Ubisoft website hacked

[KallDrexx]

Anyone who uses Uplay might want to change your passwords just in case:

http://www.polygon.com/2013/7/2/4486856/ubisoft-website-hacked-usernames-and-encrypted-passwords-exposed

[Fordel]

What the hell is Uplay?

[koro]

What the hell is Uplay?

That thing you used to have to run and remain connected to at all times in order to play any Ubisoft game on the PC and is now just the service you have to sign up for when you want to play any Ubisoft game on the PC.

[Yegolev]

What the hell is Uplay?

It's the french word for "origin".

[Maledict]

I know I'll get shouted at for this, and probably rightly so, but this sort of thing really pisses me off. I will now need to changes whole inch of passwords across my system.

And yes, I know each site should have a different password but when every single service in existance requires a password it is beyond my capacity to remember them all. Last time I looked at my list I have over 60 different log ins and passwords - thats utterly insane.

Not that you get a choice anymore either - if you want to play a Ubisoft game you have to use uplay. And I love Might and Magic too much to stop playing those games... :-(

[KallDrexx]

I know I'll get shouted at for this, and probably rightly so, but this sort of thing really pisses me off. I will now need to changes whole inch of passwords across my system.

And yes, I know each site should have a different password but when every single service in existance requires a password it is beyond my capacity to remember them all. Last time I looked at my list I have over 60 different log ins and passwords - thats utterly insane.

Not that you get a choice anymore either - if you want to play a Ubisoft game you have to use uplay. And I love Might and Magic too much to stop playing those games... :-(

If you trust the "cloud" I would recommend LastPass, it's amazing.  Data cannot be decrypted on their servers (it's always encrypted client side with your password prior to being sent).
If you don't trust the cloud, get 1Password or KeePass.
If you somewhat trust the cloud you can use Keepass with dropbox.

It will make your life much nicer not having to remember 50 billion passwords and not having to change your passwords once one site gets hacked.

LastPass (which i use) has the advantage of the other two that it supports 2 factor authentication.  They have had at one security breach but nothing came of it because it's impossible to decrypt the data on the server without your password.

[Miasma]

If you don't trust the "cloud", or people who use phrases like "impossible to hack" there are plenty of client only programs like Password Safe.  If you have to go through and reset all your passwords anyways you may as well spend a little more time and do it right.  If you use a client side program be damn sure to backup the password file.

[Lantyssa]

Password Safe is my pick.

Really annoying since I signed up for Uplay THIS VERY WEEKEND to try and play Anno2070.  That didn't even work because it wanted me to download the game again, even though Steam had it all.

[Trippy]

1Password works with Dropbox too. That's what I use now. UI is pretty shitty but it does do what I need.

[Fordel]

I guess I don't actually play any Ubisoft games, I don't remember ever seeing this thing. 

[Baldrake]

The trouble with all of these solutions (lastpass, etc.) is that they don't work with iOS. So your PC happily breezes past the login page with your incomprehensible password unique to that site, but good luck getting into the same site on your iPhone.

[Chimpy]

The trouble with all of these solutions (lastpass, etc.) is that they don't work with iOS. So your PC happily breezes past the login page with your incomprehensible password unique to that site, but good luck getting into the same site on your iPhone.

I use a program called Strip (which I had to pay like 5 bucks for the iPhone version and I think 10 for the pc ) syncs over Dropbox or wifi if on the same network, works pretty well and they are being really good about fixing shortcomings in each release.

[Trippy]

The trouble with all of these solutions (lastpass, etc.) is that they don't work with iOS. So your PC happily breezes past the login page with your incomprehensible password unique to that site, but good luck getting into the same site on your iPhone.

1Password is available for iOS and Mac OS X and Windows as is Dropbox. Which is why I use them together.

[Rendakor]

Anything that works for Android and Windows?

[Trippy]

1Password works for Android too.

[apocrypha]

LastPass also works on Android & Windows, but you have to subscribe to use the Android app which is about $1/month.

I got the email from Ubi about this hacking, went to their site to change my password and then remembered that it still had an old, manual password from before I started using LastPass because I never use it and have no intention of ever buying a UbiSoft game again anyway do fuck it, I didn't bother. They can have that password!

As an aside, has there been any indication from Ubi of how these stolen passwords were encrypted? Because if they're another unsalted MD5 set then the encryption is worthless.

[bhodi]

I use KeePass, which not only runs on everything but has a bunch of autocomplete plugins so I hit ctrl-alt-a and it types my login even in-game like blizzard.

I've also got it set up so that putty pulls in passwords from it, too.

[Kageru]

I use a text file and my standard encryption utility that came with the os (bcrypt).

[Sophismata]

KeePass. It has the advantage of using a double-input style autotype, which is almost impossible to pick up via keylogger. I've used it when traveling to access my bank information and such.

Just don't... um... store your password database on a service that needs the password database to access.  

[Furiously]

Anything that works for Android and Windows?

A sheet of paper next to your computer in a safe? Or just a sheet of paper next to your computer if you are not too scared of someone breaking into your house stealing a sheet of paper next to your computer.

[ezrast]

I have a quick mental hash (something like "number of characters in website name followed by number of vowels", though that's not what I use of course) that I incorporate into an otherwise mostly-static password. Not the most cryptographically secure method, but it at least makes everything unique and I don't have to trust shit.

Of course you could argue that I'm more likely to contract amnesia or have the information tortured out of me (or, you know, get keylogged) than KeePass is to have its database hacked. You'd be right. But at least it's one less tech system for me to keep track of.

[Rendakor]

Anything that works for Android and Windows?

A sheet of paper next to your computer in a safe? Or just a sheet of paper next to your computer if you are not too scared of someone breaking into your house stealing a sheet of paper next to your computer.

A sheet of paper I keep at my house is totally useful for my Android mobile devices. 

[Furiously]

Put it in your wallet then?

[Hawkbit]

There's a fairly good chance the data from this hack is being used.  I just got an unauthorized use email from blizzard.  That's the first time I've ever seen one from them before today.  Unless its a crazy coincidence.

[Hayduke]

I didn't even realize I had a Ubisoft account till I got the email.  I guess it was from Shadowbane.

[Kageru]

Thankfully I consider uplay and origin to be reasons not to buy a game, though Arkham keeps tempting me every steam sale, so I doubt I have any info for them to lose.