ChocoMousse wrote:Hi, I just want to update you regarding the payment information statement.
From some of my sources, it appears that the payment information leaked includes:
Email, full names, billing & shipping addresses, IP information, payment amount, and other details. No credit card numbers.
ObiWanCumnobi wrote:
Phew, at least my SSN and DNA sequence are safe, for now.
This doesn't account for the time it will take to write the email (deciding what to say and how to say it, especially since this message is kinda critical), which may add hours or more to the ETA.
NateNate60 wrote:I don't think it takes very long to send out 8 million emails, especially if they all essentially say the same thing.
A 10 KB message multiplied by eight million is 80 GB. At 100 megabytes per second (800 megabits per second), it'll take 800 seconds to send 80 GB, in theory. If we assume they're sending at 20% of the maximum capacity because of slow-running code or something, then it'll still take only about one hour.
Also, 10 KB is a pretty large email, especially considering the usual payload of the forum emails they send.
we can't easily update everyone's hashes to a new algorithm
4DEATH wrote:Achilles wrote:Passwords were stored as a salted MD5 hash and not plaintext, but it appears that these hashes can still be brute forced to get the plain text password if it wasn't a very secure password.
Just in two clicks I have found some info about MD5. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. MD5 and SHA-1 are emphatically poor choices for storing passwords.
But you guys used "SALTED MD5", so I spent another click. You know, the internet is full of how MD5 can be brute forced and such. BUT YOU GUYS USED A SALTED MD5 HASH! That must be more secure than MD5, right? You guys wouldn't just plainly use insecure cryptography. There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter.
VoidRuler wrote:I'm pretty sure someone's already said this on the last thread about this but there really should be a large warning at the top of the login screen for the game itself, if there isn't one already, for the people who don't check their email a lot.
bkyblyat wrote:James, that is completely false. GDPR applies to any business that stores EU citizen data, no matter where the business is residing.
TheRetroPionner wrote:Is anybody else having problems? My forum password changed, but my in-game password is the same
hope64 wrote:4DEATH wrote:But you guys used "SALTED MD5", so I spent another click. You know, the internet is full of how MD5 can be brute forced and such. BUT YOU GUYS USED A SALTED MD5 HASH! That must be more secure than MD5, right? You guys wouldn't just plainly use insecure cryptography. There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter.
This might be the stupidest thing I’ve ever read, and the fact that you coincidentally cut off the rest of what your source said leads me to believe you said it out of malice rather than ignorance.
For anyone genuinely concerned, what I'm sure the devs mean when they say they salted your passwords is that they add a random string of characters somewhere in your password every time it's entered and then hash that modified version.
For example, "password" might turn into "pass7$&@-word" and then be hashed. You can find MD5's algorithm online and enter that into it to see what it turns into from there.
But this won't save you if you have a weak password, because it's always in the same spot for everyone and it's always the same random characters. So if whoever breached the data knows the token, your password will be cracked in the same amount of time as it would be if there were no salt.
And this doesn't excuse using such a mediocre hashing algorithm and failing to secure the data in the first place.
HellnoRO wrote:You still haven't addressed the hashing issue.
I assume you're gonna immediately switch to a different algorithm, like bcrypt, and not use the old and insecure MD5, right?