Yuko banned.



Well, everything here that I could say has been said already so I'll just reinforce the main point of the post. Change your password. Even if it's encrypted there's always a chance it could be decrypted. It's a shame this happened but other than changing our passwords there's not much anyone can really do about it.

Link, if luck was a snail you still couldn't catch it…. I feels bad man :/

Thanks for letting me know my password hash was stolen.... I don't use that password for anything but this site thank the heavens.... It's still very good to know and I appreciate this move as far as administration goes.

As for Yuko.... wow.... unbelievable..... I'm going to go register just to tell her she's a bitch to her face since she can't read these forums any more.... another thanks for the info on that one ;)

I'm surprised this even happened, but I see it as a learning experience. You can't always trust someone, especially if their past is very colorful. There is nothing that can be done, she stole the DB, so you can go around and change your passwords. Even though I don't really see a point to doing so, because they are encrypted and salted, so she won't be breaking them unless you have bad password practices. She's gone for good, so I don't really see a point in fueling the fire. I hope this was an eye opener for Link to choose who to trust a little better. If it was me I would require them to have some references of people from the community and also look at past indiscretions. That's just my two cents, take it or not. Eclipse has been through a lot and has almost died on multiple occasions. But it is the last of the Mirage era engines from what I know, so just continue to advance it and I think it will be nothing but blue skies. If you stick with the same path though, sooner or later it's going to burn out, and I know I don't want to see that happen.

Hopefully she can't decrypt the passwords. The account info I use on this site is one of my most used ones. Shame on you admins for trusting someone who is known for doing bad things when they are in power. I would've only trusted her up to Moderator, since mods can only affect threads and these can be restored. Anyway, the deed is done, hopefully no one else gets their hands on my account details in the future (at least from eclipse)

@'MadalinV':

> Hopefully she can't decrypt the passwords. The account info I use on this site is one of my most used ones.

You probably should not mention this; anyone knowing such information would probably act on it immediately. However, I disagree with everyone on a separate point. This thread has too much overreaction. Despite the talent in this community I doubt anyone could use such information as encrypted passwords. I worked with her and Galactic about a year ago and she posed no threat, if that is the answer people are looking for.

It's actually quite funny how much you guys overreact; it shows how vulnerable and weak this community has grown. Anyways, good luck with everything Link, hope things get resolved, but I don't think anyone here on this community is really innocent, a lot of bad mistakes.

Good day

@'MadalinV':

> The account info I use on this site is one of my most used ones. **Shame on you admins**

Wait…shame on admins for....wait...what? Shame on you for using the same password everywhere.... pro tip about network security: the password could have been stolen by other means, and this is bad practice on your part. Not saying the site owner made the best decision or did not make the best decision, but I must state that your decision to use the same password for all accounts is a terrible one.

www.youhavedefinitelypwnedyourself.com

This post is blissfully ironic.
Did I say ironic, I meant iconic. This post is blissfully Iconic.

edit:
Just thought this could have a double meaning. It's ironic aimed towards me.

_tl;dr Passwords are hashed, not encrypted (much better than if they were encrypted), if your password is longer than 10 characters, is at least single-case alphanumeric, and you aren't being singled out for password looting by Yuko, you're more than likely safe._

So, to clear things up so people are a little less panicky: even assuming she still has the data and is willing to invest the time and money into cracking passwords, if you have a password that is 12 characters or longer and not easily guessable, you're more than likely fine.

First of all to correct one dangerous (if you ever enter cyber-security) misconception, the passwords are **NOT** encrypted. Encryption is **_almost_ useless** because it can be **decrypted**. They aren't plaintext though, so don't panic and run yourself into a wall in fear.

While it is pretty weak (to attacks that would only help her gain access to your account, not your password and is a more or less unrelated and irrelevant topic), the passwords are hashed with MD5 and salted. The procedure stock MyBB uses to secure your password is by using MD5 to hash what is more than likely a user-unique salt, which is then prepended to your password and then that new string is hashed again and this is put into the database. The reason these hashes, even when using MD5, are relatively secure are because it's not possible to extract the original text from the hash using a key – which you could do if it was just encrypted. What is done is that MyBB stores the hash in the database and when you attempt to log in, it will go and compute the salted hash based on the password you provide it and compare it to the hash stored in the database. If they match, you are allowed to proceed.

The salt prevents her from using a rainbow table (pre-generated hash lists for massive amounts of strings) because the introduction of the salt (which she has since it has to be stored in the database) makes it so she would need a rainbow table for each user, so up to 50,000 users. Since rainbow tables can be massive (in the gigabytes), 50,000 unique rainbow tables would be an absurd size, this is plunging directly into the territory of hundreds of terabytes to store this information -- which she does not have and would need to generate, which means the method of password "procurement" would just be brute force generation of any and all possible passwords.

Now onto the good news. If your password isn't an easily guessable piece of crap (i.e. "password") you are probably in luck, especially if your password is 12 characters or longer, and especially if it is alphanumeric, mixed case or contains symbols.

While I doubt she has it or could write good enough code to automate this, and assuming she has and uses this, the Titan X is one of the fastest hashers in the world, running around 17 billion hashes per second. I figure using one of the "worst case" scenarios is better when discussing level of risk.

Now onto more hard numbers and math.

**Bad passwords first.**
If you have a numeric password it has a complexity of 10 (10 digits) per character, so for a 10 character password, it would have a complexity of 10 billion (complexity 10 ^ 10 characters). It would take less than 1 second for her to crack your specific password alone, assuming she knew it was 10 digits or less and only numbers.

An entirely lowercase password (e.g. "password") has a complexity of 26 per character, so for a 10 character password it would have a complexity of 141 trillion – 2.3 hours or less to crack.
Lowercase + numbers is 36/char, so at 10 characters it would take up to 2.5 days.

**Better passwords now.**
Mixed case is 52/char, at 10 characters it would take up to 99 days.
Mixed case alphanumeric is 62/char, at 10 characters it would take anywhere up to 1.6 years.

Now if you have a mixed case alphanumeric password with symbols (which MyBB allows) she'd probably need to have a character set of around 70-80 characters, so around 70-80/char, yielding a brute force time between 5.3 and 20.1 years for one password.

As a recommendation, if your password is less than 10 characters, change it (to something longer, please). If your password is weaker than lowercase + numbers, change it to be at least that. If you think she would target you and try to get into your account, change it. If you don't apply to any of the preceding groups you're probably fine, but obviously changing your password is never a bad idea, but this "breach" isn't something to be overly panicked about.

For reference a lowercase + numbers password at 12 characters would take 8.9 years to crack in the best case (for you) scenario, and if it's 16 characters you're probably safe with a best case (again for you) time to crack your and only YOUR password if she targeted you, of 14.9 MILLION years.

If your password is mixed-case alphanumeric and your password is 10 characters or more it will take at least 1.6 years to crack it with a single Titan X, assuming she even has one and wrote the code to automate this. You probably needn't bother changing your password.

**Ending tidbits**
Being realistic, I doubt she has or could properly create any set-up to efficiently crack the passwords (especially not all 50,000 of them). A Titan X, which I based all of these numbers on, for reference, is 4 times slower than the fastest GPUs for hashing, but in practice will not hit the hash rate of 17 GH/s. All of my numbers have been with that 17 GH/s number, so in reality the time estimates will be much higher, perhaps even several orders of magnitude slower than what I mentioned above.
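To make the post above concrete, here is an added worked example (not code from the forum, MyBB or the poster): it reconstructs the salted double-MD5 scheme as the post describes it (md5 of the salt, prepended to the password, hashed again; MyBB's real routine may differ), shows why a per-user salt defeats a single rainbow table, and reproduces the post's brute-force time arithmetic at the assumed 17 GH/s. Sample users and the 80-symbol character-set size are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumed "worst case" cracking rate from the post: a Titan X at 17 billion MD5/s.
TITAN_X_HASHES_PER_SEC = 17e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def make_salt(length: int = 8) -> str:
    """Random per-user salt; it is stored in the database beside the hash."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def hash_password(password: str, salt: str) -> str:
    """Salted double MD5 as the post describes it: md5(md5(salt) + password).
    Hypothetical reconstruction for illustration; MyBB's own routine may differ."""
    return md5_hex(md5_hex(salt) + password)

def verify_password(candidate: str, salt: str, stored_hash: str) -> bool:
    """Login check: recompute from the submitted password and compare to the DB value."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)

# Character-set sizes used in the post's arithmetic (80 assumed for the symbols case).
CHARSETS = {"digits": 10, "lower": 26, "lower+digits": 36,
            "mixed": 52, "mixed+digits": 62, "mixed+digits+symbols": 80}

def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = TITAN_X_HASHES_PER_SEC) -> float:
    """Time to try every string of exactly `length` chars against one user's salt."""
    return charset_size ** length / rate

def years_to_exhaust(charset_size: int, length: int) -> float:
    return seconds_to_exhaust(charset_size, length) / SECONDS_PER_YEAR

def crack_time_table(length: int) -> dict:
    """Years of single-salt brute force per character set at a given length."""
    return {name: years_to_exhaust(size, length) for name, size in CHARSETS.items()}
if __name__ == "__main__":
    # Constructed sample users: same password, different salts -> different hashes,
    # which is why one precomputed table cannot serve every row of the dump.
    alice_salt, bob_salt = make_salt(), make_salt()
    alice_hash = hash_password("Tr0ub4dor&3", alice_salt)
    print("hashes differ:", alice_hash != hash_password("Tr0ub4dor&3", bob_salt))
    print("login ok:", verify_password("Tr0ub4dor&3", alice_salt, alice_hash))
    for name, years in crack_time_table(10).items():
        print(f"{name:>22}: {years:.2g} years")
```

The figures match the post's (under 1 s for 10 digits, about 2.3 hours for 10 lowercase, about 1.6 years for 10 mixed-case alphanumeric); note that these are exhaustive-search upper bounds per single user, and MD5's speed is exactly why modern sites use slow hashes such as bcrypt or Argon2 instead.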

@'Diefool':

> @'MadalinV':
>
> > The account info I use on this site is one of my most used ones. **Shame on you admins**
>
> Wait…shame on admins for....wait...what? Shame on you for using the same password everywhere.... pro tip about network security: the password could have been stolen by other means, and this is bad practice on your part. Not saying the site owner made the best decision or did not make the best decision, but I must state that your decision to use the same password for all accounts is a terrible one.
>
> www.youhavedefinitelypwnedyourself.com

Yes, it is my fault that I use the same password for multiple accounts, that is my choice, but it was not my choice to have her in a high position and it wasn't my choice for her to have my info (as hard to break as it is). Should I have used a better password? Maybe. Was it my fault, as you said, that the account was leaked? No.

Thank you for the info, panda.

I agree with Madalin. I also use the same password for many things, except my e-mails and such; it's pretty hard to remember every damn password for every damn website. It's the job of those who own the websites to make sure they have good protection against situations like this, so that even if the passwords are stolen, the thief can't do shit with them, not just some pure bs which can easily be converted to text.

If you have a respectable amount of accounts, then you'd better do your damn job and take care of them the best you can. Trust no one with important stuff. This incident proved only how childish he is, always making bad choices and apologizing, followed by some drama, then a little peace time mixed with hyping something new, disappointing us again, then again apologies, again drama.

@'Helladen':

> I will tell her to take the site down and purge the files, if she keeps this up we will remove her from Nin Online team.

Lol she is still in your team while you know about this?

I don't care that she stole the DB, but she did show that she can't be trusted. I would've removed her from my team immediately.

I'm still not sure why people don't care much about the DB being stolen. It's your data that Yuko has. She's stolen it to create her own forums. Who knows what she might do next. What if she dumps the database in some hidden part of the internet? Your data gets leaked and there (most probably) will be people who'd be ready to 'de-hash' (read: bruteforce) the passwords.
