Welcome, Guest. Please login or register.
October 16, 2019, 08:31:09 PM

Login with username, password and session length

Search:     Advanced search
Donate! | Shop: Amazon
*
Home Help Search Login Register
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  Diablo 3  |  Topic: Hackers and their hackering hacks 0 Members and 1 Guest are viewing this topic.
Pages: 1 2 [3] Go Down Print
Author Topic: Hackers and their hackering hacks  (Read 9367 times)
Fordel
Terracotta Army
Posts: 8306


Reply #70 on: May 22, 2012, 07:00:44 PM

Back in ancient computing times, there was a reason for limiting the password size.

But now, users should be encouraged to use phrases/sentences that are easy to remember but difficult to brute force dictionary attack. Special requirements (example being my bank) like having passwords no greater than 8 characters, but requiring presence of a digit, capital letter and special character (non-letter and non-digit) just delivers grief to a user.

Correcthorsestapler!

and the gate is like I TOO AM CAPABLE OF SPEECH
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #71 on: May 22, 2012, 07:17:14 PM

I'm thinking of something that actually just truncated rather than restricted you to 8 characters - it would let you think you were using a longer password but I found out later that it was only using the first 8 characters. Killing me that I can't remember what it is now.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Chimpy
Terracotta Army
Posts: 9293


WWW
Reply #72 on: May 22, 2012, 07:36:40 PM

Windows 95 "long" file names?

'Reality' is the only word in the language that should always be used in quotes.
Quinton
Terracotta Army
Posts: 3307

is saving up his raid points for a fancy board title


Reply #73 on: May 22, 2012, 08:23:14 PM

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

I heard this recently (was it someone on f13 or some other forum)? -- person had to choose a voicemail passphrase, so they used 10 digits, random order -- when the system required they change their password some months later, it failed because it required that they use a digit that wasn't in the previous password.  Apparently the thought that somebody might use ALL the digits in one password never crossed the mind of the system designer.
proudft
Terracotta Army
Posts: 1228


Reply #74 on: May 22, 2012, 08:36:59 PM

I had something similar happen with an ATM PIN.  As a new bank-account-holder in 1989 I thought I was being clever by using a 12-digit PIN for my Wells Fargo ATM number.  Then it turned out some non-Wells-Fargo ATMs didn't work.  I called Wells Fargo up and they said 'try the first 4 digits only', and ta-da.  I never did just try the first 4 digits at the Wells Fargo ATM to see if it had been truncating to four all along, but I have SUSPICIONS.

Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #75 on: May 22, 2012, 08:41:05 PM

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

I heard this recently (was it someone on f13 or some other forum)? -- person had to choose a voicemail passphrase, so they used 10 digits, random order -- when the system required they change their password some months later, it failed because it required that they use a digit that wasn't in the previous password.  Apparently the thought that somebody might use ALL the digits in one password never crossed the mind of the system designer.

This is why we need base-16 phones.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
rk47
Terracotta Army
Posts: 6236

The Patron Saint of Radicalthons


Reply #76 on: May 22, 2012, 08:47:54 PM

nice comic, if it's true im definitely changing my password habit. like how to cook my favorite food or something.
but the char limitation of some games / websites do prevent it from happening :(

Colonel Sanders is back in my wallet
Quinton
Terracotta Army
Posts: 3307

is saving up his raid points for a fancy board title


Reply #77 on: May 22, 2012, 11:30:04 PM

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

I heard this recently (was it someone on f13 or some other forum)? -- person had to choose a voicemail passphrase, so they used 10 digits, random order -- when the system required they change their password some months later, it failed because it required that they use a digit that wasn't in the previous password.  Apparently the thought that somebody might use ALL the digits in one password never crossed the mind of the system designer.

This is why we need base-16 phones.

If only the original 16 key DTMF design were widely deployed!

