2011-10-03 Path of Exile brute force attack incident report
Good to see changes being made!
So if I ever do get a beta invite no one will steal it away :)
Relevant xkcd:
You could try having people answer 5 questions when they sign up, and then every time they log in one of those questions is randomly chosen and they have to answer it.
I've seen this before on some very secure sites and I believe it works very, very well.
Kind of surprised the passwords were stored as plain text; that doesn't sound too smart.
Mod Edit: The passwords are NOT stored as plain text, as the next poster and the original post explain.
We take the security of your account very seriously and as such we take many precautions such as not saving your passwords in clear text in our databases
They don't, and nobody should, anywhere, ever, as it's ridiculously poor security and unacceptable. At minimum you should $salt(md5) and preferably $salt($salt(md5)$salt(md5)) or something similar. There is no excuse not to, especially when you can build a database from the ground up that handles the server load that extra iterations of salting/encrypting puts on.
My writing/adventures through Path of Exile
http://ryukaki.com
Makes me sad to see this sort of thing happen. Think I'll change my password just in case.
I really want to play PoE but seriously, I'm not THAT desperate O.O I wouldn't spend all that time just to play a closed beta of PoE.
Thanks for the heads-up on this. Damned hackers. :/
I've changed my password just in case.
Every hour of every day is worth living, so live it well.
Those are some pretty impressive numbers, as well as a quick report.