Concern about passwords on the CH-server - Cheat Happens Feedback, Complaints or Problems Message Board (Page 1)
 Concern about passwords on the CH-server  
 
 
Skuggan (ELITE, Sweden, User #233819, joined May 03, 2007) - Posted: Apr 30, 2013 11:06:47 AM

Greetings,

I have some concerns about the way you store our account passwords. Today was the first time that I had to use the "forgot password" and I was sent my password, which means passwords are stored in clear text on the server. I do understand that you should have different passwords for different services, and of course I do, but the problem here is that it would be very easy for someone to use stolen accounts. All they would need is the password list from the server.

So with that said I wish you could encrypt and salt the passwords.

techowl (CH PROMO CLUB, Russia, User #899469, joined Jan 19, 2010) - Posted: Apr 30, 2013 11:25:31 AM

Have you thought about the possibility that the passwords get decrypted before they are sent out? Also, there is no way they can get the password list. PWizard and Nevermore would be the only 2 able to access it.
Varacka (CH PROMO CLUB, United States, User #384327, joined Jan 18, 2008) - Posted: Apr 30, 2013 12:14:16 PM

 quote:
 originally posted by Angel:

Have you thought about the possibility that the passwords get decrypted before they are sent out? Also, there is no way they can get the password list. PWizard and Nevermore would be the only 2 able to access it.

Tell that to hacker groups like Anonymous. When someone wants something badly enough they will find a way. On that note, encryption can be broken. However, as Angel said, they could easily have them decrypted when sent. (Which further proves anything can be undone.)

Note: I am in no way saying people have or will hack this site. I am merely stating that anything is possible, so be prepared. Change your passwords often. Etc etc.

[Edited by Varacka, 4/30/2013 12:15:20 PM]

PWizard (FOUNDER, United States, User #2, joined Dec 01, 2001) - Posted: Apr 30, 2013 12:51:36 PM

I have often thought about making our passwords more secure by utilizing things like 4-layer encryption, quadruple reverse salting, etc., but then a few things come to mind.

First, this is a VIDEO GAMES website. Not Facebook. Not a bank. Not a doctor's office. We store very little information about each user that would be useful to anyone. We do not store physical addresses, phone numbers, social security numbers, financial information, etc. Not even your zip code. Most people don't even put in their real names when registering. So, the most anyone would get is alias, email address and password, which if you use the same one for every website you visit, then shame on you.

All of the financial and personal information used when purchasing a membership from our site is handled by PayPal, Authorize.net and other third party merchant account vendors. We never see that information and do not store that information.

Now, having said that, the security of the personal information we do store is very important to us. Our web server is protected by multiple web application firewalls and a hardware firewall. We have measures in place to document all user activity such as trainer downloads, password changes, logins from multiple IPs etc, and we monitor this information daily for any suspicious activity and take the appropriate actions.

There have been many occasions where we've had to recover someone's account password for them, otherwise they would have lost their UNL account and had to create a new one.

As others have said, you can have the strongest encryption in the world on the passwords, but it won't matter if hackers gain access to the server where the encryption is taking place.

We will continue to investigate whether or not more secured passwords will really help or end up hindering more users than it does good. We appreciate everyone's feedback and concern and know that we don't take things like this lightly.

Chris O'Rorke (chris@cheathappens.com)
Co-Founder: Cheat Happens.com

Skuggan (ELITE, Sweden, User #233819, joined May 03, 2007) - Posted: Apr 30, 2013 2:09:16 PM

You can't do that; the server would have to brute-force the encryption first and then send your password to you in clear text, or they would have to have a rainbow table that covers everyone's password. Anyone who has tried brute-forcing a 16+ character password knows it won't happen with current hardware.

Thanks PWizard for the reply. I do hope that you guys end up encrypting them, or at least inform people about it when they create their account. Some people use very long passwords, but they might be using the same first 14 characters and then add the website's name, or something else related to the website, after. It's pretty secure as long as no one knows the initial characters.
But as long as you do restore passwords or accounts in case of someone losing their unlimited account, it's fine with me.

[Edited by Skuggan, 4/30/2013 2:11:28 PM]

[Edited by Skuggan, 4/30/2013 2:11:57 PM]

RndStranger (VETERAN, Andorra, User #1639108, joined Mar 03, 2013) - Posted: May 01, 2013 5:02:47 AM

Well, maybe I'm stupid because I studied that kind of stuff. Also, I'm working as some kind of IT technician (hard to translate the real title)....

But storing a password in PLAIN text is always bad, no matter what you want to do with it or what you're selling.

Simply encrypting is also not optimal. Why would the server ever need the real password? Besides that, the server needs to know the key, so the bad hacker does too.

SHA-256 (a few thousand iterations) + salt and you're done.

Password reset would work with a newly created random password which must be changed after first login.

This way the passwords are safe.

SHA-256 is a hash, meaning one-way encryption. The password is only stored as a hash on the server; there is no way to 'calculate' the real password from it. Throw some salt plus the thousands of iterations in it and you'll also blow all the rainbows.

The thousands of iterations are for extra security. This way you get a hash of the hash of the hash of the... You get the point. For the CH server this is a one-time task, quick for just one password.
For the hacker who stole the DB and wants to crack the passwords with a rainbow table (he needs a custom one because we're already using a salt) it's n*iterations per string.
No one would try to crack them..

DABhand (AUTHOR, United Kingdom, User #157287, joined Aug 27, 2006) - Posted: May 01, 2013 6:42:22 AM

BTW Skuggan, just because a password is sent via plain text in an email doesn't mean it is not protected in the database.

Most databases have standard encryption anyway, no matter who hosts the site.

As for CH, not sure, but I think there has to be some sort of encryption used to stop people from unknown sources gaining info; the only people who can get the passwords in pure form are the admins who log in via the site's administration controls.

As for high-level encryption, there is a problem with that: the site has to understand how to decrypt/encrypt information to check if the password stored for an account is the same, which means the key is stored on the site, which means a hacker with knowledge can take that key wherever it is stored and then use it to decrypt data.

The only way would be to add another server which contains the decryption data and is not part of the site, adding another layer of protection.

[Edited by DABhand, 5/1/2013 6:47:56 AM]

Skuggan (ELITE, Sweden, User #233819, joined May 03, 2007) - Posted: May 01, 2013 9:06:27 AM

 quote:
 originally posted by DABhand:

BTW Skuggan, just because a password is sent via plain text in an email doesn't mean it is not protected in the database.

Most databases have standard encryption anyway, no matter who hosts the site.

As for CH, not sure, but I think there has to be some sort of encryption used to stop people from unknown sources gaining info; the only people who can get the passwords in pure form are the admins who log in via the site's administration controls.

As for high-level encryption, there is a problem with that: the site has to understand how to decrypt/encrypt information to check if the password stored for an account is the same, which means the key is stored on the site, which means a hacker with knowledge can take that key wherever it is stored and then use it to decrypt data.

The only way would be to add another server which contains the decryption data and is not part of the site, adding another layer of protection.

[Edited by DABhand, 5/1/2013 6:47:56 AM]


Well, it can't send me the password in plain text if it is encrypted, simply because the server doesn't know what my password is; it only knows the value of the encryption. With a key and the password I write to log in, it then checks that the encrypted value in the password list matches the encryption value generated from the password I wrote.

If it had a key to decrypt the passwords in the list and then send them in plain text to users, all kinds of encryption would be kind of a waste of time, as you would provide the decryption key to any hacker who can reach the file.

A simple encryption and salt is all that is needed, and users that use long passwords. Anything above 16 characters long is safe enough; no one will spend time trying to brute-force those passwords when they've got a whole list of encrypted passwords where some of them are probably pretty short, 10 characters or less.

[Edited by Skuggan, 5/1/2013 9:12:13 AM]
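
The scheme RndStranger describes above (salt plus thousands of SHA-256 iterations, and a "forgot password" that issues a random temporary password instead of e-mailing the old one) and the verification flow Skuggan describes in the last post (recompute the value from the submitted password and compare it with the stored one), as an added example in Python. This is not code from this thread or from Cheat Happens. It uses PBKDF2-HMAC-SHA256 from the standard library as the standardised form of "iterated, salted SHA-256"; the iteration count, salt length, storage format, the UserStore class and the sample username are assumptions made for the example.

```python
"""Salted, iterated password hashing with a reset flow that never reveals a password."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Hypothetical parameters for this example (not a Cheat Happens setting).
ITERATIONS = 100_000   # one login pays this once; a cracker pays it for every guess
SALT_BYTES = 16        # per-user random salt makes precomputed rainbow tables useless
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Derive a one-way verifier: '<algo>$<iterations>$<salt hex>$<digest hex>'.

    The password itself is never stored, only this value, so there is nothing
    for the server (or whoever copies the table) to decrypt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory account table, constructed for this example."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, object]] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password), "must_change": False}

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # spend the same work so timing doesn't reveal which names exist
            return False
        return verify_password(password, str(record["hash"]))

    def reset_password(self, username: str) -> str:
        """'Forgot password' without a stored plaintext: issue a random temporary
        password, store only its hash and force a change at the next login. The old
        password is gone for good because it was never written down."""
        temporary = secrets.token_urlsafe(12)
        self.users[username] = {"hash": hash_password(temporary), "must_change": True}
        return temporary  # the only thing the reset e-mail would carry

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self.login(username, old):
            return False
        self.users[username] = {"hash": hash_password(new), "must_change": False}
        return True

    def must_change(self, username: str) -> bool:
        return bool(self.users[username]["must_change"])


def same_password_different_verifiers(password: str) -> bool:
    """Two registrations of the same password yield different stored values (the salt),
    so a precomputed password->hash table cannot be reused, yet both still verify."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    store = UserStore()
    store.register("skuggan", "correct horse battery staple")
    print("login ok:", store.login("skuggan", "correct horse battery staple"))
    temp = store.reset_password("skuggan")
    print("old password still works:", store.login("skuggan", "correct horse battery staple"))
    print("temporary works:", store.login("skuggan", temp), "must change:", store.must_change("skuggan"))
    print("salt defeats rainbow tables:", same_password_different_verifiers("hunter2"))
```

Two points from the thread are visible in the code: there is no key to steal, because nothing in the stored string lets anyone recover a password, and "forgot password" no longer needs to, since the reset path issues a fresh temporary password and forces a change. Today a memory-hard function (bcrypt, scrypt or Argon2) is usually preferred over PBKDF2, but the shape of the store, the constant-time comparison and the reset flow stay the same.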

Page 1 of 2 (go to page 2)

Copyright © 2001 - 2014 webworks, LLC. All Rights Reserved.