PSA: you should change your RPS password, just in case

Last night, content delivery network and security service Cloudflare reported a security bug that may have leaked private data, including passwords, belonging to users of websites that use their service. Since RPS uses Cloudflare in front of our servers, to be on the safe side you should change your RPS website and forum passwords. We think it’s highly unlikely that any particular user is affected, but it’s better to be safe than sorry. There’s more information on exactly what happened below, along with details of how to change your password.

When you visit RPS in Chrome or Firefox, you don’t actually talk to our servers, you talk to Cloudflare’s. They filter your request, answer it from their cache where they can, and pass the rest on to our servers. They have servers all over the world, which means a lot of the unchanging stuff about the website (images, for instance) comes from a server closer to you, rather than having to cross the ocean to our servers in the UK. Cloudflare helps keep the site fast in distant lands, as well as providing extra security support.

Unfortunately a bug in Cloudflare’s code meant that a page with broken or badly built HTML, passing through one of their edge servers, could come back with a chunk of that server’s memory tacked onto it, and that memory could contain data from other customers’ traffic going through the same server: cookies, authentication tokens, passwords and form submissions. Cloudflare estimates that about 1 in every 3,300,000 requests was affected, a tiny proportion, but on the flipside Cloudflare handles billions of requests every day, and because the leaked responses were ordinary web pages, some of them were cached by search engines before the bug was found. It’s fairly technical, but you can read Cloudflare’s incident report here. The short version is that a bug in one of their HTML parsing modules let the parser read past the end of its buffer (an over-read rather than an overwrite) and hand back memory it was never meant to touch. HTTPS didn’t help here: the leak happened inside Cloudflare’s servers, after the traffic had already been decrypted. The window for the leak was between the 22nd of September 2016 and mid-February 2017 (Cloudflare deployed the fix on the 18th).
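The mechanism described above, as an added illustration that is not Cloudflare’s code: Cloudflare’s report attributes the leak to a generated HTML parser whose end-of-buffer test used `==` where `>=` was needed, so that malformed HTML (an unterminated tag right at the end of the buffer) could step the parser’s pointer past the end, after which it simply carried on reading whatever memory came next. The program below models that with a hypothetical tag-stripping parser and a constructed block of memory in which another request’s cookie sits immediately after the page being parsed. The `arena`, the function names and all of the data are made up for the demonstration; the only thing taken from the incident report is the one-token difference between the two end checks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample memory: one contiguous block holding request A's HTML,
 * followed immediately by data belonging to an unrelated request B (a session
 * cookie). Request A ends with an unterminated '<', the kind of malformed HTML
 * that triggered the real bug. The parser is only ever told about the first
 * REQ_A_LEN bytes; everything after that is "someone else's" memory.
 * Keeping both inside one array is what makes this demo deterministic; a real
 * over-read leaves the allocation and is undefined behaviour.
 */
static const char arena[] =
    "<div><b>hello</b><"                                  /* request A, 18 bytes */
    "Cookie: session=SECRETTOKEN; Host: other.example\n"; /* request B, adjacent */
#define REQ_A_LEN 18

/*
 * Hypothetical tag-stripping parser: copies visible text, skips <tags>.
 * fixed == 0 reproduces the faulty end-of-buffer test (p == pe);
 * fixed == 1 uses the correct one (p >= pe).
 * Writes at most outcap bytes plus a NUL into out; returns the byte count.
 */
static size_t extract_text(const char *buf, size_t len,
                           char *out, size_t outcap, int fixed)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;

    for (;;) {
        /* The one-token difference between leaking and not leaking. */
        if (fixed ? (p >= pe) : (p == pe))
            break;

        if (*p == '<') {
            p++;                            /* consume '<' */
            while (p < pe && *p != '>')     /* skip the tag body, bounded */
                p++;
            p++;                            /* consume '>'. If the tag was
                                               unterminated, p was already == pe,
                                               so it is now pe + 1 and the '=='
                                               test above can never fire again. */
        } else {
            if (n == outcap)                /* output full: stop. The real parser
                                               kept going until other code noticed. */
                break;
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Wrappers so the two behaviours can be compared on the same input. */
size_t parse_vulnerable(char *out, size_t outcap)
{
    return extract_text(arena, REQ_A_LEN, out, outcap, 0);
}

size_t parse_fixed(char *out, size_t outcap)
{
    return extract_text(arena, REQ_A_LEN, out, outcap, 1);
}

int main(void)
{
    char out[41];
    parse_vulnerable(out, sizeof out - 1);
    printf("vulnerable: \"%s\"\n", out);   /* page text, then request B's cookie */
    parse_fixed(out, sizeof out - 1);
    printf("fixed:      \"%s\"\n", out);   /* page text only */
    return 0;
}
```

With the faulty check the output is the page’s text followed by the neighbouring request’s `Cookie:` header; with `>=` the parser stops at the buffer boundary and returns only `hello`. The bounded output buffer is what stops the vulnerable loop in this model; in production there was no such bound, which is why the leaked chunks could be large and why the responses carrying them ended up in search-engine caches.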

This may affect you if you logged into RPS, or our forums, during that window: either your password could have been leaked while it was being sent to us, or the session cookie we use to ‘remember’ you’re logged in could have been. (A session cookie isn’t your password, but anyone holding a copy could have used your login without knowing it, which is why a password change rather than nothing is the right response; if you stay logged in on other devices, log out and back in on those too so they pick up a fresh cookie.) We deem this to be fairly unlikely, but it is a possibility. There’s currently no evidence of public or en-masse exploitation of the bug and it’s unlikely that anyone has actively exploited it, but out of an abundance of caution we recommend you reset the passwords you use on RPS. You can do that from within your profile page. Please make sure to use a unique password; sharing passwords across sites is dangerous!

While we’re talking about passwords, we strongly recommend everyone use a password manager, such as LastPass or Dashlane. That way you can use an automatically generated string of gibberish as your password for every site, turn on two-factor authentication wherever a site offers it, and resetting a password costs you nothing, since the manager does the remembering for you. If you must memorise a password, use a passphrase of several words chosen at random, not a sentence: real English word order is predictable, and that predictability is exactly what cracking tools exploit.

The issue was found by Tavis Ormandy of Google’s Project Zero, a team that looks for security bugs that are as yet unknown or unpatched.

Sorry for the inconvenience caused.

82 Comments

  1. Tei says:

    My password is a combination of numbers and letters, a mental image of a process where a corbnunsian agrees to have commercial sex with a jklqheerildian, a short dance, and it ends with an unpronounceable string of numbers. It is 8 characters long.

    link to shapecatcher.com
    I recommend using this tool to draw unicode characters that are only rarely used in some sects of Urdu, so your password really uses Special Characters and not the poser characters mere password hipsters use.

    Alchemical symbol for borax:
    🝄

    (1 character long password)

    • ramirezfm says:

      Shit, you have the same password as me. Damn, have to change it now :/

    • GenialityOfEvil says:

      That’s not really necessary. Brute forcing passwords isn’t efficient anymore, especially with data dumps, so using exotic characters doesn’t offer any real security over a long password (>=16) with different alphanumerical characters.

      • Tei says:

        No? I am curious to ask, but maybe it is not a good idea, since this is a gaming website. Way too off-topic.

        • GenialityOfEvil says:

          Brute force attacks use dictionaries of words, combinations and wildcards that are commonly used to work out a password. If you don’t use words (substituting o for 0 is included) it becomes exponentially harder to brute force a password with each unique letter.

          • ramirezfm says:

            Brute force attack != dictionary attack != mixed dictionary attack.

            Basically bruteforcing almost everything is possible as long as you do it offline. If I remember correctly you can be kind of safe if your password is at least 24 characters long and truly random, which is actually not that easy. Basically if you think you’re safe and your password is great you’re just uninformed.

            Bruteforcing anything online is almost impossible as 99% of the time websites have a set time that has to pass between requests.

          • GenialityOfEvil says:

            Yeah, and guessing passwords with a piece of paper and a pencil is always possible, doesn’t mean anyone’s doing it. We’re not talking about plaintext passwords here. It’s impractical to crack an entire database of hashed passwords. You seem to be looking at this from an entirely theoretical hack of one user.

          • Landiss says:

            Even 16-character long password is enough. You can get a rough estimation here (just don’t put your real password in there, to be safe):

            link to howsecureismypassword.net

          • GenialityOfEvil says:

            Bear in mind that those password strength tests are for quite narrow dictionary attacks. Modern password cracking factors in a lot of behavioural techniques, such as how people tend to distribute numbers and capital letters. 16 characters is about the minimum that should be considered safe.

          • Landiss says:

            I was talking about a randomly generated password. IMO people should just not create their passwords themselves, at all. There is no reason, no one is going to remember that many passwords anyway, and if it’s going to be quasi-random, just use generators to get more real randomness.

        • MiniMatt says:

          As Geniality notes, brute force is simply not necessary most of the time:

          When services are hacked which didn’t properly encrypt user information the hackers are rewarded with several thousand email/password combinations – chances are some of those users have the same email/password combination for their facetube/twitbook accounts. Maybe other even more valuable accounts. So rather than bruteforcing a single username, and coming up against all the server side defences and logging that entails, far simpler to try one username/password combination and if that doesn’t work, move on to the next.

    • syndrome says:

      My password is a combination of numbers and letters, a mental image of a process where a corbnunsian agrees to have commercial sex with a jklqheerildian, a short dance, and it ends with an unpronounceable string of numbers. It is 8 characters long.
      Is it Ðabnúrkasłe? Because this is how I made mine. Now I have to change it, darn.

    • Otterley says:

      Turns out my grasp of Ethiopic characters is greater than I’d imagined :D

    • April March says:

      That shapecatcher website seems a better deal to me to create ASCII art.

      I mean, look at this Arabic letter: ڝ
      Doesn’t it look exactly like a guy in a large hunter’s cap?

  2. MiniMatt says:

    Please make sure to use a unique password; sharing passwords across sites is dangerous!

    While we’re talking about passwords though, we strongly recommend everyone use a password manager

    Bravo for stressing this advice and thereby handling this unfortunate situation better than 90% of other sites.

  3. Mudashan says:

    Here’s a handy sage image everyone should study.

    I just want to add to RPS’s advice on Password Managers: LastPass is a name you see come up quite a bit. I remember reading a blog post from a security researcher about how LastPass transmits data that can potentially be used to track when and what websites people visit.

    Here’s an alternative that seems more honest and is *actually* free if you use iOS/Android apps: Bitwarden.

    If you’re super concerned about servers and passwords in general, Keepass is a free alternative. There’s also a secure alternative to Google and Onedrive (and the like) that’s called SpiderOak if you use Cloud Services to upload sensitive files.

    Stay safe and be vigilant!

    • Risingson says:

      My flatmate does use this.

      Which was a nightmare when his phone crashed without any means of recovery.

    • Jason Lefkowitz says:

      Some of these can also be used together: I use KeePass as my password manager, for instance, and then use SpiderOak to securely synchronize my KeePass database across all my computers/devices.

      This approach is a little more work than just having one service like LastPass that rolls password management and synchronization together, but it adds additional security — even if my SpiderOak account were to be compromised, my password database would be useless to anyone who didn’t also have my KeePass credentials.

    • thedosbox says:

      I remember reading a blog post from a security researcher about how Lastpass transmits data that can be potentially used to track when and what websites people visit.

      I would automatically distrust someone rubbishing one password manager (with no citation) while promoting another that few people have heard of.

      Having said that, wirecutter did a piece on various password managers that’s worth reading:

      link to thewirecutter.com

      • Mudashan says:

        Google “LastPass does not Encrypt.” I can’t post the link because RPS seems to consider the URL make-up spam.

        I’m not sure what you’re implying, but if you had Googled “Bitwarden”, which yes, is unknown compared to Lastpass and by the same token has a smaller target on its back in addition to *being open source* and not having at least two major security flaws since its release (Lastpass; you can Google those if you’re interested).

        All the same, trying to argue whether one *online* PW manager (with a modicum of trustworthiness, which Bitwarden has) compared to another is safer, is like trying to argue whether it’ll be safer if you wear a seat belt inside your Mini Cooper, stuck on train tracks, in front of a hurtling streaming train.

        • thatdosbox says:

          Google “LastPass does not Encrypt.” I can’t post the link because RPS seems to consider the URL make-up spam.

          Assuming you’re referencing the hackernoon article, it makes no reference to insecure usernames, passwords or other personal data. Instead, it talks about their use of common service identifiers – the example cited was link to accounts.google.com.

          I don’t consider that a risk – after all, if someone has your google email address, it’s pretty obvious that you’re using google.

          Having said that, sure, if you believe Lastpass is going to the effort of tracking your surfing habits, then don’t use them. The question is what evidence do you have that they’re doing so? Do their terms of service mention sharing data with third-parties?


          I’m not sure what you’re implying, but if you had Googled “Bitwarden”, which yes, is unknown compared to Lastpass and by the same token has a smaller target on its back in addition to *being open source*

          Neither obscurity nor open source is necessarily secure. Have you or anyone else audited their code?

          One note to add, @swiftonsecurity approves of the wirecutter article I linked.

  4. Premium User Badge

    Lars Westergren says:

    Day started with Google telling me I have to log in again everywhere because “something changed with your account”. I later heard from colleagues this is something a lot of people got.

    Then the news of Google finding weaknesses in SHA-1, and now this. Good thing I’m not paranoid about security or anything. *nervous laugh*

    And for dogs’ sake, can people just stop using C for networked applications? I know tooling, raw speed etc. isn’t 100% there yet for, for instance, Go or Rust, but if we could just work some on that and get a critical mass of developers and companies behind them…

    • Mudashan says:

      You’re right, a lot did happen yesterday leading into everyone’s mornings today!

      If anyone uses Twitter (and has a mild interest in cyber security and staying safe in general), following security researchers (such as @thegrugq), or cryptography experts, or crypto/security journalists on Twitter can be a handy way of being tapped into the world that informs whether you’re going to wake up to a truly awful morning one day after mainstream news outlets report on the latest data breach.

      • Premium User Badge

        rootfs.ext2.gz says:

        Do you know of any more such people? I’ve recently followed Tavis Ormandy, but for quite a long time I followed Steve Gibson (I know, I know – I didn’t actually know any better until I did a bit of googling) and I want to actually stay properly in the know.

    • Jerb Greffy says:

      Google signed me out yesterday as well on android, and like an idiot I immediately plugged in my password…

      It was legit though in case anyone else is worried.
      link to thenextweb.com

  5. Risingson says:

    There is a moment one says ok take all my passwords and all my money and all my privacy just leave me alone.

  6. alsoran says:

    So how secure is a long password protected 7zip file synced to various places for access and backup?

    Is Diceware lists a useful password generator?

    • Premium User Badge

      Lars Westergren says:

      The encryption strength for 7zip might be strong, but when you unzip the file to edit/read it will likely create an unencrypted copy of it in your Temp directory and leave it there. Password managers don’t do that.

      Syncing your password db using Google, Dropbox or something – it’s safer not to do that of course, but it’s a convenience tradeoff. If you have it on an USB stick you have to plug it in every time, plus you have to be careful to do secure backups in case you lose the stick or it breaks (happens all the time for me). Personally I do sync it online, but not completely happy about it.

      • alsoran says:

        yes I see. I’ve looked at my user temp folder and the little beggars are in there, and legible, they could be deleted with a script I suppose, or I could change the setting for the temp working folder to a different location, like a usb stick.
        Oddly if I just open an encrypted txt document within 7zip, it does not seem to leave a temp folder behind. It appears that I can update passwords this way.

        I’ve been meaning to check out KeePass, think I’ll do that now the issue has come to the fore.

        Thanks

        • alsoran says:

          reply to myself
          link to 7-zip.org
          To avoid temp file usage, you can use Extract command of 7-Zip or drag-and-drop from 7-Zip to 7-Zip.

          • Premium User Badge

            Lars Westergren says:

            That’s good, but you might still be vulnerable to keyloggers that sniff the password you enter to 7zip. What you are doing with 7zip is the basic idea of password managers, but they are built from the start with security in mind, so I would still go with one of those.

    • Arathorn says:

      I personally store all of my passwords in a VeraCrypt container. That is a lot more secure than a password-protected archive. I know everyone recommends password managers, but the idea of a single point of failure for all of my passwords somewhere in the cloud gives me the creeps.

      I’m not afraid of anyone abusing my login information here though. Most spammers will probably give up trying to log in to RPS after a couple of tries anyway, and it usually takes me about a dozen tries for the login to finally stick here. :-)

  7. geldonyetich says:

    All this changing of passwords is such a trial. Maybe we can all agree just to use an honor system.

    • April March says:

      I tried that, but I received an honor system virus that asked me to forward it to all my contacts and format my hard drive and had to do so.

  8. Bobtree says:

    I also changed my passwords for Discord and Humble Bundle which both use Cloudflare. There’s a big list of sites here: link to github.com

    • Otterley says:

      Damn, I’m getting too old for this :/
      Thanks for the link though :)

  9. newc0253 says:

    I write my passwords down on a piece of paper which I keep in my house.

    My house has been burgled. They took my DVD player and my Xbox and a bunch of other valuables. Oddly enough, they did not take the piece of paper.

    Piece of paper = more secure than any of your password manager bullshit.

    • Premium User Badge

      Lars Westergren says:

      That’s being lucky, once. I think I’ll rather put my trust in Kerckhoffs’s principle.

    • jmtd says:

      It’s not clear to me how your story is somehow something negative towards password managers.

    • Otterley says:

      Your piece of paper: you need to care if it’s stolen
      My password file: couldn’t care less if it’s stolen
      It is always worth doing the math with anything halfway important :)

  10. M0dusPwnens says:

    The advice in the linked article is dangerously wrong.

    “this is fun” does not have anywhere near the entropy of three random words, which is the metric erroneously used to calculate the dictionary attack’s time to break the password.

    The problem is similar to the problem of using words about your life in the password. If you use a word that an attacker could know from your life, the word becomes predictable. If you use “this is fun”, after they guess “this”, they can predict that “is” is vastly more likely than “fun” from normal English syntax (here’s an estimate of the difference). Normal word order is not random, so using actual sentences allows attackers a profound advantage when making dictionary attacks.

    Compare XKCD’s wonderful advice, which uses random words.

    If using the “three or four random word” method of password generation, it is absolutely essential that the words be random (it’s best not to come up with them yourself, use a generator) and also randomly ordered, not in normal English order.

    • Landiss says:

      IMO everyone should just use password managers with random password generators. Nothing beats a random string of characters (made with a generator it will always be better than what you can come up with, even if you think you are doing it randomly, because the human mind has some tendencies like avoiding using the same character a few times in a row, but with real randomness that can happen and is not even that rare). And the convenience of not having to remember anything is really great.

  11. Pogs says:

    If you are that worried you should force a user password change on people and not leave it up to us. You’ll have many people who don’t realise that their/your security has potentially been compromised and don’t change their passwords.

    • Landiss says:

      Or at least send an e-mail… But on the other hand, it’s just a gaming site, what could happen if someone gets access here? The only true vulnerability here is if someone uses the same PW in other, more important places, but that person is screwed anyway.

    • Premium User Badge

      Kirrus says:

      Password resets in this instance are for good measure, not because there’s in any way evidence of active breach or misuse. Hence not requiring them!

  12. Sin Vega says:

    The internet is still using a positively medieval blind password system and it’s ridiculous. Of all things, it’s windows 8 that was actually ahead here:

    GIVE US A BLANK PROMPT FIELD SO WE CAN SET OUR OWN REMINDER.

    There is no way I’m ever going to remember dozens of passwords hard enough to crack, let alone which one goes with which site. But writing them all down defeats the point. A prompt we can set ourselves lets us choose any old random gibberish but still leave a clue that will be meaningless to anyone else but guarantee we won’t forget.

    There are sites that I reset my password for several times a month because I’ve no chance of remembering what permutation of passwords I’ve used this time. Meanwhile, if I ever forgot my password for Windows 8, the phrase “l, d, j, and what?” is absolutely impossible for anyone other than me to ever recognise, but will remind me instantly.

    Oh, that reminds me: if anyone DID hack my password, please let me know what it is, ta.

    • jmtd says:

      Don’t try to remember passwords at all. Use a password manager.

      • Sin Vega says:

        Which wouldn’t be necessary if we could use prompts.

        Generally, when your design requires a third party to step in and provide a solution, you messed up.

        • jmtd says:

          Prompts won’t help me to remember hundreds of distinct, 20+ character random passwords. You need a password manager.

  13. BockoPower says:

    I swear RPS has the most inconvenient and user-UNfriendly profile manager on the internet. Can’t write my own password? When I re-install my OS or use another PC or phone I have to reset the stupid 34536-character randomized password every time just to log in. My first account every time gets the retarded message “Your password reset link appears to be invalid. Please request a new link below.” and I cannot log in with it for 4 years now. To change a simple avatar I have to log in through another site where I use the current disastrous pass and receive “Invalid username or password.” so I have to reset it again. I don’t understand how and why something so simple can be made so stupidly complicated.

    • Premium User Badge

      JiminyJickers says:

      You can write your own password, when you click generate, just enter your own one in that box.

      • BockoPower says:

        Well, it doesn’t say anywhere that I can put my own password or that it changes it. I changed it now, thanks, but this is another stupid interface decision in this site. And I was too scared to change the password to not get this account stuck just like my first one that stays with some random shit password that I can’t reset no matter what.

    • Premium User Badge

      Kirrus says:

      If you’ve lost access to your account, please post here; link to rockpapershotgun.com

      (And yes, forums use separate user/pass to main site)

      • GenialityOfEvil says:

        I’ve been a member for years, I honestly didn’t know there were forums until just now.

      • BockoPower says:

        Why do I even have to create a username in the first place if I have to create 6373 different ones for each branch of it? Come on, this is ridiculous… Thank you for the suggestion but I won’t bother anymore trying to get my first account. This is too much of a nuisance.

        Sorry if I may sound grumpy or spoiled but I think it’s the 21st century already and such things should be simple and easy. I browse the site almost every day for the last 4-5 years and I love most articles but a lot of the UI and structure just gives me a headache. It’s totally ironic too when you see a lot of the complaints from the authors about some games are how inconvenient, bugged or laggy they are (most recently For Honor and Conan The Exiles).

        • Premium User Badge

          Kirrus says:

          If no-one complains, how do they know there’s a problem?

          • BockoPower says:

            Probably because:
            1. The RPS staff rarely check the comments in the articles.
            2. There are like 20 people who use the forum.
            3. No “Complaints & Suggestions” section anywhere.
            4. People “get used to it” just like my neighbor and his unoiled screeching metal front door.

          • Landiss says:

            RPS in general feels like XIX century website in some regards :p. To be fair, I don’t expect that to change any time soon. Everything has costs and it cost a lot, if you want to have good quality. I actually prefer if they spend the money on writers instead.

          • Premium User Badge

            Kirrus says:

            You mean.. the RPS feedback discussion thread right here, that the staff do read? They do read the comments as well…
            link to rockpapershotgun.com

  14. jmtd says:

    As is becoming traditional for me when this topic comes up, I’d like to recommend 1Password as a password manager. I settled on it a few years back after evaluating it and last pass. It is *excellent*. I’m continually surprised that RPS never mention it in such posts.

  15. Grizzly says:

    I do like how you’ve excellently explained the problem here, kudos :-)

  16. Premium User Badge

    JiminyJickers says:

    Noted, have changed from Passw0rd1 to P@ssw0rd1. :P

  17. Rainshine says:

    For those who use password managers… are you always on the same machine or with the same device? I’m curious, because while I use them in certain places in my life, personal is not an area that I’ve picked up on using it. Partly because I have a small set of passwords I use for things that I don’t especially care about (forums, commenting, etc) so if they get hacked or whatever, I don’t really care. But given I may log onto a given site/application from any one of twenty or thirty devices across different platforms, I’m not sure how efficient it would have to be to presumably install a manager on each device and download a copy of the database and then remove the manager and delete the copy just to get into one site. Maybe I’m just an abnormal user?

    • Premium User Badge

      Kirrus says:

      You can use a website with some, lastpass for sure you can access with a website, and with a browser plugin. I personally use Keepass, with a database synced via dropbox, but that’s just because it’s what I picked back in the day. Doesn’t seem to be an issue, having it installed on multiple machines, and it makes remembering passwords so much easier. Think my db is over 100 entries now…

      • GenialityOfEvil says:

        KeePass also has numerous plugins for syncing with different services, Amazon S3, Google drive, OneDrive. If you have a secure server of your own you can even link to that.
        You can actually do all of this already in KeePass, but the plugins make it easier.

    • jmtd says:

      Generally I am on one device. Most offer cloud sync, if you’d trust your passwords to the cloud. I don’t. 1Password offers local sync between devices in my home.

    • Landiss says:

      Well, if you are using 20-30 different devices, I’m guessing most of them are used by other people as well, then in general you are screwed when it comes to security. You can’t know what malware is installed on those devices and no matter what password you have, it might be stolen. I would definitely not advise you to log in to any important place (like banking) from anything but your own device.

      As to your original question, like the other commenter, I’m using keepass + dropbox and additionally keefox, a plugin for automatically inserting passwords in firefox.

      I believe you could also keep KeePass and your passwords file on USB stick, but again, plugging it into unknown devices would be a security risk in itself.

  18. Be_reasonable says:

    It seems like every month some big company has a leak with our data, and there’s nothing we can do about it. Companies can be irresponsible with our information, and there is no recourse. Just, “change your passwords folks!”

  19. Skandranon says:

    Eh, if someone wants to hack my RPS account, more power to ’em.

    I guess they could make extra-saucy comments in my name?