(see: http://en.wikipedia.org/wiki/Touchtone)
Zetor
Terracotta Army
Posts: 3093


WWW
Reply #78 on: May 23, 2012, 12:40:05 AM

Yes, that comic is amusing, but passphrases don't actually work in reality due to a lot of the providers truncating passwords (either silently or just by restricting the size of the entry box), plus it's kind of a pain to enter long-ass passwords every time; passphrases need to be really at least 20-25 characters long to be effective. Try using a 25-character (or even just 14) passphrase in COH and see how well it works.

If you're paranoid, use random (not dictionary-derived) ~14-character passwords stored in a password manager (keepass, etc), and use a strong passphrase to protect the password manager file itself. Or use an authenticator.  awesome, for real

Cyrrex
Terracotta Army
Posts: 8637


Reply #79 on: May 23, 2012, 01:54:16 AM

We seem to be dancing around, but never quite getting to, the biggest problem with passwords:  The sheer number of them the average human being has to deal with.  Couple that with the fact there is no standard system for them (what with upper/lower, numbers and symbols, etc.), and what you get is that people tend to come up with extremely simple passwords that just meet the minimum standard, and then they use those same passwords (or simple variations on them) all over the place.  How many different places do I have to use a password?  Hell, easily a hundred, and it is made worse by the fact that some of those places I only visit rarely, which makes the use of distinct passwords a fairly ridiculous suggestion.

You can set up all the crazy requirements you want for passwords...whether it's Battlenet, your online banking, F13.net, or whatever.  We're still going to find the minimum requirement and use that same password or group of passwords everywhere.  The human brain can't manage much more than that.  Unless, of course, we are writing them all down somewhere, which presents its own obvious problems.  At the end of the day, regardless of how much we want to bitch about it, it is far easier to deal with the potential danger of a hacked Battle.net account than it is to deal with trying to remember all those different passwords.

Authenticators go some way in addressing the problem, but are you going to have a different authentication system for each of these hundred places you go to?  Yikes, screw that.  A harmonized system would be ideal, but then the system itself becomes the threat.

Somebody out there is going to make a trillion dollars on a safe, universal system that doesn't use passwords at all (or only uses them as a supplemental safeguard) and implements it into everyday use like an authenticator.  Finger printing.  Retina scanning.  Voice recognition.  Microchip/Barcode scanning.  DNA wizardry.  Some combination of these kinds things, and hell, throw in a simple password and/or pin code as an extra layer.



"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk
Merusk
Terracotta Army
Posts: 27447

Badge Whore


Reply #80 on: May 23, 2012, 06:50:47 AM

What about some kind of chip.. implanted in your head..

SIGN OF THE BEAST OMG U R THE ANTICRHIST

The past cannot be changed. The future is yet within your power.
Cyrrex
Terracotta Army
Posts: 8637


Reply #81 on: May 23, 2012, 06:57:47 AM

Heh, yeah.  WELL WE ARE TALKING ABOUT THE GAME DIABLO WHICH MEANS DEVIL OMG.

"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk
Outlawedprod
Terracotta Army
Posts: 454


Reply #82 on: May 23, 2012, 07:48:14 AM

Blizzard account passwords are not case sensitive.
http://us.battle.net/d3/en/forum/topic/5152409863?page=1#4

Maybe this is a company wide IT policy and affects internal servers besides their customers. =p
Thrawn
Terracotta Army
Posts: 3089


Reply #83 on: May 23, 2012, 08:34:12 AM

Blizzard account passwords are not case sensitive.
http://us.battle.net/d3/en/forum/topic/5152409863?page=1#4

Maybe this is a company wide IT policy and affects internal servers besides their customers. =p

Posted ONE page back and still being semi-discussed at the top of this page.  Ohhhhh, I see.

(It's not really a big deal, but it does look very bad to non-IT people who don't get that MyName2000 isn't much more secure than myname2000.)
« Last Edit: May 23, 2012, 08:35:57 AM by Thrawn »

"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Lakov_Sanite
Terracotta Army
Posts: 7590


Reply #84 on: May 23, 2012, 08:36:20 AM

As said before, doesn't matter how complicated you allow people to make passwords, people will always pick simple ones. Just waiting until we can all jack in.

