Concern about passwords on the CH-server - Cheat Happens Feedback, Complaints or Problems Message Board (Page 2)
Cheat Happens Game Cheats and Wallpapers
Cheat Happens Game Cheats and Wallpapers
Cheat Happens Game Cheats and Wallpapers
   Page 2 of 2     First Page     Previous Page     Next Page     Last Page  New Topic New Topic    New Poll New Poll    Post Reply Post Reply    Help Help   
 Concern about passwords on the CH-server  

Send a PM to PWizard
  send PM
  view profile
  add to friends

United States 
User #: 2
Posts: 21668 
Joined: Dec 01, 2001   
Last visit: Jul 29, 2015
Posted: May 01, 2013 9:27:56 AM - Report post  (1)  (0)       Post Reply  post reply  

Just today another large site, was hacked with hackers gaining access to all of the user's personal information, but everything is "OK" because the passwords were encrypted. So, now hackers have everyone's Real Name, Physical Address, Email Address, Phone Number, Birthdate and other personal information, but not the password for a single website. That right there should tell you that simply encrypting passwords is not the be-all end-all solution to protecting one's identity on the Internet. I'd rather hackers have every password I use than to get all of my personal information. I can change all my passwords. I can't change my birthdate and social security number.

We will be taking steps to further protect our users starting with the elimination of all unnecessary information that has been optional, including birthdates, gender, city/state, etc. We will only be keeping alias, email, country and password. We will also look at further securing the passwords beyond what we do today.

Chris O'Rorke (
Co-Founder: Cheat

Facebook . Google+ . Trainer Blog
Current rank: 1 Star. Next Rank at 100 Posts.

Send a PM to hokibukisa2
  send PM
  view profile
  add to friends

User #: 1368544
Joined: May 12, 2012   
Last visit: Jul 25, 2015
Posted: Dec 10, 2013 9:27:00 PM - Report post  (0)  (0)       Post Reply  post reply  

Hey guys. As PWizard mentioned there really is little concern of leaked personal information because they keep none.

What is a concern is if you use the same username/password, as so many do, then yes that is something you need to take upon yourself to better ensure your own information security.

More and more sites are getting hacked and you can't expect every website to do everything right, so a practice of using spamfilter garbage email addresses, keeping personal data private, and using strong and unique passwords for every account are what you can do to help ensure your own personal security.

That being said I think cheat happens already has the infrastructure in place to make their passwords NSA proof as well as recoverable.

The best practice is to either send a new and unique temporary password or a password reset link to the email address of the account. Cheathappens already does this, they just send you your current password instead of a garblygoop temporary one.

They also send you a reminder that you changed your password with an email which contains your new password. This just isn't necessary.

Also about the encryption as opposed to 1-way hashing. When a password table is compromised it should be assumed that the encryption key and algorithm are as well. If the encryption key could be ensured to remain a secret security experts wouldn't be so insistent on 1-way hashing.

But anyways, rock solid nsa-proof password security is actually pretty simple.

1) Add an 8 character varchar field to the user table, name is PasswordSalt, this value isn't a secret you can give it out to everybody. Salt ideally is unique for each user but random is good enough. For each user get 16 byte salt, encode to an 8 character base64 string.

2) Choose a KDF (key derivation function, not a hash algorithm). PBKDF2, BCrypt, and SCrypt are all excellent.
In terms of computational cost, SCrypt > BCrypt > PBKDF2
In terms of reputable time tested, PBKDF2 > BCrypt > SCrypt

3) Store the output of KDF(PasswordSalt + CleartextPassword) in the Password field.

4) When a user logs in, take the cleartext password they submitted to the server, and compare the output of
KDF(StoredPasswordSalt + SubmittedCleartextPassword)
to the StoredPassword value.

Thats it. A salted KDF is so expensive to bruteforce and make a rainbow table for, that the only passwords that could be found out are those that are extremely weak.

While I won't say that this is absolutely necessary, since I use unique passwords, I would be rather upset if my account were stolen. I rather like cheathappens.

So why implement a salted KDF?
1) Its easy.
2) Imagine successfully hacking a website's user table only to discover that it'll take you a second per guess per user? Thats a **** sandwich. You get satisfaction and peace of mind that anyone that hacks your site will be eating a **** sandwich.
3) You can brag to your patrons about how ridiculously secure you are. And feel pride for if ever your site gets hacked, probably nobody's password will be compromised. Good feels all around. Except for the hacker whos eating the **** sandwich.

Page 2 of 2     First Page     Previous Page     Next Page     Last Page
Go to page: 1 
All times are (GMT -08:00) Pacific Time (US & Canada). Current time is 9:11:23 PM
Return to Feedback, Complaints or Problems Message Board 2124 users online.   2040 guests / 84 members.
Trainer Troubleshooting Guide        Cheat Terms and Tutorials        Anti-Virus Notifications        Site Help / FAQ        Submit Cheats        Our Friends and Affiliates        About Us
      Copyright © 2001 - 2015  webworks, LLC  All Rights Reserved    -   DISCLAIMER    -   PRIVACY POLICY    -   TERMS OF SERVICE