To those that had their account stripped
I have seen too many "I had been hacked" threads and I tried to remind people of having a good password in most of them, so instead of posting on them anymore, here are the reasons and what your password should be.
This only applies to those who TRULY never give out their info to ANYONE, even your BFF(s), family members, even your pet! This includes the email info used to register for MS. Also, it doesn't apply to those that have been infected with keyloggers.
If you fit the above description, then the ONLY reason you have been hacked is that somehow the hacker got hold of your info NOT from you, and the password was too easy to discover by hackers using either a huge list of popular passwords or brute force methods.
So, there is no way for you to stop hackers from accessing your info, BUT your password stored in Nexon's database is encrypted (or hashed) and there is no known method of using any algorithm to "reverse" an encrypted password back into plain text quickly.
Because the encryption algorithm is well known, the hackers can come up with an encryption program, then "feed" trial passwords into it to attempt to match the encrypted output with your encrypted password, and there are specialized programs that work with GPUs to greatly speed up the encryption process, so short passwords can be cracked relatively quickly.
The only way for users to protect themselves is to create totally random passwords (MS and your email) using the maximum allowable length (16 chars), with upper/lower case letters, numbers AND symbols. This way, even if the hackers have the above setup, it will take virtually forever to brute force crack your password.
I know it's a pain to remember and enter it, but you can keep it in a file and then copy & paste it.
For those that want to check how good their password is, you can google "password rater" and see what rating your current password returns.
For those that want to follow my guideline on creating a new password, there are lots of password generator websites; just google (again) and choose those that allow you to specify length and include numbers and symbols.
Good Luck, good Mapling and may you never get hacked again!
15 Comments
You guys have to use letters with accents on them.
or at least throw in a vertical bar (|) or underscore (_).
[quote=simmisahota]Can Somebody tell me what an arrow to the knee means[/quote]
Don't worry about it.
It's just silly Skyrim humour.
[quote=shaddow55]I doubt Nexon would store a non-hashed or salted password which was simply encrypted; that is medieval security right there.
The modern and more secure method should be:
1. Rego and enter password, password salted client-side.
2. Salt is encrypted and stored.
3. Since it is almost impossible to determine the original 'file', or in this case password, from a hash or salt, on top of the encryption, the user is completely protected.
The password is never actually sent, only a hash or, preferably, a salt.
Half these people that get hacked share info and/or have some kind of spyware or have been phished (let's all use Internet Explorer...). To be honest, I don't feel bad, because they will develop a smarter sense of security.[/quote]
I did not say anything about whether the encrypted passwords in the database are salted or not; salt simply adds more combinations to the password, which means more iterations of brute force calculations. The guideline for creating the password is still valid with or without salt. Also, if hackers got hold of the database, they would have gotten the salt too.
Salts are sent from the server to the client when the client requests a login; then the client applies the specified salt to the hashed password before sending the hashed result to the server for authentication.
It's true SOME of the people who got hacked are at fault themselves, but the recent compensation packages are the result of a massive database leak ~1.5 to 2 years ago that Nexon never admitted. Most hacked accounts belonged to people who had short/easy/non-random passwords.
Do you really expect Nexon to use the most modern security methods?
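The replies above argue about whether a leaked database is worth anything if the stored passwords are hashed and salted. The following is an added example, not code from this thread or from Nexon, showing the server-side form of that scheme: each record gets its own random salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 with an assumed, tunable iteration count), compared against the weak form of one fast unsalted hash. The usernames and passwords are constructed sample data. A leaked table of salted records still lets an attacker who knows the algorithm run the guess-and-compare loop the original post describes, but every guess must be recomputed per user and costs the full work factor, while the unsalted table gives away which users share a password before a single guess is made.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2: an assumed, tunable value for this example, not a Nexon setting.
ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords give equal stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Store a per-user random salt plus a slow, salted hash in one self-describing string."""
    if salt is None:
        salt = os.urandom(16)            # fresh 128-bit salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leak_reveals_shared_passwords(records: dict) -> dict:
    """Group usernames whose stored value is identical. With unsalted hashes this
    exposes everyone who picked the same password; with salted hashes it finds nothing."""
    groups = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return {v: users for v, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample: two users who (unwisely) chose the same password.
    users = {"alice": "Mapler123", "bob": "Mapler123", "carol": "x7$Qp!2vL9&mZ4#r"}
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    print("unsalted collisions:", leak_reveals_shared_passwords(unsalted))
    print("salted collisions:  ", leak_reveals_shared_passwords(salted))
    print("verify alice, right password:", verify_password("Mapler123", salted["alice"]))
    print("verify alice, wrong password:", verify_password("mapler123", salted["alice"]))
```

The stored string carries the algorithm name, iteration count and salt, so the work factor can be raised for new records without breaking verification of old ones. `hmac.compare_digest` is used instead of `==` so that verification time does not depend on how many leading bytes of a wrong guess happen to match.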
I doubt Nexon would store a non-hashed or salted password which was simply encrypted; that is medieval security right there.
The modern and more secure method should be:
1. Rego and enter password, password salted client-side.
2. Salt is encrypted and stored.
3. Since it is almost impossible to determine the original 'file', or in this case password, from a hash or salt, on top of the encryption, the user is completely protected.
The password is never actually sent, only a hash or, preferably, a salt.
Half these people that get hacked share info and/or have some kind of spyware or have been phished (let's all use Internet Explorer...). To be honest, I don't feel bad, because they will develop a smarter sense of security.
Damn, my pass is only 15 characters long and has no symbols. It does have a decent combination of numbers and uppercase/lowercase letters though.
I should get around to changing it some time soon...
i was gonna tell mods this thread is in the wrong place but then i took an arrow to the knee
OT: Arrow-to-the-knee =/= change password more often
my friend has my password and i have his. if he somehow turns against me in the 5 years ive known him then i could easily get into his email and change his too.
People need to realize the length of the password and the randomness DOES matter, in the case where the hackers have gotten hold of the encrypted password info from the database. Even with the help of a GPU cracking setup which can process ~1 billion encryptions per second, with 16 chars length, upper/lower letters, numbers and symbols, there are ~(26 + 26 + 10 + 31) ^ 16 = 31313180170800116587336013460801 combinations, which will take 992254 BILLION YEARS using the GPU setup to complete all the combinations.
Of course I follow what I preach with my passwords and PIC. I had posted my login ID along with my email to challenge those hackers to hack me, I am still waiting for the surprises.
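The original post's advice (16 random characters from upper, lower, digits and symbols) and the arithmetic in the comment just above (93 symbols, 16 characters, one billion guesses per second) are the same calculation. The script below is an added example, not code from the thread, that carries it through for several alphabet sizes and lengths so the drop-off for shorter or letters-only passwords is visible; the 31-symbol count and the 1e9 guesses/second rate are the thread's own figures, the 365.25-day year is an assumption. The worst-case years reported here only hold for a uniformly random password; a password drawn from a list of popular choices falls to the dictionary attack the post mentions first, regardless of length.

```python
import math

# Alphabet sizes as the thread counts them (26 lower, 26 upper, 10 digits, 31 symbols).
ALPHABETS = {
    "lowercase only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "lower + upper + digits + symbols": 26 + 26 + 10 + 31,
}

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60   # assumption: Julian year


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy a uniformly random password of this shape carries."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: the attacker tries every candidate at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def strength_table(length: int, guesses_per_second: float = 1e9) -> dict:
    """Map each alphabet name to (keyspace, entropy bits, worst-case years to exhaust)."""
    return {
        name: (keyspace(n, length),
               entropy_bits(n, length),
               years_to_exhaust(n, length, guesses_per_second))
        for name, n in ALPHABETS.items()
    }


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"--- length {length}, 1e9 guesses/s (the rate assumed in the thread) ---")
        for name, (space, bits, years) in strength_table(length).items():
            print(f"{name:32s} {space:>40,d}  {bits:6.1f} bits  {years:.3e} years")
```

Running it shows why the post insists on all four character classes at full length: eight lowercase letters are exhausted in minutes at the quoted rate, while the 93-symbol, 16-character case reproduces the comment's figure of roughly 9.9e14 years. Halving the guess rate or doubling it only moves these numbers by a factor of two; changing length or alphabet moves them by orders of magnitude.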
[quote=radkai]How can you tell if it's related to Maplestory? The names are meaningless jumbles.[/quote]
this.
You don't realize that password strength isn't much of a factor for this hacking?
Oh, and max password length isn't 16. During the times of the hackings, despite profusely denying they were even occurring, Nexon decided to, without announcing it, increase the cap to 24, 48, 64, 128.
[quote=NebulaSyndicate]Every now and then, run a virus scan with Malwarebytes if you want, and then press Start, type %Temp% and hit enter. Check if anything MapleStory related is there and delete it immediately. One account got hacked when I didn't do these. Second account doing these and so far so good *crosses fingers*[/quote]
How can you tell if it's related to Maplestory? The names are meaningless jumbles.
I used to care about my password, but then I took an arrow in the knee.
What's funny is that I had 25k NX charged on my account.
Vindictus characters all got wiped out
Didn't change password for 6 months
All NX and all my other games are still fine.
I blame Nexon.
Every now and then, run a virus scan with Malwarebytes if you want, and then press Start, type %Temp% and hit enter. Check if anything MapleStory related is there and delete it immediately. One account got hacked when I didn't do these. Second account doing these and so far so good *crosses fingers*
Ohh mk.