Sachys: You BOUGHT hatoful boyfriend?!?! O_____o

...1000 times?!?!
madth3: You told me you needed like 20 copies in our last trade.
I think you got wakalo'd - I've never traded and never will.
Sachys: You realise all these people had the password "g0gb34r", don't you?!
Randalator: Mine used to be "12345" but I changed it to "That'sAmazing!I'veGotTheSameCombinationOnMyLuggage!"
I changed it to randylaternowtnow
Post edited June 05, 2015 by Sachys
Titanium: I personally stand behind xkcd's "correcthorsebatterystaple" in regards to passwords.
Ixamyakxim: This comic changed my password life forever several years back ;) I swear by it, and a little pad I keep next to my computer. And I never go to sites that I think will cause problems.
Hmm, wish I had read this a while back, a bit funny... I usually tend to interlace two unrelated words; after you type it a dozen or two dozen times it becomes natural to just type it out. Some places recommend adding unique ASCII characters that are never normally in passwords, like the omega symbol Ω...

Blanket + kittyCat = kBiltatnykCeatt

You could easily do three pieces.
Sachys: You BOUGHT hatoful boyfriend?!?! O_____o

...1000 times?!?!
Maighstir: You didn't? BURN THE HEATHEN!
only to bury them in a landfill until they're legendary enough to be released into the wild!

...might pitch that as a movie idea to spielberg!
Post edited June 05, 2015 by Sachys
OneFiercePuppy: I MITM or eavesdrop, pull the hashed or encrypted password, then break it locally.
But how do you end up eavesdropping on a particular user?
F4LL0UT: What I don't understand, how is a password that even requires "only" several thousand attempts insufficiently safe in case of online accounts? Even if you're bruteforcing it, the server usually won't allow more than three login attempts in several minutes or up to an hour depending on the service (and in case of many services you get informed via email after a single failed attempt so you have time to go for a safer password). I have heard many times that weak passwords are one of the main reasons for compromised systems but I don't understand how that can be a major reason for online account stuff like on GOG. Isn't malware or using the same password on shady websites infinitely more likely to compromise your password in this case?
OneFiercePuppy: When I crack a password, I don't crack it by seeing what the server responds to. I MITM or eavesdrop, pull the hashed or encrypted password, then break it locally. That's what everyone does unless they have a good side channel. It's the most efficient way if you're dealing with normal hardware.

Yes, password re-use and malware like keyloggers are much easier ways to crack an account open, but brute force is rather easy once you know how to eavesdrop on a session.

EDIT: for those of you who know enough that that second sentence looked strange - yes, of course I would generally brute force a larger transmission because hopefully they've used something that was written in the last few decades and encrypts more than just the password part itself. I was taking creative liberty with not having to explain how to open a tunnel or something like that.
That's also a very good point, you don't need to try to see what the server responds to at all by doing this...
Maighstir: You didn't? BURN THE HEATHEN!
Sachys: only to bury them in a landfill until theyre legendary enough to be released into the wild!

...might pitch that as a movie idea to spielberg!
Too late, Rolfe already used the idea.
OneFiercePuppy: I MITM or eavesdrop, pull the hashed or encrypted password, then break it locally.
F4LL0UT: But how do you end up eavesdropping on a particular user?
Tape a few toilet paper rolls together and point them at said user.
Post edited June 05, 2015 by Maighstir
OneFiercePuppy: I MITM or eavesdrop, pull the hashed or encrypted password, then break it locally.
F4LL0UT: But how do you end up eavesdropping on a particular user?
I suggest starting with a VM or dual boot of Kali Linux (has built-in tools) and Google... you'll learn a lot about hacking. xD
OneFiercePuppy: When I crack a password, I don't crack it by seeing what the server responds to. I MITM or eavesdrop, pull the hashed or encrypted password, then break it locally.
And I would guess that's also the trick when an entire database gets compromised. Obviously if the site is dumb enough to save passwords in cleartext that's game over right there, but even if it's hashed, if it's unsalted or badly implemented the attacker will have all the time in the world to attack the database locally. And then if you're re-using passwords across multiple sites, you're SOL.
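As an added illustration of the point above (once the table is dumped, the attacker works offline at their own pace, and an unsalted hash makes that cheap) and of the dictionary-attack step described later in the thread, here is a small Python script that is not from any of the posts: it builds a constructed "leaked" users table of unsalted MD5 hashes, runs a wordlist against it, then runs the same wordlist against the same users stored with a per-user random salt and PBKDF2. Usernames, passwords and the wordlist are made up for the demo; no real breach data is involved.

```python
import hashlib
import hmac
import os

# Constructed wordlist and "dumped" users table (not from any real breach).
# Worst common case first: unsalted MD5, so identical passwords give identical rows.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "correcthorsebatterystaple", "g0gb34r", "dragon"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


LEAKED_UNSALTED = {
    "alice": md5_hex("qwerty"),
    "bob":   md5_hex("g0gb34r"),
    "carol": md5_hex("qwerty"),           # same hash as alice: cracked together
    "dave":  md5_hex("kBiltatnykCeatt"),  # not in the wordlist; survives this pass
}


def crack_unsalted(leaked: dict, wordlist) -> tuple:
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed once and looked up against every user, so the work
    is len(wordlist) hashes no matter how many users the dump holds. A rainbow
    table is the same idea with the lookup precomputed. Returns (cracked, hashes).
    """
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_salted_table(passwords: dict, iterations: int) -> dict:
    """How the same rows should be stored: per-user random salt plus a slow KDF."""
    table = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        table[user] = (salt, pbkdf2(pw, salt, iterations))
    return table


def crack_salted(leaked: dict, wordlist, iterations: int) -> tuple:
    """The same dictionary attack against salted, stretched rows.

    The salt forces every candidate to be re-derived for every user (no shared
    lookup, no rainbow table), and each derivation costs `iterations` HMAC rounds.
    Returns (cracked, kdf_calls); total hashing work is kdf_calls * iterations.
    """
    cracked, calls = {}, 0
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            calls += 1
            if hmac.compare_digest(pbkdf2(w, salt, iterations), digest):
                cracked[user] = w
                break
    return cracked, calls


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted MD5: cracked {found} with {work} hash computations")
    iters = 200_000
    salted = build_salted_table({"alice": "qwerty", "bob": "g0gb34r",
                                 "carol": "qwerty", "dave": "kBiltatnykCeatt"}, iters)
    found, calls = crack_salted(salted, WORDLIST, iters)
    print(f"salted PBKDF2: cracked {found} with {calls} KDF calls "
          f"= {calls * iters:,} HMAC rounds")
```

The unsalted pass recovers three of the four accounts with seven hash computations in total, and alice and carol fall together because their rows are identical. The salted pass recovers the same three (a weak password is still weak), but it needs 19 separate KDF calls, each of 200,000 rounds, and adding more users or more candidate words multiplies that work instead of adding to it.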
I kinda feel like an ass now, but I still prefer the "better safe than sorry" approach and would do it again to help make sure we have a safe and fun community. Much thanks to Destro for finally clearing this up.
JMich: Yes. When someone mentions complexity for passwords, I assume he means that the pool of characters is more than just the letters, so about 80 characters.
94, typically. At least on a standard English qwerty keyboard. Likely more for non-English keyboards, though there are usually limits to what websites will allow for non-English character usage for passwords, and ASCII only characters that never appear on any keyboard are almost never considered valid for passwords.

So, for the majority of computer users all over the world, with a few potential variations this means:

26 uppercase letters
26 lowercase letters
10 numbers
32 symbols (33 if you count space as a valid input for a password, though most places don't)

Which is fascinating looking at different passwords, and knowing that a typical not-too-expensive computer CPU is now capable of cycling through hundreds of millions of combinations per second (we're somewhere around 1 billion / second with a high-end 8 core i7, probably 2 billion/second with the new 16 core Xeon that just dropped. But something mid-range should easily hit 200-400 million / second), and that's only going to keep getting faster and more efficient as time goes on. That's not even looking at GPUs which are even faster.

A 4 digit numbers only password has 10,000 possible combinations (10^4).
Change to just lowercase or uppercase letters, and that number climbs to 456,976 (26^4).
Allow upper or lower and numbers and you now have 1,679,616 combinations (36^4).
Upper & lower gives you 7,311,616 (52^4).
Upper, Lower & Numbers gives you 14,776,336 (62^4)
And going full out with upper, lower, numbers, and symbols you get 78,074,896 (94^4). Granted, still well within the range of what a typical home PC can brute force in less than 1 second.

Doubling the length of the password doesn't simply double the number of combinations, however. An 8 character password with upper, lower, numbers, and symbols gives you 6,095,689,385,410,816 combinations (94^8). Now we're entering the realm where a typical home PC would take a day or two to crack, rather than seconds. But a box built specifically for brute forcing passwords with several GPUs could still do this in a very short amount of time. A password length of 8 is interesting because a disgustingly disturbing amount of bank websites still won't let you use anything longer. And most of them don't even let you use all the symbols (if they let you use any at all...)

Now you may be thinking, surely the website in question would have some limit on failed attempts and block any further attempts, at least for a while, which would significantly slow down the cracking process. And you'd be right. Even in the best-case scenario of brute forcing over the internet, where you can only expect to get maybe 5-10 guesses per second just due to the time it takes for data to travel back and forth, that alone would significantly hinder the cracking process, even if there were no such restrictions on failed attempts.

That's why most password cracking isn't done on the website directly. It's most often a sql injection attack or some other method of compromising the website to get at and download the entire database. Once that database is on the computer set up to do the cracking, it's going to be bombarded with billions of guesses per second. Though it will first be put through several dictionary and rainbow table attacks that will likely reveal a shockingly high percentage of user passwords in less than a day, and then if the cracker still wants more passwords, they might turn to brute force as a last resort, but will probably set some character limits to keep it from tying up the machine for days/weeks/months/years/lifetimes, and just take what they can get within say 72 hours.

Now you may also be thinking "okay, but what about xkcd's correcthorsebatterystaple example? Wouldn't that be 26^25, or 2.3677383000796758887679516493847e+35 combinations?" Yes it would, if it was being brute forced. But because the passphrase consists of four typical dictionary words, it's really <length of dictionary file>^4, because dictionary attacks are typically far faster than brute force. Let's use a common 100,000 word dictionary as an example, so 100,000^4 = 100,000,000,000,000,000,000. While a lot more than 94^4, it's still significantly less than 26^25 or even 94^25.

So, while length is typically better than complexity, complexity + length is the best of both worlds. And when the website only lets you have a maximum of 12 characters for a password, a passphrase is basically useless. Might as well just get in the habit of using a password manager and going for the complexity + length. I'd rather have 94^12 than use three 4 letter words or even four 3 letter words. That's 1,000,000,000,000,000 (100,000^3) or 100,000,000,000,000,000,000 (100,000^4) vs. 475,920,314,814,253,376,475,136 (94^12). And the passphrase combinations can be significantly reduced through filtering. If you know the website only accepts a maximum of 12 character passwords, and you suspect users are doing passphrases, you can simply have your cracking software only look at 2-4 letter words in that dictionary. Taking the number from 100,000 words to something far less than 100,000. Run another pass looking only at 6 letter words. And so on.

The other problem with passphrases is that as they are cracked, they get added to dictionaries of their own, so that "correcthorsebatterystaple" you can bet is already part of a dictionary and even if there are 10 million other passphrases in that dictionary, that's still only at most 10,000,000^1 guesses that need to be made to find the passphrase, and even the cheapest computer on the market could crack that in a second. 100 million passphrases would still only take a second. And this is why the best method is and will always be using randomly generated passwords consisting of upper, lower, numbers and symbols.
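The arithmetic in the post above, carried through in Python as an added example (it is not the poster's code): keyspace and bit sizes for the character classes counted above, worst-case exhaustion time at the per-second guess rates the post quotes (taken from it as assumptions, plus a hypothetical multi-GPU rate that is mine), the word-level search space for a passphrase, and the length-cap filter the post describes, implemented as a count of the word combinations that actually fit under the cap rather than a hand-picked word-length range. The toy dictionary is constructed for the demo and is not a real wordlist.

```python
import math
from collections import Counter

# Character-class sizes as counted in the post (94 printable ASCII, space excluded).
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 32
FULL = DIGITS + LOWER + UPPER + SYMBOLS  # 94

# Guess rates per second. The first two are the figures quoted in the post;
# the third is an assumed multi-GPU cracking box, not a number from the thread.
ONLINE_RATE = 10
CPU_RATE = 1_000_000_000
GPU_RIG_RATE = 100_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Strings of exactly `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def bits(candidates: int) -> float:
    """Size of a search space expressed in bits (log2)."""
    return math.log2(candidates)


def worst_case_seconds(candidates: int, rate: float) -> float:
    """Time to exhaust the space; expected time for a random secret is half this."""
    return candidates / rate


def passphrase_space(dictionary_size: int, words: int) -> int:
    """A passphrase attacked word by word costs dictionary_size**words, not 26**chars."""
    return dictionary_size ** words


def count_passphrases_within(dictionary, words: int, max_len: int) -> int:
    """Number of `words`-word passphrases (no separators) with total length <= max_len.

    This is the filtering step from the post: when a site caps password length,
    most of dictionary_size**words could never have been typed and need not be
    tried. Computed by dynamic programming over a histogram of word lengths.
    """
    hist = Counter(len(w) for w in dictionary)
    ways = {0: 1}  # ways[n] = number of word sequences so far with total length n
    for _ in range(words):
        nxt = Counter()
        for total, count in ways.items():
            for wlen, wcount in hist.items():
                if total + wlen <= max_len:
                    nxt[total + wlen] += count * wcount
        ways = nxt
    return sum(ways.values())


# Constructed toy dictionary (not a real wordlist) to show the filtering effect.
TOY_DICTIONARY = ["a", "at", "cat", "horse", "battery", "staple", "correct", "go",
                  "dog", "red", "blue", "green", "the", "of", "password", "gog"]


if __name__ == "__main__":
    for alphabet, length in [(DIGITS, 4), (LOWER, 4), (FULL, 4), (FULL, 8), (FULL, 12)]:
        n = keyspace(alphabet, length)
        print(f"{alphabet}^{length:<2} = {n:>28,}  ({bits(n):5.1f} bits)  "
              f"cpu: {worst_case_seconds(n, CPU_RATE) / 86400:9.3g} days  "
              f"gpu rig: {worst_case_seconds(n, GPU_RIG_RATE) / 86400:9.3g} days")
    n = passphrase_space(100_000, 4)
    print(f"4 words from a 100k dictionary: {n:,} ({bits(n):.1f} bits)")
    total = passphrase_space(len(TOY_DICTIONARY), 3)
    capped = count_passphrases_within(TOY_DICTIONARY, 3, 12)
    print(f"3-word phrases from the toy dictionary: {total} total, {capped} fit in 12 chars")
```

Run stand-alone it reproduces the post's 94^4, 94^8 and 94^12 figures, shows 94^8 at the quoted 1 billion guesses per second coming out at roughly 70 days worst case (about 7 hours at the assumed GPU-rig rate), and shows that in the toy dictionary only 2,347 of the 4,096 three-word combinations fit inside a 12-character cap.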
darkwolf777: And this is why the best method is and will always be using randomly generated passwords consisting of upper, lower, numbers and symbols.
Well, almost. Your arithmetic is mostly beyond reproach but it's generally accepted in security that humans are the weakest link. If you make someone have a long, random or pseudorandom string for password, they're going to either change it or write it down everywhere and lose it. "Best" for machine hardness rarely matches well with "best" for overall system hardness, and that's why, for example, you should write down your passwords and why passwords that are easy to remember are actually better than pure noise.

I for one will be very glad when we get biometrics figured out properly.

There are a lot of other sources I could quote for reference, but I figure if you won't accept Bruce Schneier as an authority on security there's nothing I can say that you'll agree with.
Guys... I found a little something out here. OK, I will try to make this short, and this is a big thing. OK, so these guys who got accounts hacked: if these were bought accounts, I just found out the way to easily take it back after changing an email LOL


I made a dummy account with my old email and some stupid password on my laptop and stayed logged in, and then went to my desktop PC and changed the email and password. It said successfully changed, and I logged out of it and went back to my laptop, and it was still logged in. And I changed the email AGAIN on that and it worked... and went back to the PC, and then it won't let me log in with the stuff I put on that PC.


Sneaky shits, if that was what was done here with some accounts. This problem I found out should be FIXED ASAP because this is some bad loophole to get accounts back even when changing passwords and giving it to someone.
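The behaviour described above (a session on one device surviving a password and email change made on another) is the usual symptom of sessions that are never tied to the credentials they were issued under. As an added example, not GOG's code and not from the thread, here is a minimal Python account/session store that bumps a per-account credential version on every change, refuses any session minted under an older version, and requires the current password before a change is accepted; `replay_thread_scenario` walks through the laptop/desktop sequence from the post. Usernames, emails and passwords are made up, and passwords are held in plaintext only to keep the demo short (a real store keeps a salted, stretched hash).

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password: str           # plaintext for demo brevity only; hash it in real code
    cred_version: int = 0   # incremented on every password or email change


@dataclass
class Session:
    user: str
    cred_version: int       # the account's version when this session was minted
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}

    def register(self, user: str, email: str, password: str) -> None:
        self.accounts[user] = Account(email, password)

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(acct.password, password):
            raise PermissionError("bad credentials")
        s = Session(user, acct.cred_version)
        self.sessions[s.token] = s
        return s.token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a session cookie to a user.

        The check the post shows missing: a session minted under an older
        credential version is refused even though its cookie never expired, so a
        password or email change on one device logs every other device out.
        """
        s = self.sessions.get(token)
        if s is None:
            return None
        if s.cred_version != self.accounts[s.user].cred_version:
            del self.sessions[token]
            return None
        return s.user

    def change_credentials(self, token: str, current_password: str,
                           new_email: Optional[str] = None,
                           new_password: Optional[str] = None) -> None:
        """Needs a live session AND the current password (re-authentication), so a
        stale or stolen session alone cannot take the account over."""
        user = self.current_user(token)
        if user is None:
            raise PermissionError("not logged in")
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.password, current_password):
            raise PermissionError("re-authentication failed")
        if new_email:
            acct.email = new_email
        if new_password:
            acct.password = new_password
        acct.cred_version += 1
        # Only the session that made the change survives the version bump.
        self.sessions[token].cred_version = acct.cred_version


def replay_thread_scenario() -> dict:
    """The laptop/desktop sequence from the post, run against the store above."""
    svc = AuthService()
    svc.register("dummy", "old@example.com", "stupidpassword")
    laptop = svc.login("dummy", "stupidpassword")    # stays logged in on the laptop
    desktop = svc.login("dummy", "stupidpassword")
    svc.change_credentials(desktop, "stupidpassword",
                           new_email="new@example.com", new_password="N3w-P4ssw0rd!")
    result = {
        "desktop_still_valid": svc.current_user(desktop) == "dummy",
        "laptop_still_valid": svc.current_user(laptop) == "dummy",
    }
    try:  # the laptop trying to change the email again, as in the post
        svc.change_credentials(laptop, "stupidpassword", new_email="mine@example.com")
        result["laptop_could_change_email"] = True
    except PermissionError:
        result["laptop_could_change_email"] = False
    result["email"] = svc.accounts["dummy"].email
    return result


if __name__ == "__main__":
    print(replay_thread_scenario())
```

With both checks in place the desktop session that made the change keeps working, the laptop session is dead the next time it is used, and the laptop cannot change the email back because it neither holds a valid session nor knows the new password. A credential version (or equivalently a "password changed at" timestamp compared against the session's issue time) is cheap to store and avoids having to enumerate and delete every session for the account.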
OneFiercePuppy: Well, almost. Your arithmetic is mostly beyond reproach but it's generally accepted in security that humans are the weakest link. If you make someone have a long, random or pseudorandom string for password, they're going to either change it or write it down everywhere and lose it. "Best" for machine hardness rarely matches well with "best" for overall system hardness,
Oh, definitely true. Which is why I always recommend a password manager. Get one that you can also sync with your smartphone to always have access to your passwords. That way you only have to remember a single password (and hopefully you make it sufficiently tough but easy enough to repeat several times to commit it to memory and not need to write it down, but if you must write it down, keep it somewhere safe). Which itself isn't foolproof by any means. A rogue keylogger on your system can easily compromise the password manager database and expose all your randomly generated passwords to an attacker, but if you keep your system updated and are mindful about what software you run on it, that threat should be minimized if not eliminated entirely.
In any event, I'm still waiting for tech support to resolve this issue, but if Thursday was a bank holiday, this could explain why (Destro, Arbiter of Cool, did state: "This topic is 6 hours old and today is bank holidays in Poland. ").
Destro: This topic is 6 hours old and today is bank holidays in Poland.

Also - this isn't any new topic - we're fully aware of it, and if we believed something was wrong, we would inform you...
Cyraxpt: Oh, sorry for being cynical, but since you (GOG team) are aware of what's happening around here, when is GOG going to upgrade the forums to something more stable that doesn't require that you remove stuff (like hiding old threads in an archive section or the search forum from the top side)?

Removing the report spam = delete thread/post would also be a good idea, since I don't think the GOG community should be policing the forum; that's the job for the moderators.

A sticky section for the "friend me" posts would also be welcome since the first page gets the occasional "Friend me Mike" threads (not that it would fix the problem that gog galaxy caused).

And I'm sure that there are way more improvements to be made here (spoiler tag would be AMAZING) but I guess you guys get the idea.

I'll await an answer! :)
Hey blue ones, I know that this is the weekend and I won't ask for an answer now, but I do hope to see something during next week! :)

This time I've done my research (because I don't want to bother you guys during your time off) and there are no bank holidays for the rest of the month.
Post edited June 06, 2015 by Cyraxpt