2011-10-03 Path of Exile brute force attack incident report
" The problem is that some people will screw up their login and forget, then they will see that their login was attempted and it probably had high similarity to the actual... they will assume someone else did it, when in reality they did. The best security is disallowing passwords less than <10 characters in length. If you have account problems please [url="http://www.pathofexile.com/support"]Email Support[/url]
| |
Oh no! They'll panic and think someone is hacking their account and switch up their password. This is clearly a flaw in the system.
Okay, I'm done with the sarcasm. But honestly, tricking the public into good security habits can only be a good thing, so I'm going to look at that instance as a feature rather than a bug. And yeah, as annoying as forcing people to have long passwords is, it's better off in the end.

It's not a flaw. GW has it, the old D2 also had it. It's good.

PSA Time!
I highly recommend LastPass if you want to keep difficult and unique passwords for every site you go to. They have a plugin which will autofill the information when you're on the appropriate site, and when you are starting an account it will detect it and prompt you to generate a password (or you can manually do that as well). Passwords can be a ridiculous number of characters and contain special characters, numbers, etc., and the generator can be adjusted to match the requirements of the site (if it restricts or requires something in particular). The accounts are stored online, so they can be accessed anywhere you happen to log in with your master login and password. Now, being stored online, the primary concern is "well, what if they just try to attack that and get all my passwords!" Well, fortunately, besides having a very good single password to remember for the master account, there is an additional token method of authentication you can enable. Subscribers (it's like $1 a month and you can purchase years in advance) can get a physical key to act as the authenticating token. Free users can print out unique grids, and any systems not whitelisted will be required to enter various coordinates on the grid to gain access. LastPass themselves keep everything completely encrypted and are very sensitive about traffic on their own servers. They threw up an alert a few months ago simply because there was a slight anomaly for a few moments in the packets going between some internal servers. LastPass themselves cannot access the passwords, so it is important you keep your grid/master password handy because they cannot recover the account. If that doesn't sound like your thing, there are plenty of other systems that will generate and store logins and passwords for you locally; however, most do not autofill in browsers. KeePass is one of the most notable ones (but there are numerous others).
Small websites/companies are prime targets, and get by mostly on obscurity/lack of interest. After the whole Sony debacle, there should be no doubt that this is something you should be doing if you value your accounts, personal information, and online identity.

" Because this implies passwords aren't being salted and hashed. Heck, the character compare thing might be vulnerable to some fancy timing attacks, too. |
|
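The post above makes two points that are easier to see in code: a server that stores a salted hash can only ever answer "yes" or "no" to a login attempt, never "N characters of your password matched", and a character-by-character compare that stops at the first mismatch takes longer the more of the guess is right. The following is an added illustration written for this page, not code from Grinding Gear Games or from any poster; the function names, the 10-character minimum (the floor suggested earlier in the thread) and the iteration count are assumptions for the example.

```python
"""Added example: salted password storage with a constant-time check, next to the
leaky plaintext prefix compare it replaces. All names and parameters are
illustrative assumptions, not the site's actual implementation."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

MIN_PASSWORD_LENGTH = 10   # floor suggested in the thread; assumed, not site policy
PBKDF2_ITERATIONS = 200_000


def check_policy(password: str) -> None:
    """Enforce the length floor at account creation and password change."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per account means two users with the
    same password get different digests, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest for the attempt and compare in constant time.
    The only information available to the caller (or an attacker) is True/False;
    there is no way to report 'how much' of the password was right."""
    _, digest = hash_password(attempt, salt)
    return hmac.compare_digest(digest, stored_digest)


def leaky_prefix_match(stored_plaintext: str, attempt: str) -> int:
    """What a plaintext store makes possible (and what should never be done): count
    the leading characters that match. Besides handing out partial credit, the
    early exit makes run time depend on how much of the guess is correct, which
    is the timing side channel the post refers to."""
    matched = 0
    for stored_char, attempt_char in zip(stored_plaintext, attempt):
        if stored_char != attempt_char:
            break
        matched += 1
    return matched


if __name__ == "__main__":
    check_policy("correct-horse-battery")
    salt, digest = hash_password("correct-horse-battery")
    print(verify_password("correct-horse-battery", salt, digest))              # True
    print(verify_password("correct-horse-batterx", salt, digest))              # False
    print(leaky_prefix_match("correct-horse-battery", "correct-horse-batterx"))  # 20
```

The plaintext compare is shown only to make the contrast concrete: with the hashed store, an attacker who guesses wrong by one character gets exactly the same response, in the same time, as one who guesses nothing right.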
" Possibly, but informing the player that someone might be after their account and getting them to preform preventative maintenance seems to be the more intelligent option. |
|
"????? Let's say some guy on the other side of the world hacks some website and gets my email address. Heck, let's say he generates my address at random. He doesn't have a password, so he starts guessing. How exactly am I supposed to ask him to stop if the page only says that somebody got 0/100 of my password right? It'd have to tell me where he lives, maybe also give me a photo. A list of shady bars he frequents might help. But seriously, there's nothing the player can do other than choose an intelligent password, and you have them do that at account creation and password change. And tell them not to share their account etc. Somebody's always after accounts, even ones that don't exist. Why put everyone at risk just so half the players can panic every time they log in after mistyping? |
|
So, which PoE fansite was hacked to provide him with the email database?

This isn't a shame, this is great beta testing: they have added extra security measures because of it.

I doubt GGG have over 2 million unique passwords, let alone a PoE fansite.