~a horrific, dark simulacrum that glares balefully at us, with evil intent.
kildorn
Terracotta Army
Posts: 5014


Reply #85 on: May 23, 2012, 08:49:15 AM

As said before, doesn't matter how complicated you allow people to make passwords, people will always pick simple ones. Just waiting until we can all jack in.

There was an old speech by an MS dude that basically boiled down to "stop with the X upper/lower/special remember last 12 change every 30 shit, it's just making people write the fuckers down" and was very well argued.

I don't think everything needs an authenticator, but I think companies need to be honest about what they provide and need. My bank? Should have an authenticator app or something else that isn't just a series of shit I know. Web forums? Should never ask for more than a username/pass and maybe an email address. The best system I've seen for dealing with the 100 passwords problem is tiering them by what they know and what harm the login can do. So you have unique passwords for your bank/mortgage shit. You have a few gaming passwords for things that in theory can cause you drama if they get hacked. And you have a throwaway or two for random sites that insist on a login for no sane reason. That way if some third party gets hacked, it's not getting everything and you're not relying on something like keepass (which simply creates a new attack vector: steal the entire vault) to know a hundred unique passwords.

I don't really see an end game for this though, the problem is that you're essentially trying to outsmart folks who are far more likely to be either exploiting a flaw in the company's security systems, or just social engineering the shit out of password recovery policies.
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #86 on: May 23, 2012, 01:31:19 PM

We seem to be dancing around, but never quite getting to, the biggest problem with passwords:  The sheer number of them the average human being has to deal with.  Couple that with the fact there is no standard system for them (what with upper/lower, numbers and symbols, etc.), and what you get is that people tend to come up with extremely simple passwords that just meet the minimum standard, and then they use those same passwords (or simple variations on them) all over the place.  How many different places do I have to use a password?  Hell, easily a hundred, and it is made worse by the fact that some of those places I only visit rarely, which makes the use of distinct passwords a fairly ridiculous suggestion.

You can set up all the crazy requirements you want for passwords...whether it's Battlenet, your online banking, F13.net, or whatever.  We're still going to find the minimum requirement and use that same password or group of passwords everywhere.  The human brain can't manage much more than that.  Unless, of course, we are writing them all down somewhere, which presents its own obvious problems.  At the end of the day, regardless of how much we want to bitch about it, it is far easier to deal with the potential danger of a hacked Battle.net account than it is to deal with trying to remember all those different passwords.

Authenticators go some way in addressing the problem, but are you going to have a different authentication system for each of these hundred places you go to?  Yikes, screw that.  A harmonized system would be ideal, but then the system itself becomes the threat.

Somebody out there is going to make a trillion dollars on a safe, universal system that doesn't use passwords at all (or only uses them as a supplemental safeguard) and implements it into everyday use like an authenticator.  Finger printing.  Retina scanning.  Voice recognition.  Microchip/Barcode scanning.  DNA wizardry.  Some combination of these kinds things, and hell, throw in a simple password and/or pin code as an extra layer.




My laptop has a fingerprint scanner, trust me, they are awful. It seems great in theory until the scanner has a problem.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Phred
Terracotta Army
Posts: 2025


Reply #87 on: May 23, 2012, 02:10:06 PM

I'm thinking of something that actually just truncated rather than restricted you to 8 characters - it would let you think you were using a longer password but I found out later that it was only using the first 8 characters. Killing me that I can't remember what it is now.

