Originally Posted by doskir

i have been using this method for safe passwords a long time now and heres how it works:
get a piece of paper and write every letter and the numbers 0-9 on it then randomly assign each letter and nummer a different number or letter. now create a password for each site/game by using it. ie: guildwars = df5onm68z. you can put this anywhere you want because NOBODY will know what this thing does copy it a few times and store it somewhere you wont loose it perfect password aslong you dont tell anybody that has access to it what it does

Originally Posted by doskir

i have been using this method for safe passwords a long time now and heres how it works:
get a piece of paper and write every letter and the numbers 0-9 on it then randomly assign each letter and nummer a different number or letter. now create a password for each site/game by using it. ie: guildwars = df5onm68z. you can put this anywhere you want because NOBODY will know what this thing does copy it a few times and store it somewhere you wont loose it perfect password aslong you dont tell anybody that has access to it what it does

Originally Posted by Diablo™

well thanks for telling everyone.. now everyone will know my password is 1337.

Originally Posted by VGJustice

[EDIT] To Tufty: The way they steal accounts is by either guessing or finding out what your e-mail and password are. After that, they can change the password and the e-mail to whatever they want, and the account is gone.

Originally Posted by Inde

Most forums are now encrypted. For example, there is no way in vBulletin for me to obtain or hack anyone's passwords. The encryption is that good. I know that older versions of Invision you could. This would also be the reason that I have different passwords for everything. For my GW Account, forum account, emails, admin access, etc.

Originally Posted by Ctb

The fix for that is keeping the password written down somewhere in a physically secure location, but it's not always practical to buy a safe just to store a piece of paper (and then you still have to remember the combination anyway).

Originally Posted by PsychoX

you would be suprised, vBulletin stepped it up, but they were most likely using phpBB, which just uses an md5 hash of the password.

Originally Posted by Ctb

In addition, don't use wimpy passwords. The ideal password would be a totally meaningless string of characters, but the next best thing is a psuedo-word comprised of various characters.

Example: gu1ldeeg00

It sounds kind of like a real word "guildy goo", but obviously it's just gibberish.

Another alternative that I used for a while is to put all your passwords in one place and have them be actually long nonsense strings of complex text. Then, you protect that location with one very strong password and just open it up when you need to know the nonsense string for a particular account somewhere. I used to do this with an encrypted text file on Windows using AxCrypt, but AxCrypt doesn't work right on 64-bit unfortunately.

The obvious downside there is that, while you're exceptionally safe, if you forget that one password, you lose them all for good :\

Of course, on the flip side, you only have to remember one password as well.

The fix for that is keeping the password written down somewhere in a physically secure location, but it's not always practical to buy a safe just to store a piece of paper (and then you still have to remember the combination anyway).

Originally Posted by Nevin

What happened to the good ol' highschool ilove___ passwords?

Originally Posted by Cymmina

It wouldn't have mattered how they were hashing the password in the database. Sure, an ordinary md5 hash would allow someone to figure out a few common passwords, but not uncommon alpha numeric ones.

Some of the older phpBB versions would allow a malicious user to gain enough access to the database to set the forum descriptions (I know this from fixing an abandoned phpBB install). What they would do from there is set a bit of malicious JavaScript as part of the description that would intercept the information being submitted through the quick login form (appears at the bottom of the default forum style). That JS would silently send that information (the plaintext username & password) to a script owned by the malicious user on another site and then allow the user to continue logging in as though nothing abnormal was happening. The JavaScript, being a part of the site, would also be able to read "remember me" login cookies, but I'm not sure if that information would be usable by a malicious user, since it is hashed as well. Few people suspect their own trusted forums as being malicious.