I do find it troubling that the perpetrator was able to break the encryption, though without knowing what kind of encryption was used on the passwords, it's hard to tell if it's worth a sigh, an eyeroll, or pitchforks and torches.
In many database systems, the encryption is only as strong as the password itself. If you have a simple password, it would not matter how good the encryption is because you could brute force it easily.
Indeed. Discovering a security breach this long after the fact is... atypical, a bit longer than normal, but not too far off the mark.
That depends on the nature of the intrusion and the method used to discover it. If traditional logging didn't detect it, and it may not, discovering that there was a compromise may be infinitely harder to confirm. Each database has its own rules and logging methods. Indeed, none of the big (or little ones) has a standard log format or alerting system. For that matter, even if a legitimate user or process connects, not all follow the ANSI99 SQL standards uniformly or consistently.
There's no evidence that the passwords were in the clear. Indeed, the link says the passwords themselves were encrypted. For this alone, we can at least thank our lucky stars that someone at Cryptic had the good sense to think of this in advance.
However, as I said in my previous post, once the data is received, a hacker can eventually decrypt the password through either brute force or using a program to sequentially guess the password. The stronger one's password is (mixed cases of lettering, numbers, optional characters, and length), the longer it takes to brute force that password. A sufficiently strong password will take a lot longer than one that can be found in a dictionary of passwords to guess.
Edit to add: Consider for a moment that the complexity of the passwords increases the time to crack them and decreases the chances that your password will be guessed immediately.
The formula goes something like this:
10 numbers
16 first row symbols that aren't numbers.
26 lower case letters
26 upper case letters
16 other symbols on a typical American 101 or 105 key keyboard.
That's 94 possible combinations per character in the password - if you use a strong password. Let's say the password is 13 characters long and is a 'strong' one in terms of mixed cases, numbers, and special characters.
94^13 = 44,736,509,592,539,817,388,662,784 possible combinations to find the password.
If you use only lower (or only upper) case passwords and numbers and stick to an 8 character password:
(10+26) ^ 8 = 2,821,109,907,456 possible combinations.
You can see that there is roughly 15,857,769,126,365.580717887 times as many characters to go through with a strong password. It's always better to have a strong password.
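The keyspace arithmetic in the post above, as an added example that is not part of the original thread: it generalizes the 94^13 versus 36^8 calculation by deriving the alphabet size from the character classes a given password actually uses, and adds the post's dictionary caveat with a constructed five-entry wordlist standing in for a real cracking list. The password strings and the one-billion-guesses-per-second rate are constructed for illustration.

```python
import math
import string

# Character classes as the post counts them: 10 digits, 26 lower-case,
# 26 upper-case and 32 keyboard symbols (the post's 16 number-row symbols
# plus 16 others), for a 94-character alphabet.
CLASSES = {
    "digits": string.digits,           # 10
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "symbols": string.punctuation,     # 32
}

# Constructed stand-in for a cracking wordlist (assumption: a real list has
# millions of entries, but the point below holds at any size).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "Password1!"}


def charset_size(password: str) -> int:
    """Alphabet size an attacker has to assume: the sum of the classes the
    password actually uses, plus one for each character outside those
    classes (e.g. a space) that would have to be added to the set."""
    used = [chars for chars in CLASSES.values() if any(c in chars for c in password)]
    size = sum(len(chars) for chars in used)
    extra = {c for c in password if not any(c in chars for chars in CLASSES.values())}
    return size + len(extra)


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """The same quantity on a log scale: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def keyspace_ratio(strong: str, weak: str) -> int:
    """How many times larger the strong password's keyspace is (integer part)."""
    return keyspace(strong) // keyspace(weak)


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at an assumed guess rate; the average
    case is half of this."""
    return keyspace(password) / guesses_per_second


def effective_guesses(password: str, wordlist=COMMON_PASSWORDS) -> int:
    """The post's dictionary caveat: a password that is on a wordlist falls
    within len(wordlist) guesses, however large its naive keyspace looks."""
    if password in wordlist:
        return len(wordlist)
    return keyspace(password)


if __name__ == "__main__":
    strong = "Kx7#mQ2pL9!vB"   # constructed: 13 chars, all four classes -> 94**13
    weak = "abcdefg1"          # constructed: 8 chars, lower case + digits -> 36**8
    for pw in (strong, weak, "Password1!"):
        print(f"{pw!r}: alphabet {charset_size(pw)}, keyspace {keyspace(pw):,}, "
              f"{entropy_bits(pw):.1f} bits, effective guesses {effective_guesses(pw):,}")
    print(f"ratio strong/weak: {keyspace_ratio(strong, weak):,}")
    # Assumed rate for illustration only: a billion guesses per second.
    print(f"worst case for {weak!r} at 1e9/s: {worst_case_seconds(weak, 1e9):.0f} s")
```

The point the last function makes is the one the post closes on: "Password1!" draws on all four classes and so scores a 94-character alphabet, yet it is found in a handful of guesses, so keyspace is an upper bound on strength, not a guarantee.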
I guess it's better to know now than never. I would think if anything crazy was going to happen with the information it would have happened already. The breach was like a year and a half ago.
Yet I can't help but feel unsettled by this whole event.
Why isn't this mass password reset on the main site news page? I went there to see if this was a scam and nothing! BS!
Only one of the databases was determined to be compromised. Presumably, only users who were in said database got an email about it. I didn't get one, but I reset my password anyway.
It's been nearly two years. Whatever damage could be done with that info has already been done.
And yet we can't just pretend nothing will happen, just because probabilities say one thing doesn't mean we ignore any other. As unsettling as this all is, it proves that they do care. Otherwise it would have taken less work to simply hope for the best. But they took the high road and reset the password and gave us notification.
I'm constantly surprised by the vitriol that the forums can sometimes provide. They just found out about a security risk due to the security upgrades they mentioned in the notice, and so they took action *and* gave us all notification. Meanwhile Brandon is stuck with the job of trying to rein in the storm of superfluous threads. What's done is done, what more could we ask for?
There is only one word to define it: you are incompetent.
As a result of routine security checks and upgrades, we have discovered that certain of your account information, including your password, may have been accessed by an unauthorized party.
For your security, we've reset the password on your account. You can recover your password via the "forgot password" link on the official Star Trek Online or Champions Online web sites:
If you have used your account name and password for other accounts, especially financial accounts or accounts with personal information, you should consider changing your password on other services as well.
For full details on the unauthorized access, please read the notification here.
Ok, neither password page works, just linked me to the front pages.
Like always, you guys are right on top of things. Nothing like sending out an email to the tens of thousands of people who played over the last two years and telling them to come reset passwords.
It's almost like they just wanted people to make the trip back to these websites...even if they stopped playing long ago. Sounds more like a PR trick than a security breach. Like I said before after 18+ months whatever would have been done HAS been done. It's hard to believe your security checks are so bad that they couldn't notice this breach sooner but that your security codes are so good that these people couldn't crack them before recently...
I'm having problems logging in & I didn't receive an email. Yes I checked both my Inbox & my Junk mail. Yes I checked to see if the email was spelled correctly. Go to the website & find out I will have to wait 6 hours to log on. Lovely, just lovely. It's incidents like these that keep me from being a subscriber or lifetime member.
You do have to LOG OUT of the Forums, for it to work.
This just in: a major storm that has been brewing over Los Gatos, California for the last several weeks seems to be gaining strength over the last 24 hours. The epicenter seems to be one "Cryptic Studios."
Recently, the internetz have been boiling over something called a "Fenghi" lock box--am I saying that right, Tom? Just as EP DStahl was attempting to salvage the studio's battered image, news of unauthorized access to user accounts has further exacerbated an already restive community.
Eye witnesses on the ground describe it as a ****storm the likes of which has not been seen since the early days of launch.
Will Cryptic be able to recover from its troubles? Will her increasingly fed-up users weather the storm? Only time will tell.
But one thing is certain, STO has seen better days.
I've noticed that a lot of people are under the impression that they knew all the details 17 months ago. I feel this is inaccurate considering they mentioned the more recent security upgrades that allowed them to notice the data *from* that long ago.
Protip: Log out of the forums first, then reset your password. Works fine.
And since you are still posting...
I think we found yer problem.
The links he provided bounce back to the front page. When I log out and go to request key be sent to X email on the Champions website it doesn't work. I receive no email. That's a different account name than this as I use the same display name for both but different account names...for you know...security.
So let me get this straight, Cryptic just informed us of a security breach in DECEMBER 2010!! So it takes a year and a half for them to find it out.
Congratulations Cryptic, not only have you told me that my account info was potentially vulnerable for 1.5 years, but you also caused me to lose all trust in you.
My account was created after December 2010, so I am unsure why it was disabled. In any case, this is a good reminder as to why to use strong passwords. If the passwords were encrypted, then a strong password should still be pretty safe even if it were stolen.
Not just strong passwords but continually changing them too. Anyone who had canned their password after 2010 would have been safe too.
Powerhelm, make sure to check your spam box cause there's where my reset email came to.
Don't use his links...
Sign out of this forum and then click on the STO Main Page and use the Login/Forgot Password there to reset it.
...and yes... my AOL account put the reply in the SPAM box also, so check there.
I use a different account name than my in-game handle as well. However, what was said is correct. You need to log OUT of the forums and any STO/Cryptic/PW site. Click on the link again in a browser and it works fine. I did this without being prompted simply because it's good practice to reset one's password.
Am I the only one who didn't get any e-mail regarding this? There was nothing in My spam box, or inbox... yet I was playing back in 1010, and My password was reset by Cryptic...
Comments
Many thanks
How long do I have to wait for the links to work?
Make sure to LOG OFF the Forums...
Then use the Login on the main Cryptic/STO Page.
Yesterday..
To the Haks: If you wanted my account you coulda just asked I have a free spare:p
b) It's too bad there's no way to add an additional layer of security to the login.
This is why I gave Trion the finger earlier this year.
I wouldn't mind a smartphone authentication app. That makes me feel better.
Back to you, Tom.
Great job! (Extreme Sarcasm):mad: