How about everyone who got their accounts locked get:
5000 cryptic points
4 free additional character slots
2 free retcons
2 choices on becomes
2 choices on travel powers that need to be otherwise purchased.
2 choices on purchased costume sets.
A never depleting 'Don't be stupid like this again' bomb we can throw at bad guys and have 'em do embarrassing random stuff with. A variety style of bowing and scraping will do nicely. :cool:
Forget about the standard canned apologies. How about compensation?
People have had their personal information compromised and in the possession of stranger(s) who are in a position to do whatever they want with it, and for more than a year without the affected people knowing: A whole year and more during which they could have promptly acted.
Yeah some sort of compensation as PR damage control should be in order. I'm not hopeful though.
Agreed. I never received any email notifications. At all.... Needless to say I was a bit surprised when I went to play Champions only to be told I had the wrong password. Same as Star Trek Online, and the forums for both games.... While trying to get my password reset I got a nice bit of the runaround since password recovery didn't seem to do anything but load the main page on my phone. It was a bit of a hassle and I was even more upset to read that this was due to an event that happened in December of 2010.
A little dilithium/questionite compensation WOULD be a nice touch. Even DCUO gave away a bunch of cool stuff every time they screwed up. Exclusive costume pieces, emblems, stuff like that.
I'd like to know why the email linked to my account was my old one, which thankfully I was able to retrieve so that I could do a password reset, but now when I try to change it back to my current email it is saying that it is already in use by someone else.
My account doesn't seem to have been locked, though I did link my account to Perfect World a month or so ago, with new password and e-mail... I guess that means I'm all good? Or should I still change all my details?
I wonder who at Cryptic had the idea that our accounts will be compromised NOW if nobody had interest in doing that for over a year, so that a forced PW reset now would change anything :rolleyes:
Nice work guys. The only encrypted thing was the password, but the hackers may have accessed the first six and last four digits of our CC numbers? You do realise that only leaves 6 numbers which wouldn't take long to bruteforce through.
Words fail me as to how abysmally stupid you are in not encrypting that data. Someone's head should roll for this.
I think, what most people are annoyed about is that
A: Cryptic/Perfect World did not immediately notify us of this security breach.
I have a big problem with this one, because it's incredibly inaccurate to the situation.
They notified us immediately after noticing that there was a breach. The problem is different than people are assuming it is - the major issue is that nobody noticed it happened for ~16 months and they only just now caught it.
They haven't known this information for that entire period - they just now found out when they were updating their security. Entirely different problems to be upset about, here. If you're going to be upset (and honestly, you have a right to be), at least be upset about the right thing.
First you screw me outa my stormrider ctp with the new patch (I only needed one more item to make it), now you tell me that our account info got jacked two years ago and you didn't know about it till now?!?!
yeah a free pick from the q store would go a long way.
All affected accounts have been password reset. Only the legitimate owner of the email account used to register a Cryptic account will be able to reset the password. Emails to all affected users are being sent out over the coming hours, and if you do not receive one within 48 hours, your account was not affected. Cryptic treats your privacy and account security seriously, and is taking proactive steps to ensure that all accounts are secure.
I sent you a private message.
I am on a work computer that I have not logged out of since last night. I cannot access my old email account so I did not receive the notice and cannot reset my password. Can you please return it to what it was so that I can login? I logged out at home and now cannot log back in.
If you wish to speak to someone on the community team, please do not send a PM, instead, file a community support ticket here. We are no longer able to respond to PMs.
I am on a work computer that I have not logged out of since last night. I cannot access my old email account so I did not receive the notice and cannot reset my password. Can you please return it to what it was so that I can login? I logged out at home and now cannot log back in.
The links are in the very first post of this thread.
Fix your site.
Fix the links.
Fix our passwords.
Improve your customer service from none to something resembling it. Cuz finding out by not being able to get into the game without any kind of message on the login screen? SUCKS!
Do you not give a flying rip about us your paying customers? Cuz this solution of yours ain't.
This bites!
As far as I know all support is now done by PWE, so there is no longer a distinction.
Under where it says Attach Documents it says Product*, with a dropdown box underneath that says Website. Open that box and select Champions Online.
Yes that is what I was referring to. It is a blue shaded box on my screen but does not contain a dropdown list. It does not respond to mouse interface at all (rollover, click, pleading, etc.)
Unfortunately without filling that section in it will not allow me to place a ticket.
Yes that is what I was referring to. It is a blue shaded box on my screen but does not contain a dropdown list. It does not respond to mouse interface at all (rollover, click, pleading, etc.)
Unfortunately without filling that section in it will not allow me to place a ticket.
I dunno what to tell you. I tried the page in Chrome and IE, and both times clicking on "Website" opened up a drop box with a list of games.
Well this is very disheartening and upsetting. My account was locked but after visiting the forums and reading this post I was able to reset my password and get back in.
A breach of personal and financial information is shocking. I have been playing since Beta and have an LT account but my financial information was used and, I am sure, stored for the purchase of my LT account.
I must say the lack of adequate security and the lack of timely and readily available information and communication is worrying.
I am happy, however, that when the breach was identified immediate steps were taken to secure our information and accounts. Far too late to do any real good however.
Thank you for pointing out my error. As I think someone else pointed out above, I cannot submit a ticket to Cryptic because I cannot log in. I have done so for PW and hope to resolve my problem soon.
I appreciate everyone's input and recognize this is partly my fault for not updating my email, but I would also like to point out that I did not request or authorize that my password be reset at this time.
Followed all the advice, but could not get a password reset email. Kept checking my spam folder to see if it was hiding in a dank corner in there. Couldn't post in forums for further advice as couldn't log in: cue RRRRRAAAAGGEFACE!
What I had to do was log into my ISP's webmail client, as they were being spam filtered at that level, so never even making it as far as my Opera-based spam folder.
Well, you learn something new every day, but what a way to be educated.
PS I also discovered I was missing out on a bunch of ***** enlargement offers, rather presumptuous of my ISP to assume I wouldn't have need of them.
First, I'd like to say that I appreciate Cryptic letting us know that our accounts have been compromised as soon as they discovered it. That at least enables us to move to protect ourselves as quickly as possible. However, I still have some questions:
1. Was this data hacked on an Atari server or on a Cryptic server (was there any difference at that point in time)? Do I need to worry about my old Atari account or was that deleted/transferred when Cryptic was sold to PW?
2. Is there any evidence to suggest that the hackers left anything like a trojan that might have enabled them to mine data from your servers after the 2010 breach?
3. What will Cryptic do to ensure that this particular type of breach can't happen again?
4. What will Cryptic do to ensure that breaches in the future don't go unnoticed for over a year?
I would like to continue playing Cryptic games and I understand that there's always a risk inherent in having personal information stored on commercial servers (which is why I won't be naive and demand that no breach of any kind ever happen again), yet I do demand that Cryptic remedy this situation by at least providing satisfactory answers to my questions above. I don't believe that it is an unreasonable demand to expect more effective security after a breach like this is discovered. If I find that Cryptic has not done enough to safeguard my information, I will close my account and do whatever I need to do to protect my personal information (i.e. have my data erased from your servers, falsify it before I close my account, whatever).
Increased security checks and vigilant customer service revealed a pattern of account hacking that suggested an unauthorized access, which upon further investigation and analysis, apparently occurred in December 2010. As soon as this pattern became clear, Cryptic reset passwords on all affected accounts.
Cryptic is vigilant at protecting your account security and privacy. We have no data to suggest that the unauthorized access continued beyond December 2010, and increased security protections had already been instituted after that time. To protect your account information, we encourage you to be especially aware of e-mail and postal mail scams that ask for personal or sensitive information. Cryptic will not contact you in any way, including by e-mail, asking for your credit card number, social security number, or any other personally identifiable information. We recommend that you use very secure passwords at all times, and not share your account information with anyone.
I am on a work computer that I have not logged out of since last night. I cannot access my old email account so I did not receive the notice and cannot reset my password. Can you please return it to what it was so that I can login? I logged out at home and now cannot log back in.
For your security, we've reset the password on your account. You can recover your password via the forgot password link on the official Star Trek Online or Champions Online web sites:
Email notifications are being sent out, but if your account was potentially affected, please reset your password via the links above to continue to enjoy uninterrupted access to your accounts.
Please note: You will need to be logged out of the website in order to use those links.
Nice work guys. The only encrypted thing was the password, but the hackers may have accessed the first six and last four digits of our CC numbers? You do realise that only leaves 6 numbers which wouldn't take long to bruteforce through.
Words fail me as to how abysmally stupid you are in not encrypting that data. Someone's head should roll for this.
We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user. It is possible that the intruder was able to access additional account information, but we have no evidence of this. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed.
Increased security checks and vigilant customer service revealed a pattern of account hacking that suggested an unauthorized access, which upon further investigation and analysis, apparently occurred in December 2010. As soon as this pattern became clear, Cryptic reset passwords on all affected accounts.
Cryptic is vigilant at protecting your account security and privacy. We have no data to suggest that the unauthorized access continued beyond December 2010, and increased security protections had already been instituted after that time. To protect your account information, we encourage you to be especially aware of e-mail and postal mail scams that ask for personal or sensitive information. Cryptic will not contact you in any way, including by e-mail, asking for your credit card number, social security number, or any other personally identifiable information. We recommend that you use very secure passwords at all times, and not share your account information with anyone.
Thank you for your reply and the additional information, StormShade. I'm glad to know that security has been upgraded since then and that it was only a 'smash and grab' attack.
So you want me to ask the same questions here instead of elsewhere? Fine. I can copy and paste my post:
If you had your site hacked and data stolen, then I think you owe it to tell us exactly what got stolen. To some degree, Cryptic doesn't know exactly what the hacker got. But they can know that the hacker didn't steal data that wasn't there to steal.
More specifically, I have three questions:
1) Were the passwords merely encrypted, or were they hashed?
The official announcement talks about "encrypted passwords", but I'm hoping that's merely a colloquial way to put it. Because if it really means that Cryptic only encrypted passwords and didn't hash them, then whoever made that decision ought to be fired for incompetence.
The trouble with encrypting things is that they can be decrypted. If the hacker stole the key as well as the encrypted information, then he's got all of the passwords in the clear. There's no excuse to make it that easy. Cryptic doesn't need to know our passwords. They only need to be able to determine whether we know them.
2) If the passwords were hashed and not merely encrypted, then did you salt it to protect against rainbow table attacks?
This is perhaps less important than hashing the passwords in the first place, as it really only provides extra protection to players who chose moderately weak passwords. But there's still no excuse not to.
3) Was all data other than passwords stored in the clear?
The announcement makes it sound like the passwords were the only thing that was encrypted. I suppose you can't really hash anything else, as Cryptic needs to know other data, not merely verify that the user knows his own password.
I posted this in a new thread in a different forum, and StormShade locked the thread without answering the questions. If this is the right place to ask, that's fine with me. But I want answers. It's likely that forum moderators don't know the answers to the questions above. But whoever is in charge of security surely does, and should answer them.
StormShade has been copying and pasting from the official announcement. And honestly, I don't blame him. You can only post what you know. But my point is that there are major, important details that the official announcement doesn't mention. If forum moderators don't know if the passwords were hashed and salted or merely encrypted, then you should ask someone who does and get back to us.
There is an enormous difference between "some hacker has a properly hashed and salted version of a pretty strong password" (not much risk to me unless the hacker has a vendetta against me in particular) and "the hacker might have a list of clear text passwords if he found the decryption key" (which is a much bigger problem, and at minimum, I should never use the same password again).
From the other thread:
It does not make sense that this would be possible if the passwords were properly stored as salted hashes. Or if they were then the hashing algorithm would have to be flawed, which is just as bad.
When you salt passwords before hashing them, you have to salt them in exactly the same way every single time. Otherwise the hash won't match when a user enters his password later. For example, instead of just hashing the password by itself, you concatenate it with the username and then hash that.
Even if passwords are salted and hashed, if the hacker knows how they are salted, then he can try a brute force attack and see if it works. For example, guess a thousand common passwords, salt and hash them all, and see if any of them match the hash that he stole from Cryptic. If any of them do, then he now has that user's password. There isn't that much that Cryptic can do to defend against people picking stupid passwords.
The point of salting passwords is to defend against a rainbow table attack. The idea of a rainbow table attack is that you take a billion or so guesses of what you think the most common passwords will be (e.g., real words in a bunch of languages, with a 1- or 2-digit number on the end of English words, words with substitutions like 0 for o, short passwords, etc.) and hash them all. You sort the hashes to make it easy to tell whether a particular hash result is in your list.
After that, if the passwords are hashed but not salted, you pick a user's hashed password and see if the hash is on your list. If it is, then you know his password. If not, then you skip it and go on to the next hashed password. This effectively lets you guess one password and see if anyone in the entire database used that password all at once.
If the passwords are salted, then even if two different people used the same password, they'll be salted differently, and so they'll have different hashes. Thus, the relevant table of hashes would be different for every user. If you have a million hashed and salted passwords, rather than computing the hashes of all of your guesses just once, you have to do it separately for every single user.
If there are a million registered accounts, then that means it's a million times as much work to be as effective as before in stealing passwords. That might be the difference between letting your computer run for a day and not having it finish in your lifetime. Instead of taking a billion cracks at guessing each user's password, the hacker only gets a thousand or so. If your password is on this list (or some other comparable list; I just happened to find this with a quick Google search), you're still dead:
But if you've chosen a modestly secure password that would take the hacker a few million guesses, you're again dead if the passwords are merely encrypted or hashed. But if it takes the hacker guessing your password in particular, then he'll give up before he gets it and move on to the next one.
If you've chosen a strong enough password that the hacker wouldn't get within a trillion guesses, then you're safe against even rainbow table attacks, even if the passwords were hashed but not salted. The trouble with such passwords is that they're hard to come up with and remember. If you have to write your password down, then there's a security risk that someone will find it. And if the hacker gets a plain text list of passwords (or finds the decryption key to passwords that were encrypted but not hashed), then no amount of password cleverness can save you. Furthermore, even your previously strong password will be added to the hacker's list of passwords to check sooner for future hacking attempts.
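The difference the poster above is describing (one precomputed table of guesses served against every unsalted hash at once, versus per-user salts that make every stored digest unique) can be shown in a few lines. The following is an added example written for this thread; it is not code from the original posts or from Cryptic. The users, passwords and "common password" guess list are constructed sample data, and the salted variant uses a random per-user salt with PBKDF2-HMAC-SHA256 rather than the username-as-salt scheme the poster gives as an illustration, which is the usual way a login system stores passwords today.

```python
import hashlib
import hmac
import os

# Constructed sample data: three users, two of whom chose the same weak password.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for the "billion or so guesses" of the post.
COMMON_GUESSES = ["123456", "password", "password1", "qwerty", "letmein"]

PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> bytes:
    """Hash the password by itself. Every user with the same password ends up
    with the same digest, so one precomputed table covers the whole database."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def store_unsalted(users: dict) -> dict:
    """Password table as the post's 'hashed but not salted' case."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash. The salt is stored next to the digest;
    it is not a secret, it only makes each user's digest unique."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def store_salted(users: dict) -> dict:
    """Password table with a fresh random salt per user: name -> (salt, digest)."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, salted_hash(pw, salt))
    return records


def verify_salted(records: dict, name: str, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time.
    The server never needs to know the password, only whether the user does."""
    if name not in records:
        return False
    salt, digest = records[name]
    return hmac.compare_digest(salted_hash(candidate, salt), digest)


def precomputed_table(guesses) -> dict:
    """The post's table: hash every guess once, indexed by digest for lookup."""
    return {unsalted_hash(g): g for g in guesses}


def table_hits_unsalted(stored: dict, table: dict) -> dict:
    """Against unsalted digests, one lookup per user finds every account whose
    password is on the guess list; the work was done once, up front."""
    return {name: table[d] for name, d in stored.items() if d in table}


def table_hits_salted(records: dict, table: dict) -> dict:
    """The same table against salted records: the digests never line up, so
    the precomputation buys nothing and the guessing has to be redone per user."""
    return {name: table[d] for name, (_salt, d) in records.items() if d in table}


if __name__ == "__main__":
    table = precomputed_table(COMMON_GUESSES)
    print("unsalted hits:", table_hits_unsalted(store_unsalted(SAMPLE_USERS), table))
    salted = store_salted(SAMPLE_USERS)
    print("salted hits:  ", table_hits_salted(salted, table))
    print("alice logs in:", verify_salted(salted, "alice", "password1"))
```

Running the script shows both of alice's and bob's accounts recovered from the unsalted table in one pass, no hits at all against the salted records, and a normal login still succeeding through `verify_salted`. Note that the salt does nothing for a user whose password is on the guess list once the attacker is willing to spend the per-user work; that is the poster's point that a weak password is still weak, which is why the slow hash (the iteration count) matters as much as the salt.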
I reset and changed my password though I didn't have any issues before, except maybe logging in sometimes. It worked well for 2 days; now it's not working well at all!!
Invalide username or password.
Why the hell can't I authenticate in the launcher!!!? Yesterday it worked well, I didn't make any changes at all and now... that!? I just changed my password again (fortunately I'm able to log in to the site) but it doesn't let me launch the game.
Holy cow. Really, it took them nearly two years to discover they had a security breach; it's pretty damn disappointing. This is the second time I've had an account with an online company exposed; the first was Sony. Man, I feel gutted that these people will try anything to get you to join them, then they can't even protect the information that you provide them with. I know they claim to have no evidence of any other details being taken, but list possible things, including credit card details, that could have been compromised. It's F'ed up; at least with Sony I had no credit card details on file, this just takes the ****. It's all good they have no evidence of the extra information being taken, but maybe we have to wait another two years before they say actually, we have evidence that they took your credit card details. Now I need to go over my bank statements for the last two years to see if any unauthorised access has taken place. At least my bank has security measures that could defend me against this monumental F' up. I feel like I should leave the game, and ask that they delete my details from their system, but it's already too late. I just don't think I'll be paying them anymore; actually, I will ask for my details to be erased, never know when their database will be hacked again. DAMMIT I'M ANGRY!!!
Holy cow. Really, it took them nearly two years to discover they had a security breach, ...
Yes, if you read StormShade's post up at 85 you'll note that it happened in Dec 2010 and didn't continue beyond Dec 2010.
Basically it appears Perfect World and/or Cryptic is doing a security audit of their old access logs and in doing that they caught a pattern of access that indicated the breach had occurred. From this I gather they have new security audit software and wanted to test it, so fed it the old records and surprisingly it found something.
Comments
So the Cyborg Costume would be nice reward also. Like all that cyberpunk, net cowboy stuff and all...
-_-
I got the e-mail yes, but it was on an account that hasn't been used for champions in over a month.
FYI: GMAIL FLAGS PASSWORD RESET EMAIL AS SPAM.
Stormshade's sig says:
The links are in the very first post of this thread.
Yours may not have, but mine did. I am just warning people if they don't see the email to check their junk/spam folder on their gmail account.
Concurrence from a former STO paying customer.
:rolleyes:
You file a support ticket and then go thru all the other games you play and make sure your email address is up-to-date.
Depending on the age and service you may be able to recreate your old email address. Worth a shot if you don't want to wait for support.
How do you file a ticket if you can't log in though?
Use the support links on the main page. You don't need to be logged in to file a ticket. Just make sure you give them all the info they'll need.
EDIT: here's the link https://support.perfectworld.com/app/ask_login/iss/log
I tried that link before and it would not let me proceed until I picked a product, but it gave no options for selection.
Also I am trying to recover a Cryptic account not a Perfect World one.
Is there an alternate option?
Not cool.
My password was reset so I assume (from SS's post) that means I was affected... and had to find out from another company.
VERY not cool.
I don't blame Cryptic for being hacked..it happens.
It is unfortunate that Cryptic's security/review systems are insufficient to detect breaches in a timely manner. But again, it happens.
But...
This statement describes an impossibility. You cannot be proactive about something after it has occurred.
I dunno what to tell you. I tried the page in Chrome and IE, and both times clicking on "Website" opened up a drop box with a list of games.
If you still can't get it to work write up an email and send it to customerservice@perfectworld.com
I don't mean to be a problem child, but I appreciate your assistance. I will try sending an email to them and see what kind of response I'll get.
Thank you again
No problem. Good luck!
Sigh~
For your security, we've reset the password on your account. You can recover your password via the forgot password link on the official Star Trek Online or Champions Online web sites:
www.startrekonline.com/user/password
www.champions-online.com/user/password
Email notifications are being sent out, but if your account was potentially affected, please reset your password via the links above to continue to enjoy uninterrupted access to your accounts.
Please note: You will need to be logged out of the website in order to use those links.
Thanks,
Stormshade
After that, if the passwords are hashed but not salted, you pick a user's hashed password and see if the hash is on your list. If it is, then you know his password. If not, then you skip it and go on to the next hashed password. This effectively lets you guess one password and see if anyone in the entire database used that password all at once.
If the passwords are salted, then even if two different people used the same password, they'll be salted differently, and so they'll have different hashes. Thus, the relevant table of hashes would be different for every user. If you have a million hashed and salted passwords, rather than computing the hashes of all of your guesses just once, you have to do it separately for every single user.
If there are a million registered accounts, then that means it's a million times as much work to be as effective as before in stealing passwords. That might be the difference between letting your computer run for a day and not having it finish in your lifetime. Instead of taking a billion cracks at guessing each user's password, the hacker only gets a thousand or so. If your password is on this list (or some other comparable list; I just happened to find this with a quick Google search), you're still dead:
http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
But if you've chosen a modestly secure password that would take the hacker a few million guesses, you're again dead if the passwords are merely encrypted or hashed. But if it takes the hacker guessing your password in particular, then he'll give up before he gets it and move on to the next one.
If you've chosen a strong enough password that the hacker wouldn't get within a trillion guesses, then you're safe against even rainbow table attacks, even if the passwords were hashed but not salted. The trouble with such passwords is that they're hard to come up with and remember. If you have to write your password down, then there's a security risk that someone will find it. And if the hacker gets a plain text list of passwords (or finds the decryption key to passwords that were encrypted but not hashed), then no amount of password cleverness can save you. Furthermore, even your previously strong password will be added to the hacker's list of passwords to check sooner for future hacking attempts.
You were talking about bacon, right?
Holy cow. Eighteen MONTHS? For REAL?
And they probably haven't even identified the person(s)/entity who did hack the system. :rolleyes:
Some form of compensation really is in order. If they only had a braaaaaiiinnnnssssss.
I know I usually don't get frothy at the mouth, but jiminy crickets on a pogo stick. If any situation calls for a bit of frothiness, this does.
Why keep posting a link that doesn't work? (www.champions-online.com/user/password)
We all know you have to use the STO link to reset our passwords as the CO one takes us to a different page.
Why not either:
You must have missed this part:
Want to go for a hat trick?
Dunno, works for me just fine. What page is it bringing you to?
Why the hell can't I authenticate in the launcher!!!? Yesterday it worked well, I didn't make any changes at all and now... that!? I just changed my password again (fortunately I'm able to log in to the site) but it still doesn't let me launch the game.
It's seriously annoying me!
Yes, if you read StormShade's post up at 85 you'll note that it happened in Dec 2010 and didn't continue beyond Dec 2010.
Basically it appears Perfect World and/or Cryptic is doing a security audit of their old access logs and in doing that they caught a pattern of access that indicated the breach had occurred. From this I gather they have new security audit software and wanted to test it, so they fed it the old records and, surprisingly, it found something.