You are currently viewing an archive of the Wilderness Guardians clan's IPB1 forums.
These forums were used by WG from 2008 to 2011, and now exist for historical and archival purposes only.

Posted: December 21, 2010 08:31 am
IRC Nickname: RobbieThe1st | Group: Founder | Posts: 770 | Member No.: 2 | Joined: December 26, 2007 | Total Events Attended: 49

With the recent hacks of Gawker Media and the subsequent release of just about everything, including all usernames, emails and passwords, it has come to light just how -many- users use a poor password. As shown in the third link, over three thousand users had "123456" as their passwords! Theoretically, all these passwords were "encrypted", but a simple password is easy to crack, no matter -what- you do to it.

Now, let me quickly explain how websites store your password. Most sites, including this one, use a method known as "hashing". A hashing function is a bit of code that takes a string of characters of -any- length, does some fancy math to it, and puts out a relatively short (in the case of MD5, 32 hexadecimal characters) string. This string is -always- the same length, and the same input will -always- give the same output. Now, the important part of this is that there is -no way- to "reverse" the process, and get the original string or password back out.

What this does is give us a way to authenticate someone -without- storing the password. Let's say your password is "thisismypass". When you register for an account with that password, the hash of that is stored in the site's database (in this case, the md5 hash is "79b202fb0e7236fdc804af5c22c2de59"). When you attempt to log in with your password, the site takes that input, uses the same hashing method on it, and then compares the resulting value with what's stored in the database.

Here's a couple of examples:
1. You type "thisisMYpass": The md5 hash of this is "adca84828518cd2ff2a5f58591eb46ff". Is it the same? NO. You've typed a wrong password.
2. You type "thisismypass": The md5 hash is "79b202fb0e7236fdc804af5c22c2de59", which is the same as that above, and you are accepted.

Now, we've shown that we aren't keeping the password in the database. But, anyone with access to the database can get the hashes - I, for example, can get -anyone's- pass hash in a matter of seconds. But what can I do with that hash? If it's simple enough, I can simply run it through a cracking tool which simply -brute-forces- the password - it just generates sequential password after password, feeds it into the chosen hash function, and compares the result to the password hash we've gotten from the database.

The problem is a matter of scale: Let's say I have a 5-character numeric password. That's a maximum possible 10^5, or 100,000 combinations. My current dual-core 2.6 GHz Athlon backup PC can test 5,546,000 keys per second. That password wouldn't even last one second!

Let's say we've got a 5-letter password with uppercase, lowercase -and- numbers. That means we have 62 possible values per character (26 for each upper and lower, 10 for number), so the password could be 62^5 possible combinations. That's 916,132,832 combinations, or 165 seconds (<3 minutes) to crack (maximum).

Now, let's talk about a strong password. Let's say we have something that's ten characters long, and we've got Upper, Lower, Numbers, and symbols (!@#$%^&*(),.:;'"-_[]{}+=). That's 86^10, or 22,130,157,888,803,070,000 combinations. It could take 3,990,291,721,746 seconds to crack, or 126.5 thousand years to crack!

As you can see, the difference between a weak password and a strong password is -significant-; while a weak one could take less than a day easily, a strong one would take too long to worry about. That's the theory, at least. In practice, it may take less time, and also if there are -problems- with the hash (like md5 has), it can take significantly shorter time, even for a long password. We, for one, use md5. It was common when this forum software was built, but it's fallen out of favor these days.

Within two weeks, I intend to update the password hash method (as well as how cookies are used). This is going to mean that you will have to update your password. When you do, there will be some restrictions in place to -force- you to use a strong password - It will be at least 8 characters, and require at least one character of three of the following four: Upper, Lower, Numbers and Symbols. I may have to make you "recover" your password, so you all need to make sure your emails are current.

tl;dr: Be ready to change your password in two weeks; make sure your email is up to date.

--------------------
Old Avatar - Paypal donation link
I am left handed, and proud of it!
Retired from RuneScape.
Old forum posts: 2275(s4+s10+wg.com)+1759(z6 old account)+474(z6 new account) Total: 4508
Join date: 4/16/05 | Get Firefox 3.5 now: http://www.getfirefox.com | RobbieSwich for Firefox
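
The search-space arithmetic and the announced password rule from the post above, as an added Python example (not part of the original post or of the forum software). Function names are hypothetical; the guess rate and symbol list are the ones quoted in the post, and any character that is not an ASCII letter or digit is assumed to count as a symbol.

```python
import math
import string

POST_SYMBOLS = "!@#$%^&*(),.:;'\"-_[]{}+="  # symbol list quoted in the post (24 chars)
RATE = 5_546_000  # MD5 guesses per second the post quotes for one desktop PC
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(POST_SYMBOLS)}

def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size, length, rate=RATE):
    """Time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate

def character_classes(password):
    """Which of the four classes named in the post appear in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # assumption: anything else counts as a symbol
    return classes

def meets_policy(password):
    """Announced rule: at least 8 characters and three of the four classes."""
    return len(password) >= 8 and len(character_classes(password)) >= 3

def policy_report(password):
    """Policy verdict plus an exhaustive-search estimate over the classes used."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    if not alphabet:  # empty password: nothing to search
        return {"ok": False, "alphabet": 0, "bits": 0.0, "worst_case_years": 0.0}
    seconds = worst_case_seconds(alphabet, len(password))
    return {"ok": meets_policy(password), "alphabet": alphabet,
            "bits": round(len(password) * math.log2(alphabet), 1),
            "worst_case_years": seconds / (365.25 * 24 * 3600)}

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ["12345", "thisismypass", "Password1", "Tr4il-Mix!"]:
        print(pw, policy_report(pw))
```

The estimate assumes a randomly chosen password: `Password1` satisfies the rule but is a dictionary word with a predictable suffix, so it falls far sooner than the figure suggests.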

Posted: December 21, 2010 08:36 am
IRC Nickname: megajayson | Group: Elite Guardian | Posts: 9246 | Member No.: 423 | Joined: April 4, 2008 | Total Events Attended: 216

sounds like a great idea, good work robbie

--------------------
This is ten percent luck, twenty percent skill
Fifteen percent concentrated power of will
Five percent pleasure, fifty percent pain
And a hundred percent reason to remember the name!
7th Highest Overall for Wars Attended.

Posted: December 21, 2010 08:39 am
IRC Nickname: [JC] | Group: Emeritus | Posts: 3320 | Member No.: 23 | Joined: December 30, 2007 | Total Events Attended: 147

Probably best to put the tl;dr bit at the top, because to be frank most WG members won't care enough to read the explanation of password security.

Interesting read, though I doubt anyone cares enough about WG to really go to the effort of brute forcing anyone's pass, at least it's not a huge hassle to make sure that everyone has an up to date email address in the two weeks before you make this change. Maybe send a mass PM for those people who don't read forums as much as they should (ie. Emeritus), I'm sure there is bound to be issues there....

--------------------
Old awards wat
Most Mature & Most Honourable
Most Dedicated|IRC Freak|Best Emeritus
Placeholder lolz

Posted: December 21, 2010 08:54 am
IRC Nickname: Vephy | Group: Elite Guardian | Posts: 6186 | Member No.: 813 | Joined: June 10, 2008 | Total Events Attended: 478

I refuse!

Posted: December 21, 2010 10:03 am
IRC Nickname: Zooby | Group: Guest | Posts: 1669 | Member No.: 1464 | Joined: November 12, 2008 | Total Events Attended: 109

I was actually on 4chan as they were leaking the passwords for gawker and was reading the info about brute forcing passwords. If I change it now to say a 12 letter password, do I still have to change it in two weeks? zuh

--------------------
A Revolution without dance is a Revolution not worth having at all
Lightbulbs die my sweet, I will depart

Posted: December 21, 2010 11:20 am
IRC Nickname: Gorgemaster | Group: Elite Guardian | Posts: 9840 | Member No.: 3 | Joined: December 26, 2007 | Total Events Attended: 540

I want a password that will take 126,000 years to hack!

Posted: December 21, 2010 11:51 am
IRC Nickname: RobbieThe1st | Group: Founder | Posts: 770 | Member No.: 2 | Joined: December 26, 2007 | Total Events Attended: 49

No - You'll still have to change it (though you could change it to the same thing), because the new system isn't in place yet.

Posted: December 21, 2010 05:32 pm
IRC Nickname: Outlaw | Group: Emeritus | Posts: 558 | Member No.: 2055 | Joined: September 12, 2009 | Total Events Attended: 95

That shit is so irritating.. If someone doesn't want to use a password that is complicated, don't make them. I have passwords for forums, RS, random sites, WG forums... I think it should be left to the individual's discretion.

--------------------
Join date : June 2006
Left : March 2007
Rejoined : October 2009
Original DG Member
Completed Goals : 99 Cooking, 99 Fishing, 99 Strength, 99 Attack, 99 Constitution, 99 Defence, 99 Ranged

Posted: December 21, 2010 05:58 pm
IRC Nickname: Rodney75 | Group: Council | Posts: 1683 | Member No.: 2109 | Joined: October 29, 2009 | Total Events Attended: 154

Good bit of info. Will probably start to think to update my pass, although mine's in the 'years' category!

Posted: December 21, 2010 06:12 pm
IRC Nickname: Kat | Group: Event Leader | Posts: 1085 | Member No.: 2257 | Joined: April 30, 2010 | Total Events Attended: 223

honestly. i'm a girl. so i have no idea what any of that means. but i read most of it and some stuff is confusing but it sounds like a good idea

Posted: December 22, 2010 02:33 am
IRC Nickname: Kung_man149 | Group: Higher Guardian | Posts: 1054 | Member No.: 2111 | Joined: October 30, 2009 | Total Events Attended: 79

What Robbie's trying to say is that most people with hacking software can hack your account in seconds, so he's going to change the software we use on our forums to keep us safe by updating our passwords into something much stronger to avoid getting hacked and everything getting leaked out.

--------------------
Taken❒ Single❒ Mad✔
<+Mark``> i think the brothers GF is going into labour
<+Mark``> I WANNA WATCH YU-GI-OH

Posted: December 22, 2010 06:59 am
IRC Nickname: RobbieThe1st | Group: Founder | Posts: 770 | Member No.: 2 | Joined: December 26, 2007 | Total Events Attended: 49

Essentially. Currently, you are safe from -most- people, but not a rogue Admin (nor if someone gets into the server somehow). This will make it hard even -if- someone gets into the server.

Posted: December 22, 2010 08:50 am
IRC Nickname: Kiwi011 | Group: Emeritus | Posts: 3052 | Member No.: 40 | Joined: December 30, 2007 | Total Events Attended: 21

let's just say my passwords are usually smaller passes than the ones that i actually care about like email, school etc, like let's say my pass on wg forums is Hash, if my email's pass is Hash123x will they know part of my password is Hash?

Posted: December 22, 2010 11:10 am
IRC Nickname: Zooby | Group: Guest | Posts: 1669 | Member No.: 1464 | Joined: November 12, 2008 | Total Events Attended: 109

So a RoT member or EoS member hacks your forum PW? Gets access to level 3? Yeah fuck it don't worry aye.

Posted: December 22, 2010 06:42 pm
IRC Nickname: Tnuac | Group: Emeritus | Posts: 1806 | Member No.: 51 | Joined: December 30, 2007 | Total Events Attended: 58

Ok thanks robbie, I -will- change my password =p I put full trust in our
Interesting insight into how it works, cheers

--------------------
~Aetas: carpe diem quam minimum credula postero~
"Seize the day and place no trust in tomorrow"

Posted: December 22, 2010 11:17 pm
IRC Nickname: Outlaw | Group: Emeritus | Posts: 558 | Member No.: 2055 | Joined: September 12, 2009 | Total Events Attended: 95

Well evidently having access to lvl 3 isn't that big of a deal. Plus, my password consists of two symbols four numbers and a phrase...

Posted: December 23, 2010 08:50 am
IRC Nickname: `Joey|welly | Group: Clan Friend | Posts: 32 | Member No.: 2478 | Joined: December 7, 2010 | Total Events Attended: 2

do you guys think rot or eos even know we exist nor care about us? they don't.. sorry but they just don't..

Posted: December 23, 2010 01:01 pm
IRC Nickname: megajayson | Group: Elite Guardian | Posts: 9246 | Member No.: 423 | Joined: April 4, 2008 | Total Events Attended: 216

nice attitude! anyway, it's for the safety, not only for the clan, but for you. So suck it up and just do it, it's not hard.

Posted: December 24, 2010 07:12 pm
IRC Nickname: Tnuac | Group: Emeritus | Posts: 1806 | Member No.: 51 | Joined: December 30, 2007 | Total Events Attended: 58

Well they've been as obsessed with us for bloody ages, if they've gone off us, thank god

Posted: December 25, 2010 02:06 am
IRC Nickname: Tricksy | Group: Emeritus | Posts: 645 | Member No.: 77 | Joined: January 1, 2008 | Total Events Attended: 18

Does that mean everyone with a password, say 12345, has the same hash regardless of website, server etc etc?

Thanks rob

--------------------
Edwarrior317 - 102 Combat - Perm Banned
Wilderness Guardian Moderator: 19th April - 3rd December, 2007

Posted: December 25, 2010 04:44 am
IRC Nickname: RobbieThe1st | Group: Founder | Posts: 770 | Member No.: 2 | Joined: December 26, 2007 | Total Events Attended: 49

In theory, probably not - Websites -should- use a second value mathematically added to each password to prevent this (say appending "123456" to the -end- of each password).

In reality, yes. A significant portion of websites simply use whatever the CMS/Forum software does, which means that - at the -least- all websites of a certain type (i.e. all IPB 2.0, or PHPBB3) will have the same hash stored in the DB.
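
The question and reply above, as an added Python example (not from the original posts or from any forum software): it compares what a database reader can infer under bare MD5, under one fixed appended value, and under a per-user random salt. It goes beyond the reply by using a random per-user salt with PBKDF2; the function names and account data are constructed for illustration.

```python
import hashlib
import hmac
import os

def unsalted_md5(password):
    """Legacy scheme from the thread: bare MD5, identical on every site using it."""
    return hashlib.md5(password.encode()).hexdigest()

def static_salt_md5(password, site_salt):
    """One fixed value appended to every password, as the reply suggests."""
    return hashlib.md5((password + site_salt).encode()).hexdigest()

def register(password, iterations=200_000):
    """Per-user random salt with a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def shared_hash_groups(stored):
    """Users whose stored value is byte-for-byte identical, i.e. same password."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def compare_schemes(users, site_salt="123456"):
    """What a database reader can infer about password reuse under each scheme."""
    return {
        "unsalted": shared_hash_groups({u: unsalted_md5(p) for u, p in users.items()}),
        "static_salt": shared_hash_groups(
            {u: static_salt_md5(p, site_salt) for u, p in users.items()}),
        "per_user_salt": shared_hash_groups(
            {u: register(p)["digest"] for u, p in users.items()}),
    }

if __name__ == "__main__":
    # Constructed accounts; two of them share the password from the question.
    accounts = {"alice": "12345", "bob": "12345", "carol": "Tr4il-Mix!"}
    print(compare_schemes(accounts))
    record = register("Tr4il-Mix!")
    print(verify("Tr4il-Mix!", record), verify("tr4il-mix!", record))
```

A fixed site-wide value stops hashes from matching across different sites, but users on the same site who share a password still share a stored hash; only the per-user salt removes that signal.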

Posted: December 25, 2010 04:50 am
IRC Nickname: | Group: Ex-Member | Posts: 632 | Member No.: 2467 | Joined: November 27, 2010 | Total Events Attended: 26

To be honest I wouldn't be concerned, the odds of a clan trying to hack us in our current condition is SO slim I can guarantee it won't happen.

--------------------
Our greatest glory consists of not in never falling, but rising everytime we fall.
# MAX # COMBAT #

Posted: December 25, 2010 04:26 pm
IRC Nickname: Dnovelta | Group: Emeritus | Posts: 2750 | Member No.: 130 | Joined: January 20, 2008 | Total Events Attended: 137

Cool read. Just out of curiosity, if our current password already meets the requirements you plan to put in place, is there anything preventing us from using the same password or is this just to ensure we have a higher standard for security?

Either way, thanks for keeping us safe.

Posted: December 28, 2010 09:24 am
IRC Nickname: RobbieThe1st | Group: Founder | Posts: 770 | Member No.: 2 | Joined: December 26, 2007 | Total Events Attended: 49

Nope; so long as it meets the requirements, you can use anything you want.