
Password nightmares.


gn.fur

Member
So, ok, I get it, passwords must be long, secure and stuff, but here it gets just ridiculous. If your password has no capital letters, numbers and special characters, the forum refuses to set it. Ok, I have seen protection against lazy, too-easy passwords like qwerty on other sites, but not at this level.
I'm ok with capital letters and digits, all of my regular passwords have them, but what's the deal with special characters? Just why? I don't care about 146% security, I just want to log in here without needing to reset my password every freakin time, because I cannot remember that special character. I'm sure there are many people who have a similar problem, so please fix this dumb security overkill and let us set the passwords we want to set.
 

RekNepZ

GMC Historian
This has been a huge complaint since this site started. Unfortunately, the admins here don't have much power to change it. It was a requirement by the higher ups because it'll somehow prevent the site from being hacked (I don't understand either).
 

GMWolf

aka fel666
I'm very glad they did!
With modern dictionary attacks, not having a special character makes too many passwords useless. Especially since the LinkedIn leak...
 

gn.fur

Member
It really isn't that hard.

Try working where I work. Fifteen character complex passwords that must be changed every thirty days. :p
At least you are there very often.
I visit GMC once every 3-4 months, so remembering "what did I type half a year ago" is next to impossible.
 

Coded Games

Member
Yeah, I recommend using a password manager. I use 1Password and all of my passwords are random. I don't even know what my password on this website is.
 

GMWolf

aka fel666
At least you are there very often.
I visit GMC once every 3-4 months, so remembering "what did I type half a year ago" is next to impossible.
As @FrostyCat suggested, use a password manager.
I use LastPass, and it has been working fine, aside from the couple of times I derped with multiple profiles: I wouldn't say managing multiple accounts is super easy with it.
 

RekNepZ

GMC Historian
I've said this before, but I'm really not sure how more secure passwords can prevent hacks like the ones we've had. No matter how strong your pass is, it won't really matter if someone gets to the encryption codes.
 

GMWolf

aka fel666
I've said this before, but I'm really not sure how more secure passwords can prevent hacks like the ones we've had. No matter how strong your pass is, it won't really matter if someone gets to the encryption codes.
As @Lonewolff said, it's non-reversible. Not really encryption, but hashing. MD5 was a popular choice, but now it's typically SHA256 or 512.
What gets stored in the database is the hash of the password. When you log in, the client side hashes the password and sends it to the server. The server then compares the stored hash and the sent hash. If it matches, you probably got the right password.

What hackers did before was to simply precompute those hashes in very large tables. Reversing them was simple. That's why adding special characters means they probably didn't precompute it.
Because hashes are peppered (mixed with a random key), this no longer works. So hackers will instead brute force their way through it: try out a lot of different combinations.
What they will also do is get lists of commonly used passwords and go through them, changing each in a number of ways to get through as many likely possibilities as possible.
This can be done very quickly, especially on modern graphics hardware.

That's why using words is a bad idea: they will check for those. Even replacing the 'o's with '0's doesn't help, as the algorithms will check these passwords as well.
Adding an exclamation mark at the end is not that helpful either for that same reason.

Password managers will generate passwords that are very hard for those algorithms to find, because they will not show up in dictionaries. They can also generate and remember much longer passwords, which are far harder to brute force.


This reminds me of my very first login system: all credentials were stored in a single INI file in plain text in the cloud. When a user logged in, it would download the entire INI file and compare the password and username.
It's a very good thing I never published this... oh god.
 
I'm not familiar at all with how hacking could work, but I'm thinking it would be possible to somehow make your way into the server and imitate some sort of authority and "download" the database to a remote location and somehow brute-force the entire database offline in some sort of optimized/speeded up way. Say if it is protected by an algorithm that purposely takes x amount of time to validate then it can just run multiple processes on different databases with different dictionary entries.

Probably far more complicated than I'm making it, I'm not even sure if anything I've assumed is near reality haha.


EDIT:
As @Lonewolff
.... ....
This reminds me of my very first login system: all credentials were stored in a single INI file in plain text in the cloud. When a user logged in, it would download the entire INI file and compare the password and username.
It's a very good thing I never published this... oh god.
Ha! Well you've cleared some things up for me there. Also, sending the entire ini user data base to the client?! And without obscurities?! That is so funny haha.
 

GMWolf

aka fel666
I'm not familiar at all with how hacking could work, but I'm thinking it would be possible to somehow make your way into the server and imitate some sort of authority and "download" the database to a remote location and somehow brute-force the entire database offline in some sort of optimized/speeded up way. Say if it is protected by an algorithm that purposely takes x amount of time to validate then it can just run multiple processes on different databases with different dictionary entries.

Probably far more complicated than I'm making it, I'm not even sure if anything I've assumed is near reality haha.
Yeah, it's that simple.
Just download and brute force with dictionaries.
The reason MD5 shouldn't be used is because the algorithm runs too fast on modern hardware (and there are too many tables).
SHA256 runs much slower, so it's harder to brute force.
Eventually we will need to use sha1024 or something...
 

FrostyCat

Member
I've said this before, but I'm really not sure how more secure passwords can prevent hacks like the ones we've had. No matter how strong your pass is, it won't really matter if someone gets to the encryption codes.
The latest hack on the GMC was a root exploit. The login processing code was modified to skim plaintext credentials from direct form input, and the vector was a reused root password from another compromised server. If you want to talk passwords, proper password management could have prevented it.

Aside from entropy, storage format, non-disclosure and non-presence on dictionaries, non-reuse is another key factor in a password's actual strength in the wild.

Generally passwords are stored in non-reversible encryption. So, it won't matter if the attacker knows how the password is encrypted.
It will matter if the hash is found to be weak, for example an unsalted MD5. Ashley Madison and Yahoo are recent examples of this.

Yeah, it's that simple.
Just download and brute force with dictionaries.
The reason MD5 shouldn't be used is because the algorithm runs too fast on modern hardware (and there are too many tables).
SHA256 runs much slower, so it's harder to brute force.
Eventually we will need to use sha1024 or something...
All variants of SHA are still considered fast hashes; in fact, speed was a key criterion during their design. This is where the need for slow hashes with tunable difficulty loads like BCrypt arises. But this is still no excuse to use a low-entropy password readily available in dictionaries.
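The two posts above (GMWolf's explanation of stored hashes, precomputed tables and random salting, and FrostyCat's point that every SHA variant is a fast hash and that storage needs a slow, tunable-cost function) can be shown side by side in code. The following is an added example, not code from the forum or from the forum software: it contrasts bare unsalted MD5 with a salted PBKDF2-HMAC-SHA256 record whose iteration count is stored alongside the hash so it can be raised later. The record format, the `CURRENT_ITERATIONS` value and the three-word "table" are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# ---- The weak scheme the thread warns about: unsalted, fast MD5 ----

def md5_unsalted(password):
    """Bare MD5 of the password: every user with the same password gets the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def precomputed_table(words):
    """Constructed stand-in for a precomputed lookup table (hash -> word)."""
    return {md5_unsalted(w): w for w in words}

def lookup_unsalted(stored_hash, table):
    """An unsalted hash is recovered by a single lookup if the word is in the table."""
    return table.get(stored_hash)

# ---- Salted, slow, tunable-cost storage: PBKDF2-HMAC-SHA256 (standard library) ----

# Assumption for this example: tune so one verification costs tens of milliseconds
# on the server. Raise it over time and let needs_rehash() upgrade old records.
CURRENT_ITERATIONS = 600_000

def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt b64>$<key b64>.

    The salt is random per record, so two users with the same password (or the same
    user re-registering) store different values and no precomputed table applies.
    """
    if salt is None:
        salt = os.urandom(16)
    key = _derive(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )

def parse_record(record):
    """Split a stored record back into (iterations, salt, key)."""
    algo, iters, salt_b64, key_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown algorithm: " + algo)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(key_b64)

def verify_password(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    iterations, salt, expected = parse_record(record)
    candidate = _derive(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record, current_iterations=CURRENT_ITERATIONS):
    """True when the stored cost is below today's setting: rehash on next successful login."""
    iterations, _, _ = parse_record(record)
    return iterations < current_iterations

if __name__ == "__main__":
    # Constructed sample data.
    table = precomputed_table(["123456", "Password1!", "qwerty"])
    alice = md5_unsalted("Password1!")
    bob = md5_unsalted("Password1!")
    print("unsalted MD5 identical for alice and bob:", alice == bob)
    print("unsalted MD5 found in table:", lookup_unsalted(alice, table))

    rec_alice = hash_password("Password1!")
    rec_bob = hash_password("Password1!")
    print("salted records differ:", rec_alice != rec_bob)
    print("verify correct:", verify_password("Password1!", rec_alice))
    print("verify wrong:", verify_password("Password1?", rec_alice))
    old = hash_password("Password1!", iterations=100_000)
    print("old record needs rehash:", needs_rehash(old))
```

The point of storing the iteration count in the record is that the cost can be raised on a running site: `verify_password` always uses the cost the record was made with, and `needs_rehash` tells the login handler to replace the record once the user has authenticated, so old accounts catch up without anyone resetting a password.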
 

GMWolf

aka fel666
The latest hack on the GMC was a root exploit. The login processing code was modified to skim plaintext credentials from direct form input, and the vector was a reused root password from another compromised server. If you want to talk passwords, proper password management could have prevented it.

Aside from entropy, storage format, non-disclosure and non-presence on dictionaries, non-reuse is another key factor in a password's actual strength in the wild.

It will matter if the hash is found to be weak, for example an unsalted MD5. Ashley Madison and Yahoo are recent examples of this.


All variants of SHA are still considered fast hashes; in fact, speed was a key criterion during their design. This is where the need for slow hashes with tunable difficulty loads like BCrypt arises. But this is still no excuse to use a low-entropy password readily available in dictionaries.
@FrostyCat correcting our inaccuracies again ^^ :)
Sometimes I wonder if you are a computer super god's alter ego...
 

RekNepZ

GMC Historian
I didn't understand a word you said, FrostyCat, but I'll take your word for it that there's good reason for the password rules.
 

grixm

Guest
Agreed. I must have made hundreds of accounts online over the years, but this forum was the first one to ever reject my standard password pattern. It is a strong enough password by every metric I've seen: it is unique for every site, it has a double-digit number of characters, capital letters, numbers and a non-alphanumeric character, but apparently that non-alphanumeric character doesn't count as a "special character", so it still wouldn't work with this forum.
 

Rusty

Member
The password system on this site is completely undermined by my ability to reset it and authorise the reset through my email address anyway. I just bash my head against the keyboard once every 30 days and then reset it through my email address when the "remember me" option wears out.

I ain't ever used a password this strong to use a free website and I don't really intend to start now. Or ever.
 

GMWolf

aka fel666
The password system on this site is completely undermined by my ability to reset it and authorise the reset through my email address anyway. I just bash my head against the keyboard once every 30 days and then reset it through my email address when the "remember me" option wears out.

I ain't ever used a password this strong to use a free website and I don't really intend to start now. Or ever.
You do realise that just one password crack is bad enough.
You could have used a similar password, for instance.
Even if you didn't, it's enough for identity fraud, for instance.

I used to think the same way, but trust me, when you start looking into how hackers get around, you can never be too careful with passwords.
 

gn.fur

Member
That's why using words is a bad idea: they will check for those. Even replacing the 'o's with '0's doesn't help, as the algorithms will check these passwords as well.
I like to use Russian words transliterated into the Latin alphabet in my own way. It's pretty unlikely that stuff like this will be included in brute-force dictionaries.

Also, I really don't like the idea of using a password manager. It seems even more insecure and inconvenient.

...but apparently that non-alphanumeric character doesn't count as a "special character", so it still wouldn't work with this forum.
I also had the same problem when I first registered. It's freakin retarded to not include some of the special characters, but ask for them anyway.
 

Rusty

Member
You do realise that just one password crack is bad enough.
You could have used a similar password, for instance.
Even if you didn't, it's enough for identity fraud, for instance.

I used to think the same way, but trust me, when you start looking into how hackers get around, you can never be too careful with passwords.
Yes but the thing is, I don't care.

I use a strong password for my paypal, because that has money on it. If somebody gets into that, I'm in real trouble. All my accounts connected to that or that give access to that are protected by a password code I have had to write myself a mental poem to remember. If somebody gets into my accounts, the accounts that matter to me, then I know it's a security fault on their side, not mine.

If somebody wants to wear my face for a bit and dance around in a Rusty suit then they're welcome to do so. I never keep any confidential data on forums, so the most damage they can do is make me look like an ass for an hour or so and honestly, I couldn't care less.

Edit:
In fact, if anybody can crack any of my 18 poem puzzle codes, take £50. On me. You've earned it. And that's all there is in my account right now so you've probably wasted your time too.
 

Xer0botXer0

Senpai
I have so many different passwords..
I don't keep the same password over multiple sites/accounts etc.,
so for example whenever I, like now, am on a shared computer and have to log in to the forum.. I go through 3/4 passwords before finding the one that works. I know the password I used for this site is one of them..
Eventually I do remember because I spend time here, but because I'm spending time here I'm not on Twitter etc.. so when I get back over to Twitter it's the same thing all over again.. what password did I use.

I think I need to add my passwords to a dictionary list and commence a dictionary attack on my login. Will be faster.
 

chance

predictably random
Forum Staff
Moderator
Look on the bright side.... At least we haven't forced you all to use 2-factor Auth (yes, this nearly happened). :)
But two factor auth is great. I wish more websites had it.
It's becoming more common with financial sites. One of my banks uses it. And one of my credit card providers as well. Not perfect security, of course, but it adds another layer.
 

GMWolf

aka fel666
It's becoming more common with financial sites. One of my banks uses it. And one of my credit card providers as well. Not perfect security, of course, but it adds another layer.
My Dutch bank uses this device to identify you with your card.
Best 2-factor auth I've seen, since phones can be stolen and hacked.
 

Ethanicus

Ethan L!
But this isn't a banking website, two-factor is nothing but a giant inconvenience for something that frankly isn't worth the security.
 

RekNepZ

GMC Historian
I love how people are giving out details about their passwords in this topic. Will make it much easier to hack later ;)
 

renex

Member
I understand admin and moderator accounts having enough complexity to keep brute force away... That's a good thing...

But I do not see how regular user accounts need such mess. Just makes it hella inconvenient for everyone else. I've had to reset my password more times than I'd care to count.
 

Rusty

Member
I've had to reset my password more times than I'd care to count.
That you can reset using an email address that doesn't have such a strict password requirement, making the entire point of the forum's strict password system pointless. Playtech's strict password policy on the forums is pointless.
 

Joe Ellis

Member
Oh? So, uh, outta curiosity, what characters do you put in the middle and beginning? In order and correct capitalization, please.
I put a capital letter at the start, lower case letters in the middle, a few numbers at the end followed by an exclamation mark
 

Mike

nobody important
GMC Elder
Look on the bright side.... At least we haven't forced you all to use 2-factor Auth (yes, this nearly happened). :)
Not to mention being forced to change it every "x" days.... yes... that was on the cards as well.

Remember, since Playtech are a gambling firm, they take ALL hacking extremely seriously. This was a requirement from them, we just have to live with it.
 

Llama_Code

Member
Unfortunately we live in a time when people need saving from themselves. You guys might ensure your passwords are secure, but the average person does not. People consistently use the same easy-to-guess passwords for everything. In fact, the password 123456 is consistently the #1 used password.

Thing is, you're right, nobody probably cares about your passwords for here, unless you're an Admin and they have a grudge. But all your passwords here would be an excellent addition to a dictionary of passwords, and there is a chance you used the same password for something else more important, like your bank account or credit card. That's the primary reason to ensure ALL websites enforce security standards regardless of content.

Hell, most browsers will now tell you a site that collects passwords is insecure if it doesn't have HTTPS, regardless of what the site is, and this is one of the reasons.

More and more sites are moving to the special character requirement, so it won't be long before it's the norm.

I mean I get it, I could care less if some idiot wants to use the same password for a porn site that he uses for his bank, that should be on him. Unfortunately it doesn't work that way.

Password managers are the most secure and easiest way to manage your passwords for all the websites you visit. Don't visit here for 3 or 4 months at a time? No problem, your password manager will remember your password when you don't. You can generate safe, individual, secure passwords for every site and you only need to remember one master password.
 

GMWolf

aka fel666
As a note about password managers, many people believe they are unsafe because you only need to crack one password.

This is not the case, as many password managers will simply encrypt your database with your password, meaning there is nowhere to get a copy or hash of your password. The only way is to brute force heavy encryption. That really isn't feasible with a good password.
 

Rusty

Member
I mean I get it, I could care less if some idiot wants to use the same password for a porn site that he uses for his bank, that should be on him. Unfortunately it doesn't work that way.
That's exactly how it works. It is on him. He's a moron. I don't need babysitting because morons exist.

If one idiot uses his year of birth as his PIN number and his bank account gets hacked into, you don't force people to start using 12-digit PIN numbers (with special characters, of course). You tell the moron not to be a moron next time.

If your password has been brute forced, it's your fault for setting it so easy. If you're using a low end security password to protect important data, it's your fault for not protecting your data. If that one password gives access to your entire being on the internet, you are a moron. No matter which way I look at it, it is not the fault of YoYoGames, Playtech, the Community, me or anybody else but yours if your account gets hacked by a user-end issue. If passwords are stolen from the site or server, it is the fault of YoYoGames site management and that is what Playtech's security priority should be with, not how I decided to set my password.

My current password for this site is honestly a bunch of random letters and numbers with some special characters that I bashed onto a notepad, entered into both the password reset fields and then deleted the notepad. The only way to realistically get onto my account is if you get onto my email address. An email address that is hosted by Microsoft, a company that does not require me to use such a complex password because they understand a lot more about internet security than Playtech.
 