behaviour.
11/06/2012 at 10:59 Milky1985 says:
DOTA is only worse cause of the elitism that comes with the game being harder to pick up than lol, there are a lot more mechanics that you need to use and sod all training (and less people who are willing to accept noobs (for once the legitimate use of the phrase, the new player)).
Because of that elitism you have the terrible behaviour with the attitude behind it as well :/
09/06/2012 at 12:18 EPICTHEFAIL says:
Heroes of Newerth says hi, ***** ***** ************.
09/06/2012 at 17:05 Joshua Northey says:
This, and to be a complete snot, the age/intellect of those it attracts. Many of the MOBA games I have seen as mods of other games are the haven of the least mature, least sophisticated portion of the player-base. 13 year olds just are not very well mannered generally, put them behind the great anonymous internet shield and they turn into little more than gibbering monkeys.
09/06/2012 at 12:01 jon_hill987 says:
http://www.youtube.com/watch?v=Z_78J6FEouM
09/06/2012 at 12:12 Yuri says:
When asked about any primarily multiplayer game, every community is “the worst”.
Call of Duty, Heroes of Newerth, DotA, Battlefield, etc. No exceptions, each and every one of them is “the worst”.
Solution to the problem: play with friends. That’s what its meant for anyway.
Also, LoL currently has 12 million players and continues to get regular updates every 2 weeks with new playable champions and constant improvements.
It’s actually one of the best F2P games out there. I wouldn’t say “the” best, since TF2 exists.
But alas, it’s close enough, offering an insane amount of entertainment.
Also, the competitive scene for LoL is enormous. Makes me wonder why RPS don’t exactly report anything about LoL. This is the first news post about it that I’ve seen on this site.
09/06/2012 at 12:20 LionsPhil says:
I dunno, I’ve had plenty of OK randoms and semi-randoms in plenty of games. The old Alien Swarm for UT2004, TFC, TF2 (admittedly on selective servers), Altitude, Red Alert: A Path Beyond…you get the odd complete bell-end, but the community in general can manage to just play the game and be pleasant enough. Possibly helps that all but the “selective server” one up there are less than completely mainstream, but I’m not about to call TFC “niche” either.
Meanwhile anything involving Counterstrike is a toxic hole.
09/06/2012 at 12:28 Jay says:
‘When asked about any primarily multiplayer game, every community is “the worst”.
Call of Duty, Heroes of Newerth, DotA, Battlefield, etc. No exceptions, each and every one of them is “the worst”.’
Used to be, maybe. I think it’s pretty much universally agreed these days that DOTA-likes ran away with the crown some time ago. Though to be fair, I think LoL’s considered one of the friendlier ones. If only because HoN seems to have set some kind of strange new benchmark in hostility.
09/06/2012 at 16:36 Reefpirate says:
Probably because HoN is still clinging to a sense of relevance.
09/06/2012 at 22:41 Psychopomp says:
It has a lot to do with the fact that the HON devs are almost unanimously the raging douchebag DOTA stereotype. Why would they punish the guys who respond to “hi, I’m new. Any advice?” with “OMG NOOB KILL YOURSELF” when they *agree* with them?
09/06/2012 at 13:06 Spengbab says:
No, just no. Played plenty of multiplayer games, the MoBA stuff has got the worst dregs of them all, or maybe those games just bring out the worst in players.
09/06/2012 at 14:14 Hoaxfish says:
As someone who doesn’t really play any of them… dota/moba games definitely come across as the ones most talked about in regards to how terrible the communities are.
09/06/2012 at 18:05 Strangerator says:
MUDs have good communities for a few simple reasons…
1. No graphics – so they require imagination
2. Lots of reading and highly complex systems
3. Newbies coming in who express “modern sensibilities” tend to be shunned by the community, and quickly quit.
All of these things drive the average player age upward, and make for a far more reasonable community… though of course there is always “that guy”.
I guess another important factor is the typically small playerbase, making the community more tightly-knit.
09/06/2012 at 23:39 FunkyBadger3 says:
All that’s true, but it in no way dissipates the chance of them being control-freaks and/or maniacs. In fact, the smallness and close-knittedness positively encourages it…
09/06/2012 at 18:17 LintMan says:
“When asked about any primarily multiplayer game, every community is “the worst”.
Call of Duty, Heroes of Newerth, DotA, Battlefield, etc. No exceptions, each and every one of them is “the worst”.”
That’s not really true. While you’ll find jackasses everywhere online, there were and are plenty of multiplayer communities that don’t have that sort of overall bad rap. I’m not online much anymore, but Team Fortress Classic had a really great community, IMHO. And there’s plenty of other multiplayer games you don’t hear so many community complaints about and don’t seem to have such a bad reputation. I haven’t played Diablo 3, but D2 had a decent community, and I’d guess D3 is the same (notwithstanding the network problem outrage).
The games with the bad rep seem mostly to be either MOBA games, the big multiplatform shooters, or fighting games. But even among those, the only ones where the developers are constantly being asked how they will address the problems of having a terrible community are the MOBA games.
09/06/2012 at 11:45 Jon says:
“11 passwords were shared by over 10,000 players each”. – Come on people, that’s just asking for trouble.
09/06/2012 at 12:05 jon_hill987 says:
“This is a free to play game I’m going to use “qwerty” as I don’t really care and am not going to spend cash on it” were probably their thoughts.
09/06/2012 at 12:38 gwathdring says:
I do that, sometimes. Because, if I really don’t give a crap about the account … why waste the time creating a new safe password or mimic a password from a service I do care about? All of my passwords are unique except for my passwords for these sorts of accounts. If I change my mind and really become an active member of one of these website communities or of the FTP game or whatever the account is for, I change my password accordingly.
That way I only have to remember one password for all the throwaway crap and I don’t have to pore through cryptic clues on an encrypted drive to figure out what the password is. I could use a password generator, but I like this method for now. Decent, unique passwords for stuff like RPS, the same crap password for stuff like Fileplanet, and randomly generated passwords for anything with financials attached.
09/06/2012 at 11:52 MeestaNob says:
RPS staff: Were there any further developments regarding the server intrusion reported on Steam a few months ago?
09/06/2012 at 11:57 LionsPhil says:
IIRC, that was only their forums?
(And, seriously, props to them for keeping separate systems separate, and not swallowing the whole “single federated sign-on so we can track people across the web” thing. Gabe knows what his business is, and it’s selling games, not selling his users to marketing* like every free social platform, at least.)
* This is not the same as saying that Valve never release aggregate info about game popularity or opt-in hardware surveys.
09/06/2012 at 12:00 0positivo says:
oh wow, I got an email about it, but I trashed automatically thinking it was phishing. Damn
09/06/2012 at 12:08 mr.ioes says:
last.fm, linkedin, eharmony, league of legends. Who’s next? rockpapershotgun?
“Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking. ”
Why don’t they force people then to make good passwords? Other services do that too … why not all?
09/06/2012 at 12:16 LionsPhil says:
Might also mean that they’re not salting them.
09/06/2012 at 12:22 Unaco says:
Who’s next? rockpapershotgun?
Happened already. In January.
09/06/2012 at 18:10 Jay says:
Wasn’t that the joke?
09/06/2012 at 12:32 hemmingjay says:
Did the hack only affect EU? No news about it on the NA LoL site.
09/06/2012 at 12:40 Belsameth says:
And, let me guess, they didn’t bother to use a salted hash… because, obviously, hacks like this only happen with others so why bother…
09/06/2012 at 12:45 Captchist says:
Was wondering this myself:
“We store passwords in encrypted form” – says to me, we use salted hashes, and we do multiple hashes. That’s what encrypting a password is.
But then they say: “Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking.”
The simplicity of the password is NOT an issue if you are salting your hashes. So clearly they ballsed up somewhere and either they don’t salt, or the salt got stolen in the hash too. How do companies manage to screw this stuff up every day…
09/06/2012 at 12:56 Llewyn says:
Nonsense, simplicity of passwords is absolutely an issue. You have to assume, if the database containing the hash has been compromised, that the methods used to generate that hash have also been compromised. Therefore your assailant can generate a dictionary of hashes from their dictionary of common passwords and match that against the hashes retrieved from the databases. For the thousands that match he can be effectively certain that he now has the original passwords used.
Salting and hashing are not a substitute for using strong passwords.
09/06/2012 at 13:08 LionsPhil says:
If you’re not using a published, proven cryptographic hash function, but something you came up with in the shower and think you need to keep secret, you’ve failed already.
The very point of salt is to render that impractical by bulking the grouped instances of “passw0rd” into distinct “passw0rdABCDE” and “passw0rdFGHIJ” and so on. You have to go for slower one-by-one brute-forcing.
09/06/2012 at 13:14 Captchist says:
Well and to clarify that. Salting doesn’t necessarily mean padding.
Typically you would do the following:
Take “passw0rd”
Pad it out to a set length:
“passw0rdasdfghjkl”
Then salt it. I.e. use some pseudo random data to twist the password:
“passw0rdasdfghjkl” combined with “39dfs@G4t’tsdgfhsdf934rn” to give you some amalgamation of that password which now looks like gibberish:
“fde3r’gre’t450gaa@CV~@XC}}”
Then you hash THIS password using a well known and respected hash (i.e. not MD5)
To get a password hash:
“oirj2309r09f0we-f9dfsf324u9u120-u2n” and then you store THAT.
This method works regardless of how simple the password is so long as you don’t lose the salt in the attack.
The only time the simpleness of the password is a risk is if:
1. People are just trying random passwords to login – they might guess yours
But this doesn’t need people to hack in to Riot, it just needs somebody to start guessing. You can do this any time.
2. You don’t pad and salt your passwords before you hash them and an attacker steals the hashed passwords. Then they can look for common hashes which represent common passwords. For example “passw0rd” would always hash to “xyzab220-0” so any time they see that they can guess it might be “passw0rd”
3. You do pad and salt, but the attacker stole the salt in the attack as well. You shouldn’t be storing your salt and your hashes in the same place. They should be in securely distinct places.
09/06/2012 at 13:21 Llewyn says:
@Captchist: Yes, assuming you’ve not lost the salt. But it’s ridiculously naive to assume that if you’ve lost the hashes because of other security failings.
09/06/2012 at 13:31 LionsPhil says:
Even if the attacker has the salts and the hashes, they still have a tougher time of it than if the passwords were unsalted, since the thousand accounts that all used “passw0rd” won’t have the same hash, and rather than being able to build a mapping like this, and looking up hashes in it backwards (for which there are clever optimizations):
“passw0rd” – > 1234
“qwerty” -> 5678
You’ve got this (still going for concatenating salts for simplicity of demonstration):
“passw0rdABCDE” -> 9375
“passw0rdFGHJI” -> 2086
“qwertyABCDE” -> 1997
“qwertyFGHJI” -> 5733
So it really, really bloats up the size of lookup table you’d need: more working memory required, more hashes to compute (and they’re designed to ideally not be particularly fast).
In practice you get a lot of benefit even if the salt is stored with the hash.
09/06/2012 at 13:45 Llewyn says:
@LionsPhil: I didn’t at any point claim that proper salting is not providing a significant benefit. What I said was that it wasn’t a substitute for strong passwords. It absolutely isn’t.
Once you’ve been completely compromised any password which can be discovered via a dictionary attack can still be recovered from the salted hash, it ‘merely’ takes in this case 12 million times as many hashing calculations to retrieve them as it otherwise would. It’s not trivial but it’s not security.
As an aside, why would there be any significant increase in working memory requirements? Each hash calculation is an independent process.
09/06/2012 at 14:58 LionsPhil says:
I was actually replying to Captchist, but:
If you’re going to hash them one at a time (which is what salt basically forces), you’re going to be there a while. Without salt, you can, in feasible amounts of storage, pre-process a lot of that, and look up passwords much more quickly. It is an optimisation—as is a dictionary attack. Using non-dictionary words may stop someone finding your password in such a shortlist, but given “merely” more time, they can still step through every possible representation of characters up to the maximum password length, and they will get yours.
Almost all security is a question of time to break; there is no “perfect” passwording. One-time-pad is the only exception for encryption; I’m not sure offhand if there’s an information-theoretically secure partner for authentication.
This is why it tends to be a bit of an arms race, after all; it’s not just flaws being found with old algorithms that let corners be cut, it’s also that things like secure hashes have to be made more computationally expensive to keep up with greater amounts of affordable processing power. This is why tunably-slow hashes like bcrypt exist. (See also.)
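An added example, not from the original post or any of the commenters, that runs the argument in LionsPhil’s and Captchist’s comments above as code: a constructed user table with several users sharing weak passwords, stored first as plain SHA-256 and then as per-user salted PBKDF2 (the tunably slow kind of hash the comment above refers to, used here in place of bcrypt since it is in Python’s standard library). The sample users, passwords and attacker dictionary are constructed for the demonstration; the iteration count is an assumption, not a recommendation from the page.

```python
import hashlib
import hmac
import os

# Constructed sample user table: four users share two weak passwords,
# one user has a passphrase that is not in the attacker's dictionary.
USERS = {
    "alice": "passw0rd",
    "bob": "passw0rd",
    "carol": "qwerty",
    "dave": "qwerty",
    "erin": "correct horse battery staple",
}

# Constructed attacker dictionary of common passwords.
COMMON_PASSWORDS = ["123456", "password", "passw0rd", "qwerty", "letmein"]

# Work factor for the slow hash; an assumed value for the demo, tune upward
# as hardware gets faster (the "arms race" the comment describes).
ITERATIONS = 100_000


def unsalted_hash(password):
    """Plain SHA-256: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_unsalted(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def precomputed_table(dictionary):
    """Attacker's lookup table: one hash per dictionary word, computed once
    and reusable against every unsalted database ever leaked."""
    return {unsalted_hash(pw): pw for pw in dictionary}


def crack_unsalted(stored, table):
    """A leaked unsalted database is cracked by dictionary lookup alone."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_hash(password, salt, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow, iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(users):
    """Store (salt, digest) per user; the salt sits beside the hash, as in
    a UNIX shadow file, so assume the attacker gets both."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt))
    return records


def crack_salted(records, dictionary):
    """With salts leaked the table is useless: every (user, guess) pair costs
    a fresh slow hash. Returns (recovered passwords, number of hashes computed)."""
    found, work = {}, 0
    for user, (salt, digest) in records.items():
        for guess in dictionary:
            work += 1
            if hmac.compare_digest(salted_hash(guess, salt), digest):
                found[user] = guess
                break
    return found, work


def verify(records, user, password):
    """Legitimate login: one slow hash, constant-time comparison."""
    salt, digest = records[user]
    return hmac.compare_digest(salted_hash(password, salt), digest)


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("alice and bob share a digest:", plain["alice"] == plain["bob"])
    print("unsalted, cracked by lookup:", crack_unsalted(plain, precomputed_table(COMMON_PASSWORDS)))

    salted = store_salted(USERS)
    print("alice and bob share a digest:", salted["alice"][1] == salted["bob"][1])
    found, work = crack_salted(salted, COMMON_PASSWORDS)
    print("salted, cracked one at a time:", found, "after", work, "slow hashes")
    print("login check for alice:", verify(salted, "alice", "passw0rd"))
```

Note what the two runs show: unsalted, the attacker builds five hashes once and recovers every weak password by lookup, and the two users with the same password are visibly the same; salted, no two digests match and every user costs the attacker a separate pass through the dictionary at the full iteration cost, which is Llewyn’s point that salt multiplies the work by the number of users but does not save a dictionary password, and LionsPhil’s point that the multiplier is still worth having. The passphrase that is not in the dictionary survives both runs.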
09/06/2012 at 13:18 Captchist says:
“Salting and hashing are not a substitute for using strong passwords.”
You are absolutely correct, but for a slightly different reason.
You should use a strong password so people don’t guess it.
When it comes to people stealing passwords however what is important is not the strength of the password, it’s the strength of the hashing and salting process.
09/06/2012 at 13:39 Llewyn says:
You’re making the assumption that the salt hasn’t been lost. That’s a deeply flawed assumption. Once the salt’s been lost all the salting and hashing do for you is buy time by increasing the number of hashing calculations required by the number of users you have, and hopefully requiring a relatively significant amount of computation per calculation.
100bn hashes are not a trivial thing to generate, but that’s not providing any significant level of security. Which leads us back to salting and hashing not being substitutes for strong passwords.
09/06/2012 at 14:23 Captchist says:
I’m making the assumption the salt hasn’t been lost because if you do it right you store your salt and you store your hashed passwords in different places with different security. If they haven’t done that, they are making basic mistakes.
Given the statements they have made – it sounds like the salt WAS lost. In which case I am presuming they ARE making basic mistakes.
09/06/2012 at 15:05 LionsPhil says:
I’m curious as to where you’re getting this salt-and-hash separate idea, since both components are needed to check the password, and both are stored together in, for example, the shadow password database on UNIX-like systems.
09/06/2012 at 16:38 Captchist says:
In a situation where I have a web login, I’m storing my hashed passwords in a database.
I am specifically not keeping my salt in that same database.
So getting hold of the database of hashed passwords should not give you the salt needed to generate/check them.
So yes of course you need to be able to get hold of the salt to do a password comparison. But you should not be able to get it by just hacking the server and dumping the database.
09/06/2012 at 16:49 Belsameth says:
What capt said.
Dumping a database with username and passwords is something altogether different than getting the salt, as that should be stored somewhere even more securely than the password database.
Sure, strong passwords help but the strength of the password almost doesn’t matter when the hash isn’t salted. Brute forcing is very, very fast nowadays :)
09/06/2012 at 17:17 LionsPhil says:
But the same can be said of the hashes, ideally. You have a simple access problem here: to verify the password, the login mechanism has to retrieve both. In what way are you going to make one “more secure” to get at than the other, and conversely, why would you not make the other that “secure”? You’ve ultimately got to stash yourself some user:salt:ciphertext triples somewhere.
An attacker getting hold of the user:salt mappings is not the same as not having salted passwords, unless that attacker is only interested in targeting one specific user. For the more common case of wanting as many valid logins as possible, they still have more combinations to worry about, and at most can hope to batch a few lookups together, depending on salt size and quality of random number generation.
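An added example, not code from the thread or from Riot, of the user:salt:hash triples LionsPhil describes: the salt sits beside the hash because the login check needs it, and a work-factor count shows why salts that are dumped together with the hashes still stop one computation from serving every user. The KDF (PBKDF2-HMAC-SHA256), iteration count and sample accounts are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Kept low so the example runs instantly; real deployments use a far higher count.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> None:
    """Create a user:salt:hash triple; the salt is random and stored beside the hash."""
    salt = os.urandom(16)
    store[user] = (salt, hash_password(password, salt))


def verify(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    """Login check: the salt must be readable here, so it is not a secret."""
    if user not in store:
        return False
    salt, stored = store[user]
    return hmac.compare_digest(stored, hash_password(password, salt))


def hash_computations(store: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> int:
    """Work factor of testing every word against every stored hash, reusing a
    result whenever the same (salt, word) pair recurs. A shared or empty salt
    lets one computation serve all users; distinct salts force users x words."""
    cache = {}
    for _user, (salt, _stored) in store.items():
        for word in wordlist:
            if (salt, word) not in cache:
                cache[(salt, word)] = hash_password(word, salt)
    return len(cache)


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    accounts = [("alice", "hunter2"), ("bob", "qwerty"), ("carol", "letmein")]
    salted: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in accounts:
        register(salted, user, pw)
    unsalted = {u: (b"", hash_password(p, b"")) for u, p in accounts}
    words = ["password", "hunter2", "qwerty", "letmein"]
    print("alice logs in:", verify(salted, "alice", "hunter2"))
    print("per-user salts:", hash_computations(salted, words))  # 12
    print("no salt:", hash_computations(unsalted, words))  # 4
```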
09/06/2012 at 15:23 Asurmen says:
This long chain of replies is kind of funny, going on about salting and hashing, when if you read Riot’s response a certain way they’re simply saying “Your password is easy enough that while we’ve safeguarded it, it’s possible to be brute forced.”
09/06/2012 at 16:27 Italianmoose says:
All this talk of salt and hash is making me think of a full English breakfast. i.e. hungry.
Does a full English even contain Hash Browns?!
09/06/2012 at 22:42 elevown says:
Nope. English people have NEVER eaten hash browns.
That generalisation is broadly accurate.
09/06/2012 at 15:24 LionsPhil says:
On the subject of salt and brute-forcing, while trying to look up what Windows domain logins do these days, I got sidetracked by this amusing rant.
09/06/2012 at 12:43 Raziel_Alex says:
Wish I could change my bday and my country in real life. Sadly, it’s still not possible.
09/06/2012 at 12:54 8BitLager says:
I wonder how many people are going to start screaming their Diablo 3 accounts were mysteriously hacked after this.
09/06/2012 at 13:01 DickSocrates says:
Hackers should be shot. And people who use autotune. And litterers and noisy neighbours. In fact, let’s just shoot everyone. I’d go first but I don’t trust anyone would follow. People who don’t follow me should be shot.
09/06/2012 at 13:13 LionsPhil says:
Shooting is thinking too small-scale, because it requires too many individual actions. You need to engineer some kind of global-level extinction event.
09/06/2012 at 14:21 marcusfell says:
Zombies?
09/06/2012 at 22:45 LionsPhil says:
Zombies.
09/06/2012 at 22:56 Jay says:
Fatal flaw in this plan: Hackers would need to leave the house to be affected.
Also zombies are notorious litterbugs.
10/06/2012 at 13:51 EPICTHEFAIL says:
Solution: use the Mass Effect zombie model. I sincerely doubt any hacker cave can withstand a few hours of scion bombardment. Also has a few other advantages.
Failing that, just ask Karthus to spam ult.
09/06/2012 at 17:59 MythArcana says:
None of my accounts get hacked ever. But then again, I only play single player games offline.
HRMMMMMMMMMM….
09/06/2012 at 22:37 Psychopomp says:
What a precious little snowflake.
09/06/2012 at 19:22 SkittleDiddler says:
Couldn’t have happened to a nicer community.
09/06/2012 at 20:36 Dances to Podcasts says:
On a related note, here’s a Diablo III farmer/hacker/whateverer live streaming his activities: http://www.youtube.com/watch?v=8NUQTATy5dc&feature=g-all-lsb
09/06/2012 at 22:24 zagor says:
LoL personal info hacked: no big deal on RPS
Diablo 3, not that many players reporting items stolen….. : FUCKIN BIGGEST STORY OF THE WEEK
09/06/2012 at 22:46 elevown says:
Actually it was a damn lot of people. And they are gonna tie it to a real money auction house. And it’s one of the biggest game releases in years. And a hell of a lot of people are pissed about a lot of things blizz did, like forcing online. And it’s had lots of problems… do they need any more reasons?
09/06/2012 at 23:35 Moraven says:
Actually it was a damn lot of people. And they are gonna tie it to a real money auction house. And it’s one of the biggest game releases in years. And a hell of a lot of people are pissed about a lot of things blizz did, like forcing online. And it’s had lots of problems… do they need any more reasons?
A lot less than an entire database being compromised.
RMAH and using your Battle.Net Balance will require the use of an authenticator. And like any game, lots have problems, lots do not. You have 6 Million+ players, more people will be affected and in this day and age it is easier for the minority to have a bigger voice.
11/06/2012 at 11:17 Milky1985 says:
The diablo 3 thing happened a week after release, and people were losing items from their single player game because of it.
This is a big story but is another hack in a rash of hack attacks (3rd in a 2 week period I think, guess there’s another round of hacks going on :/)
Both big stories, both talked about on RPS, there was more to say on the diablo 3 thing so they said more, don’t really see the problem.
Unless you’re a blizz fanboy that is angry that someone said something nasty about your favorite game.
09/06/2012 at 23:39 Moraven says:
I have a lv 3 account I think on EU, can not remember. Do not have an email. At least they are emailing people right away.
I still to this day never received an e-mail from Valve. I saw the message (in place of ads) when you leave a game. Was only a few days after it happened, they did not seem to care to inform everyone well.
At least their stuff was more encrypted than what you mostly see.
11/06/2012 at 11:20 Milky1985 says:
The valve thing was the forums not the main login, don’t think I got an email either way tho (and I defo have a forum account)
Theoretically they told a lot more people than they needed to doing it via the game client :p
10/06/2012 at 04:18 jrodman says:
Remind me why it’s acceptable that they store more than your username and password hash in accessible servers?
Date of birth? WTF?
10/06/2012 at 04:18 jrodman says:
Incidentally, glad I gave them false info at this point.
11/06/2012 at 00:07 daggerbite says:
Can’t even remember my password for this. Nevermind!