SCO Unix 4.2  used to have a max password length of 8 chars. Developed by Microsoft of course.

http://scofaq.aplawrence.com/FAQ_scotec1passwordlen.html

avaia
Terracotta Army
Posts: 513


Reply #88 on: May 23, 2012, 02:13:49 PM

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

That would be anything using DES, likely.
Lantyssa
Terracotta Army
Posts: 20848


Reply #89 on: May 23, 2012, 02:35:15 PM

My laptop has a fingerprint scanner, trust me, they are awful. It seems great in theory until the scanner has a problem.
Or you have virtually unreadable fingerprints.  (pun not intended, but welcomed)

Hahahaha!  I'm really good at this!
Mrbloodworth
Terracotta Army
Posts: 15148


Reply #90 on: May 23, 2012, 02:35:50 PM

So like, Conjecture aside. Was this resolved?

Today's How-To: Scrambling a Thread to the Point of Incoherence in Only One Post with MrBloodworth . - schild
www.mrbloodworthproductions.com  www.amuletsbymerlin.com
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #91 on: May 23, 2012, 02:37:19 PM

MrB: As it turns out there's no particular evidence that there was ever a real, new problem in the first place (other than "normal" password getting stolen sort of stuff.)

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Trippy
Administrator
Posts: 21476


Reply #92 on: May 23, 2012, 02:50:08 PM

My laptop has a fingerprint scanner, trust me, they are awful. It seems great in theory until the scanner has a problem.
Or you have virtually unreadable fingerprints.  (pun not intended, but welcomed)
Random anecdote: My godmother has played Mahjong so much for so long that she long ago worn down her thumbprints. Skilled players use their thumbs to feel the patterns on the tiles they have received so they don't need to take their eyes off the opposing players and that can wear down your thumbprints.

Outlawedprod
Terracotta Army
Posts: 454


Reply #93 on: May 23, 2012, 06:03:26 PM

MrB: As it turns out there's no particular evidence that there was ever a real, new problem in the first place (other than "normal" password getting stolen sort of stuff.)

The rumor going around was:
session spoof exploit and then they would ddos you to prevent you from reconnecting.
Venkman
Terracotta Army
Posts: 11536


Reply #94 on: May 23, 2012, 07:53:05 PM

I don't think everything needs an authenticator, but I think companies need to be honest about what they provide and need. My bank? Should have an authenticator app or something else that isn't just a series of shit I know.
Exactly. I was just joking about this with folks the other day. Just by having the authenticator at all, Blizzard games have higher security than my freakin bank.

There's too many sites/systems with too many standards to have people really remember all their passwords. Most rely on their browsers and email programs to do the remembering for them. I do not. I reset browsers on exit. But my password list (about 200 long now) is encoded and the multiple keys are only written in my head. I'm shit outta luck if I ever have memory loss :P

Not NSA-proof, and certainly not brute-force proof. But the really important accounts have customer service staffs to remedy situations and the rest the hackers can have if they really want it.
Thrawn
Terracotta Army
Posts: 3089


Reply #95 on: May 24, 2012, 09:54:04 AM

So like, Conjecture aside. Was this resolved?

Quote
Battle.net®/Diablo III Security Concerns

Over the past couple of days, players have expressed concerns over the possibility of Battle.net® account compromises. First and foremost, we want to make it clear that the Battle.net and Diablo III servers have not been compromised. In addition, the number of Diablo III players who’ve contacted customer service to report a potential compromise of their personal account has been extremely small. In all of the individual Diablo III-related compromise cases we’ve investigated, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player’s account, and we have yet to find any situation where a Diablo III player's account was accessed outside of “traditional” compromise methods (i.e. someone logging using an account's login email and password).

To that end, we’ve also seen discussions regarding the possibility of account compromises occurring in ways that didn’t involve these “traditional” methods -- for example, by “session spoofing” a player’s identity after he or she joins a public game. Regarding this specific example, we’ve looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we’ve determined the methods being suggested to do so are technically impossible. However, you have our assurance that we’ll continue to investigate reports such as these and keep you informed of important updates.

The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator andBattle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.

We hope this update has addressed some of the concerns you’ve had. In the end, we simply want all of our players to be able to fully enjoy Diablo III, and we’ve been working around the clock to address issues as quickly and efficiently as possible. We appreciate your continued support and enthusiasm, and we hope you and your friends are having a blast slaying Sanctuary’s demons.

