Guild Wars Forums - GW Guru
 
 

Old Mar 11, 2008, 06:28 AM // 06:28   #41
Lion's Arch Merchant
 
Join Date: Feb 2007
Default

Quote:
Originally Posted by Ekelon
This is pretty epic fail.

Do you realize how many valid password combinations there are? Obviously, if you have a generic password like "123" or "cheese", then of course you'll get hacked. But let's say you use 8 letters in your password and use alpha-numeric lettering... then that's 8 to the power of (36), there being 36 people combinations. Yup, that comes up to roughly 3.25 times ten to the 32nd. Ouch.

So yes, you can brute-force an account with an easy password (one that might take under a decent amount of tries), but that would be your own fault for such an easy password.
It's actually more than that. Passwords are case sensitive, and what's more GuildWars allows symbols (like periods and dashes). So you get the following total possible values for each character of the password for GW:
26 (all lowercase letters)
26 (all uppercase letters)
10 (all numerics, 0-9)
32 (all symbols on a standard keyboard)
--
94 (total possible values for any given character)

A password that is 8 characters and uses at least one of each of these 4 categories (assuming that's all we know about it) will have about 6e15 possible passwords. This improves by about 1e14 if you have to check all 7 character passwords first (don't know the length), but drops dramatically if you can eliminate one or more of the categories (for example, alpha-numeric passwords only have 2e14 possible 7 or 8 character passwords).

Unfortunately, your math was wrong earlier. It's 94^8, rather than 8^94, so I lied at the beginning when I said it's actually more.
MoriaOrc is offline   Reply With Quote
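
The counts discussed in post #41, worked through as an added example (not part of the original post). It uses the four character classes listed there and goes one step further by counting, with inclusion-exclusion, the passwords that contain at least one character from every class; the function names are chosen here for illustration.

```python
from itertools import combinations

# Character classes as listed in post #41.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace(alphabet_size, length):
    """Number of strings of exactly `length` over an alphabet of that size."""
    return alphabet_size ** length


def keyspace_range(alphabet_size, min_len, max_len):
    """Number of strings whose length is anywhere in [min_len, max_len]."""
    return sum(keyspace(alphabet_size, n) for n in range(min_len, max_len + 1))


def keyspace_all_classes(classes, length):
    """Strings of `length` that contain at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on.
    """
    sizes = list(classes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


if __name__ == "__main__":
    full = sum(CLASSES.values())                       # 94 symbols
    alnum = full - CLASSES["symbol"]                   # 62 symbols
    print(f"94^8, any mix of classes:       {keyspace(full, 8):.2e}")
    print(f"94^7 + 94^8, length unknown:    {keyspace_range(full, 7, 8):.2e}")
    print(f"62^7 + 62^8, alphanumeric only: {keyspace_range(alnum, 7, 8):.2e}")
    print(f"8 chars, all four classes used: {keyspace_all_classes(CLASSES, 8):.2e}")
```

Requiring every class to appear removes candidates rather than adding them, so the last figure is smaller than the plain 94^8 total.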
Old Mar 11, 2008, 08:31 AM // 08:31   #42
Desert Nomad
 
Shanaeri Rynale's Avatar
 
Join Date: Aug 2005
Guild: DVDF(Forums)
Profession: Me/N
Default

This has been an issue for years now, with zero sign of improvement. Tbh it's pretty shameful it's not been resolved since it requires such simple changes.
  • Cannot change Username (as mentioned above).
  • You might be able to use symbols for your GW password, but you can't if you link it to PLAYNC.
  • The max password length is limited to 13 chars, which is too low. 15 should be minimum
  • No wrong password lockout
  • Use of email as a user ID

These are BASIC security measures.

Other features people have been crying out for would be very simple to put in, and yet save people so much frustration and headache if they are hacked.
Things like
  • Being able to lock a character to prevent deletion
  • Marking some items in game as undroppable/untrashable/untradeable.

Computer security is TWO sided. We might have all the anti virus, firewalls, right behaviour all we want, but if the server side security is weak then it does us no good at all.

I realise the PlayNC side is NCSoft and not Anet, but it should not take two years for such a basic system to be put into place. It's almost bordering on the negligent to have such things outstanding for so long.

As the game gets older and people's time investment in their chars gets more and more, this issue becomes ever more serious for them.

Come on Anet/NCSoft, Sort it..

Last edited by Shanaeri Rynale; Mar 11, 2008 at 08:38 AM // 08:38..
Shanaeri Rynale is offline   Reply With Quote
Old Mar 11, 2008, 08:35 AM // 08:35   #43
Forge Runner
 
Iuris's Avatar
 
Join Date: Nov 2006
Guild: Crazy ducks from the Forest
Profession: W/
Default

Um, a 5 letter password using 25 possible characters means:
25*25*25*25*25 combinations, or: 9765625.

So, 50% chance at 5 million attempts.

Brute forcing like that would be noticed, simply because it would severely burden the server.

Now, 10 letters, 25 characters (guaranteed on all keyboards, so lacking čšž and similar ones) in lower and upper case (GW does distinguish case with passwords) + 10 letters, means:
604661760000000000 combinations.

Not a real thing to crack.

What one must avoid is using meaningful combinations. A brute force attacker will be smart enough not to start with 0000000000 and end with zzzzzzzzzz, but rather with 01010001 and working to 31122008, just to check for any people using birthdays. After all, checking the 365 birthday possibilities, "just in case", is a valuable time saver.

Also, note one thing:
If you limit "X failed attempts mean an Y hour lockout", this means that the brute force attacker won't be able to get your password before the sun burns out - but your account will be useless, as you won't be able to enter your own password
Iuris is offline   Reply With Quote
Old Mar 11, 2008, 09:45 AM // 09:45   #44
Forge Runner
 
FrAnt1c²'s Avatar
 
Join Date: Jan 2007
Location: Belgium
Guild: Legion Of Sacred Light [LSL]
Profession: Mo/
Default

*Goes changing his password to something more complicated*
FrAnt1c² is offline   Reply With Quote
Old Mar 11, 2008, 10:17 AM // 10:17   #45
Forge Runner
 
Rushin Roulette's Avatar
 
Join Date: Sep 2007
Location: Right here
Guild: Ende
Default

Making a secure Password shouldn't be too hard for people to remember.
Start off with a simple phrase like;

I am a Guild Wars PvP immortal god

Take the first letters from every word (makes the password slightly more secure)

IaaGWPvPig (lol at Player v Pig here )

change a few letters to 1337speek

[email protected]\/Pi9

you have a pretty good length 9 password with smallcaps, largecaps, numbers and symbols.

Note: this isn't anything similar to my PW and was just meant as an example.

Remember, the longer a Password is the harder it is to crack.
Rushin Roulette is offline   Reply With Quote
Old Mar 11, 2008, 11:29 AM // 11:29   #46
Lion's Arch Merchant
 
Join Date: May 2007
Default

Quote:
Originally Posted by Shanaeri Rynale
Other features people have been crying out for would be very simple to put in, and yet save people so much frustration and headache if they are hacked.
Things like
  • Being able to lock a character to prevent deletion
  • Marking some items in game as undroppable/untrashable/untradeable.

[...]
As the game gets older and people's time investment in their chars gets more and more, this issue becomes ever more serious for them.

Come on Anet/NCSoft, Sort it..
There's a suggestion about this issue in Sardelac:
http://www.guildwarsguru.com/forum/s...php?t=10248665

Gaile Gray answered the thread, and the only point so far is that if we are willing to pay for such protection they might think to implement it.
Mangione is offline   Reply With Quote
Old Mar 11, 2008, 11:34 AM // 11:34   #47
Ascalonian Squire
 
azzer20's Avatar
 
Join Date: Oct 2006
Location: In Ballerup, Denmark
Profession: Me/
Default

if you have 6+ letters or numbers it takes a password finder 30 years to find your password, i say it's pretty safe
azzer20 is offline   Reply With Quote
Old Mar 11, 2008, 11:47 AM // 11:47   #48
Major-General Awesome
 
fenix's Avatar
 
Join Date: Aug 2005
Location: Aussie Trolling Crew HQ - Event Organiser and IRC Tiger
Guild: Ex Talionis [Law], Trinity of the Ascended [ToA]
Profession: W/
Default

No no no, you guys have it slightly wrong. You don't brute force the GW account, you brute force the Play NC account. If you get that, you can change anything you want. Also, the Play NC account has almost NO security...so yeah, gg NC Soft.
fenix is offline   Reply With Quote
Old Mar 11, 2008, 12:54 PM // 12:54   #49
Desert Nomad
 
Shanaeri Rynale's Avatar
 
Join Date: Aug 2005
Guild: DVDF(Forums)
Profession: Me/N
Default

Yup, the main issue is with and at PlayNC. Alas the only thing we can do is keep on at Anet to put pressure on NCSoft. As mentioned before these issues have been outstanding for 2 years or more and have not been resolved.

How hard is it on the plaync side to change the password checker to allow more characters or remove the code that refuses symbols in a password? Not something that takes a year to code that's for sure.

I also note on the plaync there's this announcement. http://eu.plaync.com/eu/about/pressr...sana_security/

Anyone know what this is about?

If it's just another anti spyware program it's kinda meh. I would rather see the issues outlined above addressed as well as the anti malware stuff.

All the talk about permutations etc is kinda moot. Password hacks don't happen by systems starting at A and ending up at ZZZZZZZZZZZZ, they use intelligence in guessing, social factors and all sorts of tricks.

And yes I'd willingly pay something in the online store that protected my characters from deletion/trashing.
Shanaeri Rynale is offline   Reply With Quote
Old Mar 11, 2008, 01:17 PM // 13:17   #50
Grotto Attendant
 
Numa Pompilius's Avatar
 
Join Date: May 2005
Location: At an Insit.. Intis... a house.
Guild: Live Forever Or Die Trying [GLHF]
Profession: W/Me
Default

Quote:
Originally Posted by Shanaeri Rynale
I also note on the plaync there's this announcement. http://eu.plaync.com/eu/about/pressr...sana_security/

Anyone know what this is about?
Sounds like a heuristic anti-virus suite to me, it's hard to see how it could do anything against keyloggers or even brute force password cracks. Also I've come to think of heuristic anti-virus software as "I like false positives" software. I don't know if anyone's ever detected an actual new threat with heuristic software, but everyone gets false positives.

Quote:
All the talk about permutations etc is kinda moot. Password hacks don't happen by systems starting at A and ending up at ZZZZZZZZZZZZ, they use intelligence in guessing, social factors and all sorts of tricks.
I'm guessing pretty much all account hacks are done through social engineering (phishing mails, or by setting up sites where users have to register and then trying the same user emails & passwords at NCSoft), or by keyloggers. I doubt brute forcing is much of an issue.
Numa Pompilius is offline   Reply With Quote
Old Mar 11, 2008, 01:34 PM // 13:34   #51
Ctb
Desert Nomad
 
Join Date: Apr 2006
Profession: W/
Default

Quote:
And if you want to be safe, buy yourself a French keyboard, that way he won't be able to reproduce the accent (well it will take him a lot more time if you can input accents).
First off, you don't need a special keyboard to type those characters, it just makes it easier to do so. Secondly, if YOU can input the character, so can a dictionary attack tool. Finally, building and using a dictionary of French words (or any other language on Earth) is just as trivial as building and using a dictionary of English words.

Quote:
15 should be minimum
Fifteen characters is the old Windows LANMAN limit and those passwords are trivially defeated these days. It's still a common problem in XP and 200x, in fact, since the stupid OSes store a LANMAN hash of your password for compatibility, by default, if the password is short enough to be valid for LANMAN.

Anyway, my password is a "not a word". It sounds like a real word when you speak it, and it contains the elements of real words, but it's not a real word and it contains the usual mix of letters, numbers, and punctuation characters. As a result, my password "word" will very probably not be in any dictionary, and it still has a few of the "tricks" to try and keep it safe even if it is. I expect, however, that as attack tools get more sophisticated and computers more powerful this trick may not work as effectively in the future.

Regarding the risk of brute forcing, brute forcing is not a significant threat at all so far as the process of tossing passwords at the GW login prompt goes. That would be trivially detected and stopped. The real risk is that people do stupid things with their login credentials like use them on forums:

1. Attacker finds a vuln in the GuildWarsguru.com/forum software

2. Attacker exploits the flaw and gains access to either the database prompt or the actual storage files on disk

3. Attacker loads all that data to his own machine

4. Since logins and emails are typically not stored encrypted, attacker now has a ton of potential logins for people on Guild Wars

5. Attacker also knows that it's common for people to reuse passwords and email addresses, so he breaks the vulnerable encrypted passwords in the forum database

6. Attacker then takes those stolen credentials and tests each one in the Guild Wars client, likely getting at least a few accounts

Note that the risk of a brute force exists because the attacker actually stole a file and was able to pound at it on his own systems where he didn't have to worry about detection.

Quote:
Sounds like a heuristic anti-virus suite to me, it's hard to see how it could do anything against keyloggers or even brute force password cracks. Also I've come to think of heuristic anti-virus software as "I like false positives" software. I don't know if anyone's ever detected an actual new threat with heuristic software, but everyone gets false positives.
Sounds to me like they might be looking to embed heuristic software into the client to detect illegal access of the program's memory space. That would detect anything interacting with the gw.exe client or its loaded DLLs that doesn't have an "approved" footprint. Blizzard has a similar program for WoW that, as of its last major revision, is horribly obtrusive and, frankly, raises serious security concerns of its own, imho.

Generally, however, that sort of thing is used to detect and stop botters, not protect players...

/ my speculation, let me show you it

Last edited by Ctb; Mar 11, 2008 at 01:41 PM // 13:41..
Ctb is offline   Reply With Quote
Old Mar 11, 2008, 01:44 PM // 13:44   #52
Krytan Explorer
 
Join Date: Mar 2006
Guild: EOA
Profession: P/W
Default

Brute force is totally not feasible, a real brute force will take thousands of attempts, a modified dictionary hundreds.

I've brute forced a .zip file I'd lost the 7 letter password to. It took a hours and this wasn't even across the net!

The guy who said brute force can't be stopped is plain wrong. I.P bans, locking the account, forcing a captcha after a certain amount of failed attempts, would all stop one.
FeroxC is offline   Reply With Quote
Old Mar 11, 2008, 01:45 PM // 13:45   #53
EXCESSIVE FLUTTERCUSSING
 
Kattar's Avatar
 
Join Date: Mar 2007
Guild: SMS (lolgw2placeholder)
Profession: Me/
Default

Quote:
Originally Posted by FeroxC
Brute force is totally not feasible, a real brute force will take thousands of attempts, a modified dictionary hundreds.

I've brute forced a .zip file I'd lost the 7 letter password to. It took a hours and this wasn't even across the net!

The guy who said brute force can't be stopped is plain wrong. I.P bans, locking the account, forcing a captcha after a certain amount of failed attempts, would all stop one.
Herd of Zombie army netz?

Apparently not.
Kattar is offline   Reply With Quote
Old Mar 11, 2008, 01:47 PM // 13:47   #54
Krytan Explorer
 
Join Date: Mar 2006
Guild: EOA
Profession: P/W
Default

I think you mean botnets.
CAPTCHA, account freezing. Read please.
FeroxC is offline   Reply With Quote
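
The trade-off raised in posts #43 and #52 (a hard lockout stops guessing but also lets anyone lock the owner out), sketched as an added example that is not part of the thread and not NCsoft's or ArenaNet's code. It assumes a hypothetical `LoginThrottle` class: failures are delayed per (account, source) pair, and an account that collects many failures from any mix of sources is stepped up to a CAPTCHA instead of being locked. The addresses are documentation ranges and the scenario is constructed.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Slow down guessing without letting an attacker lock the owner out."""

    def __init__(self, base_delay=1.0, max_delay=900.0, account_limit=20, window=3600.0):
        self.base_delay = base_delay        # seconds of back-off after the first failure
        self.max_delay = max_delay          # cap on the per-source back-off
        self.account_limit = account_limit  # failures per window before CAPTCHA
        self.window = window                # length of that window in seconds
        self._pair = {}                     # (account, source) -> (failures, next_allowed)
        self._recent = defaultdict(deque)   # account -> failure times, all sources

    def check(self, account, source, now):
        """Return 'allow', 'wait' (this source is backing off) or 'captcha'."""
        _, next_allowed = self._pair.get((account, source), (0, 0.0))
        if now < next_allowed:
            return "wait"
        recent = self._recent[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        return "captcha" if len(recent) >= self.account_limit else "allow"

    def record(self, account, source, success, now):
        """Call after the password check for an attempt that was let through."""
        if success:
            self._pair.pop((account, source), None)
            return
        failures = self._pair.get((account, source), (0, 0.0))[0] + 1
        # Exponential back-off; the exponent is capped so the float never overflows.
        delay = min(self.base_delay * 2 ** min(failures - 1, 32), self.max_delay)
        self._pair[(account, source)] = (failures, now + delay)
        self._recent[account].append(now)


def simulate():
    """Constructed scenario: one noisy source, then several sources, one account."""
    throttle = LoginThrottle(account_limit=5)
    single = []
    for step in range(4):                   # the same source retries every 0.5 s
        now = step * 0.5
        decision = throttle.check("victim", "203.0.113.7", now)
        single.append(decision)
        if decision == "allow":
            throttle.record("victim", "203.0.113.7", False, now)
    # The owner logs in from a different source while the guessing is going on.
    owner_before = throttle.check("victim", "198.51.100.20", 2.0)
    for i in range(3):                      # more failures, spread over other sources
        throttle.record("victim", f"192.0.2.{i + 1}", False, 2.0 + i)
    owner_after = throttle.check("victim", "198.51.100.20", 10.0)
    return single, owner_before, owner_after


if __name__ == "__main__":
    print(simulate())
```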
Old Mar 11, 2008, 01:50 PM // 13:50   #55
Krytan Explorer
 
Surena's Avatar
 
Join Date: Mar 2007
Profession: N/Me
Default

Quote:
Originally Posted by fenix
No no no, you guys have it slightly wrong. You don't brute force the GW account, you brute force the Play NC account. If you get that, you can change anything you want. Also, the Play NC account has almost NO security...so yeah, gg NC Soft.
PlayNC blocks you for a while after a few failed login tries.
Surena is offline   Reply With Quote
Old Mar 11, 2008, 01:52 PM // 13:52   #56
Grotto Attendant
 
zwei2stein's Avatar
 
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
Default

Quote:
Originally Posted by Ctb
...

1. Attacker finds a vuln in the GuildWarsguru.com/forum software

2. Attacker exploits the flaw and gains access to either the database prompt or the actual storage files on disk

...
3. Attacker modifies log-in code to send raw password + username + email to him.

It's trivial to do and kiddies have lots of kits that do that for popular board software without any need to really know what is going on. All you need is exploitable vulnerability. And all that takes is to monitor security boards.
zwei2stein is offline   Reply With Quote
Old Mar 11, 2008, 01:54 PM // 13:54   #57
Major-General Awesome
 
fenix's Avatar
 
Join Date: Aug 2005
Location: Aussie Trolling Crew HQ - Event Organiser and IRC Tiger
Guild: Ex Talionis [Law], Trinity of the Ascended [ToA]
Profession: W/
Default

Quote:
I don't know if anyone's ever detected an actual new threat with heuristic software, but everyone gets false positives.
NOD32 does


So they added a block thing if you get it wrong? Must be only new, because I remember when Tsunami Rain got hacked through a brute force....and that wasn't too long ago.
fenix is offline   Reply With Quote
Old Mar 11, 2008, 01:59 PM // 13:59   #58
EXCESSIVE FLUTTERCUSSING
 
Kattar's Avatar
 
Join Date: Mar 2007
Guild: SMS (lolgw2placeholder)
Profession: Me/
Default

Quote:
Originally Posted by FeroxC
I think you mean botnets.
CAPTCHA, account freezing. Read please.
Well done. Musta missed that one earlier.
Kattar is offline   Reply With Quote
Old Mar 11, 2008, 02:24 PM // 14:24   #59
Ctb
Desert Nomad
 
Join Date: Apr 2006
Profession: W/
Default

Quote:
The guy who said brute force can't be stopped is plain wrong. I.P bans, locking the account, forcing a captcha after a certain amount of failed attempts, would all stop one.
Steal the list of encrypted passwords and you've defeated every one of those "protections". Very few systems are so insecure anymore that you can just hit them repeatedly with passwords and not get noticed, so dictionary attacks are mostly limited to files in the possession of the attacker (an especially dangerous risk is your own employees).

Quote:
Attacker modifies log-in code to send raw password + username + email to him.
There are plenty of other options as well, yes, but that one in particular would be dangerous.

First it requires you to have write access to the code, and one would hope that the GWG account, the webserver, and the db server are running as sufficiently unprivileged users that this would be prevented. Failing that basic security step, it would still require obviously funny looking SMTP calls that should be picked up in basic daily log monitoring. Simply stealing the DB outright could be covered up effectively for days, weeks, or even forever on a typical website security setup, and you don't have to worry about creating new footprints later.

It all depends on the sophistication of the attacker and particulars of the victim, in the end.

Last edited by Ctb; Mar 11, 2008 at 02:26 PM // 14:26..
Ctb is offline   Reply With Quote
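
Posts #51 and #59 turn on what a stolen password table is worth to whoever holds it. The following added example (not from the thread and not the forum software's code) shows the server-side counterpart: a fast unsalted digest beside a per-user salted PBKDF2 record. The record layout, function names and iteration count are assumptions made for this illustration, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumption: work factor, tune to the server's hardware


def weak_record(password):
    """Fast, unsalted digest: equal passwords give equal records."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, deliberately slow record: scheme$iterations$salt$derived_key."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed or tampered record
    return hmac.compare_digest(key, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was made with a lower cost than the current policy."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse 42!"  # constructed sample password shared by two users
    print("unsalted records equal:", weak_record(pw) == weak_record(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted records equal:  ", a == b)
    print("verify right / wrong:  ", verify_password(pw, a), verify_password("guess", a))
```

With the unsalted form, one guess is checked against every row at once and reused passwords show up as identical values; with the salted form, each row has to be attacked separately at the full iteration cost.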
Old Mar 11, 2008, 04:14 PM // 16:14   #60
Wilds Pathfinder
 
lakatz's Avatar
 
Join Date: Jun 2006
Default

Quote:
Originally Posted by FeroxC
Brute force is totally not feasible, a real brute force will take thousands of attempts, a modified dictionary hundreds.

I've brute forced a .zip file I'd lost the 7 letter password to. It took a hours and this wasn't even across the net!

The guy who said brute force can't be stopped is plain wrong. I.P bans, locking the account, forcing a captcha after a certain amount of failed attempts, would all stop one.
Password recovery programs abound for applications such as Word, Excel, Zip or anything else that can be password protected by the user. If you'd started with a google search, you would have had the file open within about five minutes. These programs are legal btw.
lakatz is offline   Reply With Quote