
Relax, take a deep breath, and stop the UserID hysteria

To combat the hysteria about leaked user IDs, why don't we all take a deep breath and think about this rationally...

Facts:
1) Nexon goofed- people may know some players' IDs.
2) That is an absurd and inexcusable mistake, and should result in us being able to change our IDs to make us feel warm and fuzzy again.

[b]However...[/b] consider these even more important facts:
3) Most systems (Yahoo, Gmail, any Unix/Linux system with a root account) have publicly known IDs
4) An ID is next to worthless with a good password and PIC
5) A 10-digit, mixed-case with special characters password will take roughly 900+ years for a desktop PC to hack.
6) An IBM supercomputer, testing 72 BILLION passwords a second (no network latency- nearly infinite bandwidth) took 82 days to crack a 12-digit mixed case, special character password
7) At my workplace, we're required to test out password strengths on our important databases a few times a year. We've been successful once- when it took a week for our 8-core machine to crack a 10 digit one that wasn't using a good combination of case and characters. Upping it to 12 digits has made it such that it never returned within the test window (a few weeks). We've been audited by security consultants and they found similar results.
8) Given this, the realistic worst-case scenario is someone 'locks' your account with too many failed attempts. That is a true annoyance and issue, and it sucks, but it's not going to make you lose the account for more than however long they'll keep locking it for. (Like DC Hacking- they got bored after a while).

Yes, it's absolutely possible that a silly password like "Password" will not be enough to protect you if your ID was leaked. However, choosing such a silly password is not the fault of Nexon. You would never do that on your Yahoo account and then blame Yahoo.

Use this as a learning opportunity to understand password strength. Use this as an opportunity to implement better passwords and PICs. Don't simply get hysterical, assume the sky is falling, and blame Nexon for a lapse in judgement that was the fault of a player who practiced terrible security practices.

Look at online tools like howsecureismypassword, microsoft, symantec, or any of the thousands of other resources available online. You'll see that brute forcing is not NEARLY as easy as it sounds for all but the most powerful supercomputers.

Sure, once hackers that long for fake online gold pieces and fancy brown work gloves have access to quantum computers that use qubits to try quadrillions of permutations a second, we'll have an issue. Until then, pick a good password and relax.

Bonus:
Here's a tip:
Pick a phrase specific to you and only you that is easy to remember.
(Example: "I am trying 2 explain how this Works to You as an example, get it?")
Turn it into letters and numbers.
1@t2ehtWtYa@3#gi?

Now look at that nice password! 1@t2ehtWtYa@3#gi?

17 characters of nonsense- and very very very time consuming to brute force. Longer than MS will likely be around.

August 30, 2011

12 Comments

myrdrex

[quote=LeonGoldMage]@myrdrex: I wouldn't have to remember my PW, notepad would [/quote]

Always another good option- writing it down or keeping it in a password keeping app.

As long as no one else has access to your desk, there's honestly no real threat to that. And notepad, well, if someone puts a bug on your PC to see what you're looking at they don't need the password anyways, since they can just watch you do it. So again, not exactly the worst security practice. (Just be sure you can back it up, so a hard drive crash doesn't wipe out your Nexon accounts by making them inaccessible!).

I personally write mine down on a piece of paper next to my desk, in case I forget. If someone honestly breaks into my house for my long passwords to steal mesos, well, then fine, they can have the mesos. I'll be more worried about all the real stuff in my house as well as my and my family's safety.

Reply August 30, 2011
myrdrex

[quote=LeonGoldMage]Some of my buddies said that changing your password on the site to something like 64 characters that include lower case, capital and symbols by randomly smacking around the keyboard would probably be the safest bet to making a secure password. Insight?[/quote]

That would be a bit extreme and unnecessary.

Beyond 15-16, the time for even a cluster of high end servers to brute force it is longer than MS will likely be around.

Besides, you wouldn't even remember something like that.

The best password is simply a combination of upper and lower case characters, numbers, and special characters.

You have a nice password like "1@t2ehtWtYa@3#gi?"
(short for "I am trying 2 explain how this Works to You as an example, get it?")
will more than suffice.

Pick a phrase that you can remember, turn it into letters and special characters, and you have something that makes this 'security breach' a total non-event.

Now, if Nexon ever has a database breach where passwords are handed out, then yes, we're all hosed. Nothing can protect you from that. Then again, nothing can stop a band of ninjas breaking into your house and slicing off fingers until you hand over all your mesos. But there's no point in worrying about unlikely scenarios outside our control.

Reply August 30, 2011
LeonGoldMage

Some of my buddies said that changing your password on the site to something like 64 characters that include lower case, capital and symbols by randomly smacking around the keyboard would probably be the safest bet to making a secure password. Insight?

Reply August 30, 2011
GazimoEnthra

You forgot that you cannot change your ID and that Nexon has extremely mediocre security that has been breached by password and PIC bypasses multiple times before. It's only a matter of time until another one comes out.

Reply August 30, 2011
myrdrex

[quote=BladeLust]What do you mean by using special characters in our passwords? Is it things like: #/$/& ?
Some sites don't let you use them for your password.[/quote]

That's exactly right.

The more types of characters you use and are allowed, the better the password strength.

And it's not even hard to generate a good and easily remembered password. Think of something related to the site, use every first character of each word in that thought (along with special characters), and you're in good shape.

For example: Let's pretend I use this sentence to remember my MapleStory password:
"Grinding from level #100 to #120 is Uber-painful! So true!"

You could have a password of:
"Gfl#1t#1iU-p!St!"

That's a 16 character long password with upper, lower, and special characters. It would take centuries to crack that with any brute force attack using modern technology.

Granted yes, some sites won't allow special characters, some will limit your password length, etc... But Nexon allows quite a bit, more than enough to have a secure password that can withstand a brute-force attack.

Reply August 30, 2011
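The sentence-to-password rule in the comment above can be stated precisely, and it is worth seeing that it reproduces the comment's own result. The code below is an added example, not code from the comment, from the original post, or from Nexon: the rule it implements (keep every punctuation character, keep only the first character of each run of letters or digits, drop spaces) is inferred from the comment's example and yields exactly "Gfl#1t#1iU-p!St!". The original post's own example does not follow this rule verbatim, since it substitutes characters by hand (I → 1, am → @, and so on); the `min_length` threshold of 12 is an assumption for illustration, in line with the thread's advice that 15-16 characters is already more than enough.

```python
"""Derive a password from a memorable sentence, then check its character mix.

Added example, not code from the comment or the post. The derivation rule is
inferred from the comment's example ("Grinding from level #100 to #120 is
Uber-painful! So true!" -> "Gfl#1t#1iU-p!St!"): every non-alphanumeric
character is kept, each run of letters/digits contributes only its first
character, and whitespace is dropped. The min_length threshold is assumed.
"""
import string

SPECIALS = frozenset(string.punctuation)


def first_chars(sentence):
    """Collapse each run of letters/digits to its first character; keep symbols, drop spaces."""
    out = []
    in_run = False
    for ch in sentence:
        if ch.isalnum():
            if not in_run:
                out.append(ch)
            in_run = True
        else:
            in_run = False
            if not ch.isspace():
                out.append(ch)
    return "".join(out)


def missing_classes(password):
    """Which of the four recommended classes the password lacks (empty list = full mix)."""
    checks = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    return [name for name, present in checks.items() if not present]


def derive(sentence, min_length=12):
    """Return (password, problems): the derived password and any weaknesses found.

    `min_length` is an assumed threshold for illustration; the thread itself
    treats 15-16 characters as more than enough.
    """
    pw = first_chars(sentence)
    problems = [f"missing {name} characters" for name in missing_classes(pw)]
    if len(pw) < min_length:
        problems.append(f"only {len(pw)} characters (want at least {min_length})")
    return pw, problems


if __name__ == "__main__":
    # The first sentence is the comment's own example; the second is the post's;
    # the third is a constructed short sentence that fails the checks.
    for sentence in [
        "Grinding from level #100 to #120 is Uber-painful! So true!",
        "I am trying 2 explain how this Works to You as an example, get it?",
        "So true!",
    ]:
        pw, problems = derive(sentence)
        print(f"{sentence!r}\n  -> {pw!r} ({len(pw)} chars) {problems or 'OK'}")
```

The point of the class check is that the comment's advice has two halves: the sentence must be long enough to yield a dozen-plus characters, and it must contain a digit and some punctuation, or the derived password will be letters only. A sentence the owner will actually remember matters more than any particular rule, which is also why the password, not the sentence, is what should be typed and never the sentence itself.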
Zulucker

if you guys want the link to the website with all the IDs, here ya go---------------- just use it to check whether your own account is there or not, but a lot of people have been victims of this, and I couldn't believe that you said it took 82 days to crack a 12-letter password; guess that must have calmed a lot of people down

EDIT: just read that i cant post the link and also thanks to person below me, sorry basil bros

Reply August 30, 2011 - edited
BladeLust

What do you mean by using special characters in our passwords? Is it things like: #/$/& ?
Some sites don't let you use them for your password.

Reply August 30, 2011 - edited
myrdrex

I wouldn't necessarily say they DESERVE to be hacked- only a true jerk deserves that. But it's certainly not Nexon's fault when people have lousy passwords, download keyloggers, enter their info into those giveaway sites, etc...

Reply August 30, 2011 - edited
myrdrex

[quote=LastTrueWH]it took the computer that long because it had to test them all derp
get it?
let's say the pass had 10 digits and it has numbers 1-10 and letters A-Z
It would try out every single possibility
first it would make doubles then triples then to 10 digits
A1B2C3 and so on to Z (the digits repeat)
that didn't work
A1B3C3...and so on until it finds the right numbers[/quote]

Yes, that's exactly my point- with a good password, the only choice is to brute force it, which takes obscenely long for precisely this reason. It sounds easy, simply try every possible combination of characters, lower and upper, and special characters. But in reality it takes long enough to be effectively uncrackable.

Don't use common words or phrases, keep the password long, use lower and upper case, use special characters, and you're at no risk of a stolen account simply because someone has an ID.

Reply August 30, 2011 - edited
Kiyoshiro

yes it's on the internet

and people who set their passwords to something like '123456' or 'qwerty' probably deserve to be hacked anyway

Reply August 30, 2011 - edited
myrdrex

[quote=Sandraa2]Said this to my guild as well, they were freaking out and gave all sorts of sites where the list should be..
Is it really on the internet?[/quote]

Yes, there was a list of around 19-20k people's IDs.

However, as I pointed out, it's not the end of the world for anyone with a decent password. There's no need for alarm.

Whether your ID was on the list or not you SHOULD have a good password. As long as you do, then life is just peachy.

Reply August 30, 2011 - edited