Thackers: You’d Better Change Your Ubisoft Passwords

By Alec Meer on July 3rd, 2013 at 12:30 pm.

You know the drill. Publisher hacked. User details compromised. Payment details safe. Systems taken offline in the meantime. Change your Ubisoft passwords. Change the passwords of anything you use the same passwords for. Modern life is rubbish.


65 Comments

  1. NotInventedHere says:

    Why are they giving me a maximum password length?? *sigh*

    • Lord Custard Smingleigh says:

      Because smart-arses like me would try to use the entire text of Moby Dick as a password. Or possibly the entire uncompressed Star Wars original trilogy DVD rip transliterated into ASCII.

      • Nalum says:

        If they did it right it’d make little difference, but then publishers rarely do it right.

        • HothMonster says:

          If the server is constantly checking hashes of 1,000,000,000 character passwords it certainly would have an effect. Someone could basically DDoS the login server by making a couple of accounts with Custard’s methods and logging them both in and out over and over.

          A limit isn’t bad practice. A limit under ~26 characters is pretty stupid though. IMO

          • jalf says:

            … except a simpler and more robust way to do that would be to just rate-limit how often you can attempt to log in.

          • HothMonster says:

            Ok do that. Then people with malicious intent just have to make more free accounts or convert the entire geocities dump to txt and input that.

            We are talking about what, around 60 million accounts? Better to plan for the worst case than say sorry to gamers when they can’t game. I can’t think of any site with 10s of millions of users that doesn’t have some character limit, though surely some must exist.

      • Alien426 says:

        That’s what (cryptographic) hash functions are for. And when you store only that hash in the database, a hacker has no real passwords and no way to reverse-engineer passwords from the acquired data.

        • ix says:

          Your server will fall over trying to compute that hash though (well, if enough people do it).

        • MrPo0py says:

          Not exactly correct. There is no way to reverse a hash to its original cleartext. But hackers have now collected over the years massive databases of millions of passwords along with their hashes. All that they need to do is write a script to compare Ubisoft’s hashes against their own database and it will usually spit out a crapload of matches. They then have the password and the associated email address of tens of thousands of Ubisoft’s accounts. So if there are 58 million Ubisoft accounts I suspect they will eventually crack at least 50% of them. Probably most of them.

          Read this:
          http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

          The advice from security experts is to keep your passwords long. The longer it is the more likely it is to be completely unique and not on any of those uber-lists. So a limit of 16 characters is dumb as hell in terms of security. 16 should really be the minimum.

          • Tei says:

            These hash dictionaries are rendered useless by using a crypt function as your hash function, or by using a salt that uses part of the user data like the id. Only the most simple hash functions already have a hash dictionary. If you use a salt, the hackers must create a new dictionary with that salt. If the salt is based on the user id, the new dictionary will only be useful for 1 password. Crypt functions are slow, so creating a dictionary of them is very slow. And you need the crypt password, so if they have only downloaded the database, they can’t get the passwords.

          • jalf says:

            These hash dictionaries are rendered useless by using a crypt function as your hash function, or by using a salt that uses part of the user data like the id.

            Do read the article, please… :)

            These are not rainbow tables, not lists of which hashes correspond to which plaintext passwords.

            They are lists of which passwords people actually use *in practice*. And salting does not protect against hackers using those.

            And you need the crypt password, so if they have only downloaded the database, they can’t get the passwords.

            Sure, that was true 10 years ago.

            Today? Not so much.

            Like I said, read the article linked to above.

          • Tei says:

            Nothing in the article contradicts what I say. You can slow down hackers by salting passwords, so they must build an entire dictionary for every password.

        • Dan Puzey says:

          Most commonly-used hashes sadly make little difference these days: the GPU has rendered most of them near-obsolete. See http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html for reference – though there are still some *more* secure algorithms, we’ll need fresh ones before long.

          That’s even true if you use a salt. Salted SHA hashes – industry standard for a *long* time and still in use on *so many* sites – are cracked pretty trivially for the majority of passwords.

          Strong passwords are still a must, no matter what your server is using.
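
The exchange above (Tei on salts, jalf and Dan Puzey on wordlists and fast hashes) can be pinned down in a few lines. This is an added illustration, not code from the thread or from Ubisoft; the iteration counts and the sample passwords are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import time

# Added illustration: what a per-user salt buys and what it does not.
# - Tei's point: with a per-user salt, a table precomputed for one salt is useless for
#   every other account.
# - jalf's / Dan Puzey's point: a salt does nothing against guessing passwords people
#   actually use; only a slow hash (here PBKDF2 with many iterations) raises the cost
#   of each guess, for the attacker and the server alike.

FAST_ITERS = 1          # "salted SHA": one hash round, as criticised in the thread
SLOW_ITERS = 100_000    # a slow KDF setting (assumed value for this demo)


def store(password: str, iterations: int, salt: bytes = b"") -> dict:
    """Store a password as (salt, iterations, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)           # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time.
    Note the salt does not stop a correct guess: a common password still verifies."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               record["salt"], record["iterations"])
    return hmac.compare_digest(cand, record["digest"])


def same_password_different_digests(password: str) -> bool:
    """Two users with the same password get unrelated digests (Tei's point)."""
    a, b = store(password, FAST_ITERS), store(password, FAST_ITERS)
    return a["digest"] != b["digest"]


def cost_per_guess(iterations: int, samples: int = 5) -> float:
    """Seconds spent on one candidate password at the given iteration count.
    The ratio SLOW/FAST is the factor by which a slow KDF multiplies attacker work."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    rec = store("password1", SLOW_ITERS)   # constructed sample, a classic wordlist entry
    print("salt defeats shared tables:", same_password_different_digests("password1"))
    print("salt does not defeat a right guess:", verify("password1", rec))
    print("slow/fast cost ratio: %.0fx" % (cost_per_guess(SLOW_ITERS) / cost_per_guess(FAST_ITERS)))
```

The point for a defender is the last line: the salt changes nothing about which guesses succeed, while the iteration count is what turns a cheap guess into an expensive one.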

    • Skabooga says:

      All this talk about salt and hash is making me hungry. I’m just glad there’s no security feature named ‘sausage’.

      • stupid_mcgee says:

        Behold! My new security algorithm! I call it, “scrambled eggs and toast!”

  2. navik says:

    Booo… But it is on incidents like this I’m glad over my (otherwise tedious) system of 1 pass 1 account…

    • The Random One says:

      I’m pretty amazed that they didn’t change their warning text so after saying “change any passwords which were the same as Ubisoft’s” they added “and by the way don’t do that because of this very reason, dumpkoff”.

  3. NaN says:

    If they could just invest more resources in security and less in stupid DRM……

    BTW, RPS, no news about the Cube World release yesterday? :?

    • Belsameth says:

      Cube World is released?!?!?

    • Kadayi says:

      They quit with the DRM some time back according to RPS

      As regards passwords, I recommend using a password manager like LastPass or KeePass. I don’t use the same password for anything these days after all the high profile site hacks a couple of years back.

      • Ross Angus says:

        I’m with Kadayi, but I use Password Safe. I now have no idea what any of my passwords are. It’s refreshing.

      • stupid_mcgee says:

        Ubi didn’t really get rid of the DRM, it’s just much less of a nuisance than before. Before, always-online DRM was the name of the game. Now, they require a single online activation after installation.

        I can’t agree more about KeePass and other password managers. I use KeePass and, whenever I create a new account and save my database, I immediately upload my password databases onto my Google Drive account and onto a thumbdrive.

  4. wsjudd says:

    I get the following message upon clicking that link:

    “Something is technically wrong.

    Thanks for noticing – we’re going to fix it up and have things back to normal soon. Click here to go back to the home page.”

    Is this just me?

  5. Anthile says:

    Hint of the day, use KeePass: http://keepass.info/

    • phuzz says:

      I like LastPass myself, but the message is clear.
      Get some sort of password manager, and use it to keep different passwords for every website etc. And make them long and complex while you’re at it.
      As a bonus, you’ll not have to reset your Steam password every time you re-install, because your password manager will have saved it for you.

      • Sian says:

        I sometimes log in from different computers. I guess these password managers allow me to do this in some way, yes?

        • Faxmachinen says:

          You can put your password database in the cloud, e.g. SpiderOak or DropBox, or on a memory stick. Just make sure to pick a solid master password. There may even be password managers you can run directly from the memory stick.

  6. -Spooky- says:

    *sigh* 010101111100111

  7. rustybroomhandle says:

    So slow, RPS, I already changed mine like yesterday… it’s ‘swordfish’ but like with a 5 instead of an S.

  8. Teovald says:

    Relevant xkcd for password generation: https://xkcd.com/936/

  9. DiamondDog says:

    “Change the passwords of anything you use the same passwords for.”

    At this point you’d have to be certifiable for this to be a problem.

    “I know, I’ll use my online banking password for my Uplay account!”

    • SanguineAngel says:

      Yes, those are the only two things I have passwords for.

      I have a bad memory. I imagine many people reuse their passwords for various things otherwise they would just continually forget them.

      • Syra says:

        I have about 50 or more accounts for things (sigh modern life does suck) and use a variation around a common theme for them all, in most cases using the simplest form repetitively because they don’t really matter much? I really don’t care enough to remember them all and barely frequent these places more than once every few months for whatever I need from them.

  10. snappycakes says:

    LastPass is a useful tool when it comes to this. Can randomly generate passwords and store them securely.

    • -Spooky- says:

      I store them too, with a hipster tablet. You know, it’s called paper & pen .. oh wait! Too retro!

      • snappycakes says:

        Nice sarcasm. Paper is a lot easier to lose. Might as well store them in a plain text file on your PC whilst you’re at it.

      • Solidstate89 says:

        Does it generate completely random passwords, encrypt them locally and allow you to instantly log in to every website through a browser add-on?

        Oh no wait, you’re just being an idiot.

  11. Crosmando says:

    Look at you hacker…

  12. dE says:

    Well, this is good guy Ubisoft reminding everyone that you really should be changing Passwords every 6 months.

    • Gnoupi says:

      More than that, it’s about not using the same password on two places.

  13. Syra says:

    If anyone wants to hack my ubi account my new password is ubisoftsucksdick…

  14. cunningmunki says:

    I didn’t even realise I had a Ubisoft account until they emailed me and told me to change my password. “Why the hell would I need a Ubisoft account?” I asked myself. Then I remembered and did a loud inward sigh.

    • Syra says:

      This.

      I don’t even remember what my Ubisoft password is, but looking at my email history with them I’ve tried to recover it on about 5 occasions months apart, so when I launch a Ubi game I basically don’t care what it was.

      • Apocalypse says:

        That is the best system for such passwords: hit keyboard with your head, or your head with your keyboard a few times. Copy and paste this, and then don’t forget that “remember me” checkbox.

        If you ever need that password again, just request a reset. Works like a charm, and is super safe, until someone steals your mailbox ;-)

    • Gap Gen says:

      I am shocked and appalled that a hacker could conceivably play Raven Shield with the zero people currently online while masquerading as me.

    • analydilatedcorporatestyle says:

      Neither did I and I can’t think why they needed my bank account number and pin but as they are a trustworthy company I obliged! I didn’t realise they ran their support operation from Nigeria either.

  15. zergl says:

    I’ve never been happier that I immediately asked for (and received) the refund for From Dust before activating it when I mistakenly bought it on Steam under the assumption that it didn’t have the stupid UPlay DRM (which they later defused after the outrage).

  16. Buckermann says:

    I recently tried to play Anno 2070 again, but it seems they changed their uPlay system quite a lot since I played it last, and now you need to log-in using your email instead of a username.

    And they don’t accept any of my email addresses.

    And their support tells me I never had an account.

    And when using my activation codes the system tells me that they are already in use.

    So, “Fuck you Ubi” and “Hello Piratebay”. And as an added bonus I’ll probably get the latest expansion too.

  17. kyrieee says:

    If I could only remember my login…

  18. Solidstate89 says:

    Here’s your regular reminder that anyone who cares about proper password security should be using a password manager by now. You can’t rely (even though you should be able to) on the database managers for shit. They’re all utterly worthless at performing proper security sanitizing.

    • HothMonster says:

      You can only design a system so good that you yourself cannot hack it; however, someone is always smarter than you.

  19. Terror Teddy says:

    Well, I’m now fucked. My old email address got hacked, I tried to change the email address that uplay uses, but every time I went to change my email, it told me that part of the account thing was in maintenance mode or something like that.
    And now this happens. I can’t change password because it sends the information to the stolen email account and I can’t change email because it wants me to change password.

    sigh. It looks like it will be the same thing as GFWL, but this time I will lose more than 1 game.

    ps. fucking shit

    • phuzz says:

      Reset your password on your email account?

      Oh, and get some kind of password manager, you’ll thank me later.

    • dr.castle says:

      Yeah, I’m in the same situation. The uplay website forces you to change your password immediately upon logging in, and there’s 1) no way to change your password without being able to access the email with which you log in and 2) no way to change that email without first changing your password.

      So if you no longer have access to the email you used to register your Uplay account, all you can do is contact customer service from a different email and pray, I guess.

      Luckily I don’t have any games activated to my account (I think I had the account because From Dust initially required it?). And after this debacle I most certainly never will.

  20. SIDD says:

    Request a password reset 4 times now … first one 6 hours ago … still haven’t received any reset emails so I guess everything is working brilliantly as usual @ Ubisoft

  21. edam says:

    Anyone else think Ubisoft sounds like a company made up of erectile dysfunction sufferers? Ubisoft…you be soft…. someone didn’t think it through.

    It’s taken me 15 years or so to have this thought.

  22. Maybeline says:

    The list of passwords and emails already leaked...

    http://emeraldfiles.com/ubisoft-database-hacked-passwords/