TLDR - Diablo 3/Battle.net was not compromised in any way and their was no session spoofing problem, end user failures as most people assumed.  Not a single account with a proper authenticator has been "hacked".

"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
Mrbloodworth
Terracotta Army
Posts: 15148


Reply #96 on: May 24, 2012, 09:57:12 AM

Ok then. Thanks.

Today's How-To: Scrambling a Thread to the Point of Incoherence in Only One Post with MrBloodworth . - schild
www.mrbloodworthproductions.com  www.amuletsbymerlin.com
Bann
Terracotta Army
Posts: 448


Reply #97 on: May 24, 2012, 12:28:27 PM

Hrmm. Just got one of these in my email.

"Due to suspicious activity, the Battle.net account Bann@bann's_email has been locked. To restore access to this account, please follow these steps:

Step 1: Secure Your Computer

In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.

Step 2: Secure Your E-mail Account

After you have secured your computer, please create a new password for your e-mail account since it may also be compromised. Be sure to check your e-mail filters and rules and look for any e-mail forwarding rules that you did not create. For more information on securing your e-mail account, visit this Support page.

Step 3: Choose a New Password

You must change your password in order to resume using this Battle.net account. Please click this link to choose a new password:

Link Redacted

*Note that your former password no longer grants access to Battle.net account management, World of Warcraft, or any other login-protected Battle.net account service.

If you still have questions or concerns after following the steps above, feel free to contact Customer Support at Link Redacted

Sincerely,
The Battle.net Account Team
Online Privacy Policy"


Any bets as to legitimacy? I've not logged in since probably Saturday or Sunday.
kildorn
Terracotta Army
Posts: 5014


Reply #98 on: May 24, 2012, 12:32:22 PM

I'd probably go to bnet manually and see what's up. Or more accurately when you get home try and log in to D3. If you can, the email is full of shit. If you cannot.. password changing time.
sickrubik
Terracotta Army
Posts: 2967


WWW
Reply #99 on: May 24, 2012, 12:35:21 PM

Yeah, that sounds exactly like a phishing email. hover over the link and see where it actually goes.

beer geek.
murdoc
Terracotta Army
Posts: 3036


Reply #100 on: May 24, 2012, 12:39:17 PM

Why would you click a link in any email when you can go straight to battle.net and see for yourself?

Have you tried the internet? It's made out of millions of people missing the point of everything and then getting angry about it
kildorn
Terracotta Army
Posts: 5014


Reply #101 on: May 24, 2012, 12:56:04 PM

Why would you click a link in any email when you can go straight to battle.net and see for yourself?

This. Never trust mouseovers on links, either. Type it yourself and fuck anyone trying to put session information in their email tracking links.
sickrubik
Terracotta Army
Posts: 2967


WWW
Reply #102 on: May 24, 2012, 12:59:15 PM

I didn't say to ever click. Just saying you can at least tell if the href is going to someplace other than the displayed link. You should always go to the site.

beer geek.
Bann
Terracotta Army
Posts: 448


Reply #103 on: May 24, 2012, 06:27:39 PM

Well, it seems my account was compromised, but in a weird way. My highest level character, a normal 32 witch doctor, was stripped of all gear. The weird thing is that he was the only character touched, and my normal stash was untouched as well. The stash didnt have much gear of note, just alot of gems. Still, I'm surprised they didnt yank anything from HC chars. I had been playing the AH a bit buying decent higher level gear with stupid low buyouts.

Anyway, password changed and whatnot. Makes me wonder if I did somehow get hit over the weekend w/ whatever people were speculating about above, and the email I got was a trap to try and compromise other info.
Pages: 1 2 [3] Go Up Print 
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  Diablo 3  |  Topic: Hackers and their hackering hacks  
Jump to:  

Powered by SMF 1.1.10 | SMF © 2006-2009, Simple Machines LLC