
Ubisoft Hacked


  • Registered Users, Registered Users 2 Posts: 18,709 ✭✭✭✭K.O.Kiki


    nesf wrote: »
    Ubisoft only leave you use 16. Though honestly, 16 random digits is, right now, unreasonable to crack even using a supercomputer.
    Think again!
    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/
    :pac:


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    K.O.Kiki wrote: »

    Brute forcing 16 random digits is impossible right now. That article is talking about non-random passwords with human patterns in them, like words, numbers at the end, passphrases and so on.

    If you wanted to brute force "843%X[Q<c:)L9g@P" at a rate of 4 billion combinations per second (a fairly powerful desktop machine) you're talking about it taking you 412 trillion years. There is no pattern in this password you can use to solve it faster.

    Something like "HappyLittleBoys1" even though it's the same length could be solved with a mask attack.


  • Registered Users Posts: 13,084 ✭✭✭✭Kirby


    nesf wrote: »
    "843%X[Q<c:)L9g@P"

    :eek: How did you know my password?


  • Closed Accounts Posts: 12,452 ✭✭✭✭The_Valeyard


    I wasn't as sexy as a kid as you were.


    Wha?




    But if this was one year to the day since the last hack happened, it was probably some sort of anniversary attack by the hackers.

    Annoying though.


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    Kirby wrote: »
    :eek: How did you know my password?

    It's on a post-it on your desk. Also, you might want to turn off your webcam.


  • Banned (with Prison Access) Posts: 21,634 ✭✭✭✭Richard Dower


    yet more reasons not to.......


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    Ok, I tried again this morning and kept getting the same error. For a laugh I decreased it from 16 to 14 random digits, worked fine. Really, Ubisoft are not impressing me at all.


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 8,508 CMod ✭✭✭✭Sierra Oscar


    nesf wrote: »
    Ubisoft only leave you use 16. Though honestly, 16 random digits is, right now, unreasonable to crack even using a supercomputer.

    Out of interest, what number of random digits would be considered 'robust' for a password these days?


  • Registered Users, Registered Users 2 Posts: 6,710 ✭✭✭Monotype


    You'd want a minimum of 8. That's 208 billion combinations if you're just using lower case. 1000 times the combinations when using upper case and numbers.
    A good way to generate seemingly random passwords is to use the first letter of the words of a song or phrase.
    Mary Had A Little Lamb Fleece As White As Snow - MHALLFAWAS.
    Now, if you can throw in a few upper and lower cases (e.g., nouns, start or end of line) as well as substitute some symbols, if the system supports it.


  • Moderators, Social & Fun Moderators Posts: 28,633 Mod ✭✭✭✭Shiminay


    I picked up an app called mSecure for my phone as a password vault and it's been serving me well. It'll generate passwords for me too that are complete random gibberish with as many characters as I want. They have a Windows version too that I found myself looking at after this Ubisoft notification and you can synch your stuff via an encrypted file in Dropbox which seems convenient.


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    Out of interest, what number of random digits would be considered 'robust' for a password these days?

    Define robust. Crackers normally want around 90% of the passwords, what's "robust" is being in that 10% that's too much of a bitch to crack to be worth the effort.

    With random digits you're talking about solving a password space, i.e. going through all possible variations, so totally solving a 6 digit password is fairly trivial; any modern PC with a decent GPU could do it in seconds. Every digit beyond that multiplies the time involved. This increases near vertically on a graph if you plot it out for the entire ASCII keyspace. I've seen 12 digits being touted as robust enough for almost any need. Some examples of numbers of combinations:

    (Assuming a 50,000 word list being used for passphrases): the formula for those interested is (n + k - 1 | k) rather than the (n | k) you may have seen in school, this works out as (n - k - 1)!/((n-1)!k!) You can solve these kinds of equations with Wolfram Alpha.

    4 word passphrase: 2.6 × 10^17
    5 word passphrase: 2.6 × 10^21
    6 random digits: 6.8 × 10^9
    10 random digits: 4.5 × 10^14
    16 random digits: 6.1 × 10^20

    Assuming a solving speed of 1 x 10^11 (100 billion) combinations a second (super computer speed) and in brackets a speed of 1 x 10^9 (1 billion) which would be more in line with a home computer:

    4 word passphrase: 30 days 2 hours 13 minutes 20 seconds (98.93 months)
    5 word passphrase: 823.9 years (82,391 years)
    6 random digits: less than a second (less than 7 seconds)
    10 random digits: 1.25 hours (5 days 5 hours)
    16 random digits: 193.3 years (19,330 years)

    You can see why 5 word passphrases and 16 digit passwords are so recommended. A 12 digit password has 10^16 combinations which turns those 5 days into 500, making it unreasonable for cracking with a home PC.


  • Posts: 0 [Deleted User]


    some say it's just PR for Watch Dogs


  • Closed Accounts Posts: 1,467 ✭✭✭McSasquatch


    Using Last Pass myself. Worth it for the hassle it saves, let alone the peace of mind it gives.


  • Registered Users, Registered Users 2 Posts: 3,191 ✭✭✭uncle_sam_ie


    I'm running out of passwords and starting to forget others... :(

    You need a good password manager like Lastpass, https://lastpass.com
    Every one of my login sites has a unique strong password that lastpass will generate.
    A security expert explains why he trusts it.
    Skip to 1:12:00 https://www.youtube.com/v/r9Q_anb7pwg&enablejsapi=1&playerapiid=r9Q_anb7pwg

    Also,
    Here is a good read on security, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    You need a good password manager like Lastpass, https://lastpass.com
    Every one of my login sites has a unique strong password that lastpass will generate.

    Here is a good read on security, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

    I've used 1Password for years. It has some useful features.


  • Registered Users, Registered Users 2 Posts: 14,114 ✭✭✭✭Potential-Monke


    You need a good password manager like Lastpass, https://lastpass.com
    Every one of my login sites has a unique strong password that lastpass will generate.
    A security expert explains why he trusts it.
    Skip to 1:12:00 https://www.youtube.com/v/r9Q_anb7pwg&enablejsapi=1&playerapiid=r9Q_anb7pwg

    Also,
    Here is a good read on security, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

    Right, time to download and get this baby working! Much difference between the free and paid?


  • Registered Users, Registered Users 2 Posts: 3,191 ✭✭✭uncle_sam_ie


    Right, time to download and get this baby working! Much difference between the free and paid?

    With the paid you get mobile device features. The free version is fine.


  • Registered Users Posts: 921 ✭✭✭delta36


    Well this was annoying to hear about, and the problem is I have no idea what my original Ubisoft password was, so no idea if it's something I used on other sites.

    But like other people have said, there's always going to be a risk of an online service being hacked, and at least they came out and announced it immediately, rather than going the Sony route of leaving it a month before telling people their passwords may have been compromised.

    In terms of password security, I do recall reading somewhere in the last few days (can't seem to find the article), that a password with special characters in it is harder to crack than a password with only letters and numbers in it, something to do with the fact that the keyspace of special characters is larger, and takes longer to process..or something. Anyway, here's a free password for anyone who wants it: !"£$%^&*(*&^%$£"£%^& :P


  • Registered Users, Registered Users 2 Posts: 3,191 ✭✭✭uncle_sam_ie


    delta36 wrote: »
    In terms of password security, I do recall reading somewhere in the last few days (can't seem to find the article), that a password with special characters in it is harder to crack than a password with only letters and numbers in it, something to do with the fact that the keyspace of special characters is larger, and takes longer to process..or something. Anyway, here's a free password for anyone who wants it: !"£$%^&*(*&^%$£"£%^& :P

    The thinking that you only need a strong password is where people are getting into trouble.

    From the article I linked above,

    "Most of the security advice we've all seen through the years has focused on how to choose a strong password. You might therefore think that the primary way hackers break into accounts is by preying on accounts with weak passwords, perhaps scanning every word in the dictionary looking for matches. That’s rarely the case.
    The basic truth is this: hackers steal game accounts because they already know the account name and password. They know them because they stole them (via security breaches or spyware) from another game or site where the person used the same account name and password.
    So unfortunately, if the lesson you've learned from security advice through the years is to pick a single complicated password, memorize it, and then use it everywhere, that’s exactly the wrong lesson for today’s security environment. To keep accounts on different sites secure in today’s environment, you need to use a unique password for each account."

    Also,
    "They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101”. If they don’t get a match immediately, they may try a variant like “alligator100” or “alligator102”, then they quickly move on to the next entry on their list. And it’s interesting to see that the passwords on these lists are mostly quite good passwords. For every one account on the hackers’ lists with a password like “twilight” (real example, ಠ_ಠ), there are dozens of accounts with good strong passwords. So the world at large clearly knows how to pick good passwords; the reason people are still getting hacked is because they use the same passwords on multiple sites."


  • Registered Users, Registered Users 2 Posts: 18,709 ✭✭✭✭K.O.Kiki


    The thinking that you only need a strong password is where people are getting into trouble.

    From the article I linked above,

    "Most of the security advice we've all seen through the years has focused on how to choose a strong password. You might therefore think that the primary way hackers break into accounts is by preying on accounts with weak passwords, perhaps scanning every word in the dictionary looking for matches. That’s rarely the case.
    The basic truth is this: hackers steal game accounts because they already know the account name and password. They know them because they stole them (via security breaches or spyware) from another game or site where the person used the same account name and password.
    So unfortunately, if the lesson you've learned from security advice through the years is to pick a single complicated password, memorize it, and then use it everywhere, that’s exactly the wrong lesson for today’s security environment. To keep accounts on different sites secure in today’s environment, you need to use a unique password for each account."

    Also,
    "They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101”. If they don’t get a match immediately, they may try a variant like “alligator100” or “alligator102”, then they quickly move on to the next entry on their list. And it’s interesting to see that the passwords on these lists are mostly quite good passwords. For every one account on the hackers’ lists with a password like “twilight” (real example, ಠ_ಠ), there are dozens of accounts with good strong passwords. So the world at large clearly knows how to pick good passwords; the reason people are still getting hacked is because they use the same passwords on multiple sites."
    Hmm, guess it's time for me to rethink my password creations.


  • Registered Users, Registered Users 2 Posts: 14,114 ✭✭✭✭Potential-Monke


    Having installed Lastpass, I have to say it appears great. Easy enough to change most passwords to randomly generated ones, but didn't pick up on a few of them. Still, my password strength for all sites is gone from 9.8% to 68%!


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    Having installed Lastpass, I have to say it appears great. Easy enough to change most passwords to randomly generated ones, but didn't pick up on a few of them. Still, my password strength for all sites is gone from 9.8% to 68%!

    Yeah, the only annoyance is sites like Google, or perhaps your Apple ID if you're an iOS user: you've got to type these passwords in on devices where you can't cut and paste a random series of digits, and memorising 14-16 random digits isn't very good.

    You pretty much have to fall back on five word passphrases and similar at that point.


  • Registered Users, Registered Users 2 Posts: 3,191 ✭✭✭uncle_sam_ie


    Having installed Lastpass, I have to say it appears great. Easy enough to change most passwords to randomly generated ones, but didn't pick up on a few of them. Still, my password strength for all sites is gone from 9.8% to 68%!

    For added security I also use Google Authenticator with Lastpass. It's very easy to set up. :)
    https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/google-authenticator/


  • Registered Users, Registered Users 2 Posts: 13,995 ✭✭✭✭Cuddlesworth


    Ahh the old password argument. I think people always forget exactly what a password is meant to do. Allow you easy secure access to something. What most of you are suggesting removes the easy part.

    That's last year's attack. I'm assuming they've fixed it by now :eek:
    But let me ask you this. With all of the hacks that have happened over the past couple of years have you updated your own personal security practices or are you still doing the same thing you always did? Do you use a different, strong password for every site and service that you use or are you using the same password on several sites?

    By the way a strong password is something like "58EL$mPx%Wsl" a completely random sequence of characters.

    Nice random password. Now, how do you remember that? Do you write it down, or do you store it in something? How do you know what you are storing it in is more or less secure than the site you're using it on? And the browser that you clicked remember my password on. How safe do you think that is? Are you suggesting creating a unique and random password for every site people use? At a guess I would be in around 120 "unique" passwords at this stage.

    You have created a password that is relatively easy for a computer to attack, but impossible for a human to remember. Then created a system that is unworkable. Your basis of a secure password is based around a human guessing it, rather than a computer.

    On a pure social level, if my password is "mycatisalittlefluffywuffy" (25 digits, assumed brute force of 7.83 hundred billion centuries with a cloud array) and your password is "58EL$mPx%Wsl", 11 digits, assumed brute force of 1.83 years with cloud array.

    Who has the better password overall? Btw, I'm aware of rainbow lists and dictionary attacks. And unless you want to get to work on programming a crack attempt to use syntax and grammar while creating new near infinite rainbow lists for salted passwords, go for it.

    K.O.Kiki wrote: »

    I don't think they emphasize length enough to people, that's what is important. Maybe I should try make a password penis joke somewhere.
    nesf wrote: »
    Something like "HappyLittleBoys1" even though it's the same length could be solved with a mask attack.

    That is a ludicrously hard password to crack. For all purposes, that's three random words combined with a number. Dictionary attacks don't scale well past single words + number sequences at all. And a quick check shows me it's not on any rainbow list I know of.



    I use the following system.

    A long and easy to remember fairly random phrase for my email, combined with two factor auth on my phone. Great system, meaning I can recover anything that does get hacked.

    Two financial passwords. A long secure password for my PayPal and another for any paid service that has credit card details stored (Amazon etc). If any get hacked, I will receive an immediate email and will be able to cancel.

    And a long easy to remember password for sites like this, that I couldn't care if they get hacked.

    Four passwords, all impossible to crack and most of all, a system that leaves me able to recover everything.

    And on that note, I leave you with one of my favorite comics.

    http://imgs.xkcd.com/comics/password_strength.png


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    That is a ludicrously hard password to crack. For all purposes, that's three random words combined with a number. Dictionary attacks don't scale well past single words + number sequences at all. And a quick check shows me it's not on any rainbow list I know of.

    It's not three random words combined with a number, it's three extremely common English words capitalised only at the start with a single number appended at the end. If it was "HappyLittle1Boys" it'd be far more difficult to crack because it doesn't follow a normal pattern. Similarly "haPpyLitTle1bOys" is even more difficult because of the odd capitalisation. The latter is horribly difficult to remember but you can achieve an even greater number of possible variations by using a five word password rather than a three word + number.


  • Registered Users, Registered Users 2 Posts: 3,191 ✭✭✭uncle_sam_ie



    Nice random password. Now, how do you remember that? Do you write it down, or do you store it in something? How do you know what you are storing it in is more or less secure then the site your using it on. And the browser that you clicked remember my password on. How safe do you think that is?
    I've been following Steve Gibson and his Security Now podcast for years. He gives Lastpass his seal of approval and that's good enough for me to trust it. Skip to 1:12:00
    https://www.youtube.com/v/r9Q_anb7pwg&enablejsapi=1&playerapiid=r9Q_anb7pwg


  • Registered Users, Registered Users 2 Posts: 13,995 ✭✭✭✭Cuddlesworth


    nesf wrote: »
    It's not three random words combined with a number, it's three extremely common English words capitalised only at the start with a single number appended at the end. If it was "HappyLittle1Boys" it'd be far more difficult to crack because it doesn't follow a normal pattern. Similarly "haPpyLitTle1bOys" is even more difficult because of the odd capitalisation. The latter is horribly difficult to remember but you can achieve an even greater number of possible variations by using a five word password rather than a three word + number.

    Feel free to try crack it using dictionary attacks without isolating those particular words. Remember, without prior reference a computer doesn't see the difference between happylittleboys, boyslittlehappy, happyboyslittle, littlesboyhappy, happysboylittle etc or the sheer enormity of other word combinations including grammar quirks like pluralization that can lead to a 16 digit password.

    To you it seems simple. To a computer it's not. And as you increase both the length and word count it becomes so much harder for a computer to brute force it.

    The inclusion of requirements like having a capital letter, having numbers included and special characters have simply served to shorten overall password lengths. Simply forcing people into 16-20 character phrases would make password cracking near impossible by today's standards.


  • Registered Users, Registered Users 2 Posts: 13,995 ✭✭✭✭Cuddlesworth


    I've been following Steve Gibson and his Security Now podcast for years. He gives Lastpass his seal of approval and that's good enough for me to trust it. Skip to 1:12:00
    https://www.youtube.com/v/r9Q_anb7pwg&enablejsapi=1&playerapiid=r9Q_anb7pwg

    Interesting in itself.

    But the program itself is open to a key-logger attack (2 factor auth isn't). I just don't see the need to use or trust a separate program to manage my passwords. As long as my email is secure, I'm not worried by my password getting into the open domain.


  • Registered Users, Registered Users 2 Posts: 3,191 ✭✭✭uncle_sam_ie


    Interesting in itself.

    But the program itself is open to a key-logger attack (2 factor auth isn't). I just don't see the need to use or trust a separate program to manage my passwords. As long as my email is secure, I'm not worried by my password getting into the open domain.

    I'm using 2 factor with it. If the way you do it is fine for you, great. I'm too old to remember a **** load of passwords and a separate program to manage them works for me.


  • Registered Users, Registered Users 2 Posts: 27,645 ✭✭✭✭nesf


    Feel free to try crack it using dictionary attacks without isolating those particular words. Remember, without prior reference a computer doesn't see the difference between happylittleboys, boyslittlehappy, happyboyslittle, littlesboyhappy, happysboylittle etc or the sheer enormity of other word combinations including grammar quirks like pluralization that can lead to a 16 digit password.

    To you it seems simple. To a computer it's not. And as you increase both the length and word count it becomes so much harder for a computer to brute force it.

    The inclusion of requirements like having a capital letter, having numbers included and special characters have simply served to shorten overall password lengths. Simply forcing people into 16-20 character phrases would make password cracking near impossible by today's standards.

    If you've a word list of 100,000 words, there are only around 160 trillion three word combinations (10^14) you can make from this list. This is crackable with modern hardware. Someone recently built a small cluster specifically for cracking, it could churn out 160 billion MD5 hashes a second and solved the 8 character space in five and a half hours when it was encoded with Microsoft's best encryption algorithm (25 GPUs cracked out 6 x 10^15 hashes in that time). Five words from the same list creates a far greater number of combinations (of the order of 10^22). Even using words from a really small list like 20,000 words, five word combinations still number over 2 x 10^19. Whereas three words would only give us around 1 x 10^12 combinations. 10^19 isn't crackable in a reasonable length of time, 10^12 is. Even with a million word long word list you're only getting 10^17 combinations and you're starting to talk about remembering some very unusual words there if you're not mixing languages.

    Five word passphrases are massively more secure than three word ones. That's the take home point.
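
Added example (not part of any post in the thread): a Python calculator for the combination counts and exhaustive-search times discussed in nesf's two posts above. It evaluates the quoted (n + k - 1 | k) formula, sets it beside the ordered count n^k (the number of distinct strings of that length), and finds the shortest length that holds out for a target time at a given guess rate. The 50,000-word list and the two guess rates come from the posts; the 128-symbol alphabet for "random digits" and the 95-symbol, 100-year inputs in the last lines are assumptions.

```python
from math import comb, log2

YEAR = 365 * 86400  # seconds in a 365-day year


def multiset_count(n, k):
    """(n + k - 1 choose k): unordered picks of k items from n, repeats allowed.
    This is the formula quoted in the thread."""
    return comb(n + k - 1, k)


def ordered_count(n, k):
    """n^k: distinct length-k sequences, where position matters."""
    return n ** k


def format_duration(seconds):
    """Render whole seconds as years, or as days/hours/minutes/seconds."""
    if seconds < 1:
        return "under 1 second"
    if seconds >= YEAR:
        return f"{seconds / YEAR:,.1f} years"
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = [(days, "d"), (hours, "h"), (minutes, "m"), (secs, "s")]
    return " ".join(f"{value}{unit}" for value, unit in parts if value)


def min_length(n, guesses_per_second, target_seconds):
    """Smallest k for which trying all n^k sequences takes at least target_seconds."""
    k = 1
    while ordered_count(n, k) < guesses_per_second * target_seconds:
        k += 1
    return k


# (label, symbols or words available, length). 128 symbols is an assumption.
CASES = [
    ("4 word passphrase", 50_000, 4),
    ("5 word passphrase", 50_000, 5),
    ("6 random characters", 128, 6),
    ("10 random characters", 128, 10),
    ("16 random characters", 128, 16),
]
RATES = (10**11, 10**9)  # guesses per second, the two speeds used in the thread


def report():
    """One row per case: both counts, bits of the ordered count, worst-case times."""
    rows = []
    for label, n, k in CASES:
        m, o = multiset_count(n, k), ordered_count(n, k)
        rows.append({
            "label": label,
            "multiset": m,
            "ordered": o,
            "bits": round(log2(o), 1),
            "multiset_times": [format_duration(m // r) for r in RATES],
            "ordered_times": [format_duration(o // r) for r in RATES],
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(f"{row['label']:<22} (n+k-1|k)={row['multiset']:.1e} "
              f"{row['multiset_times']}  n^k={row['ordered']:.1e} "
              f"({row['bits']} bits) {row['ordered_times']}")
    # Assumed inputs: 95 printable ASCII symbols, 100-year target, 10^11 guesses/s.
    print("random characters needed:", min_length(95, 10**11, 100 * YEAR))
    print("words needed (50,000 list):", min_length(50_000, 10**11, 100 * YEAR))
```

The times are worst case (the whole space searched); on average a search ends after about half the space.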

