Hey, Nublets, Change your password

Discussion in 'General' started by Kylegar, Jan 6, 2011.

  1. Kylegar

    Kylegar Specstax Rule

    Messages:
    2,170
    Likes Received:
    0
    Trophy Points:
    0
    Hey, Parts of the Empires website were hacked (not the forums). If your forum password is the same as your Wiki or Mantis password, CHANGE IT

    Thanks!

    More Info: http://forums.empiresmod.com/announcement.php?f=2

    (forums are fine because they were on a separate server. If you do not have a bug-tracker or wiki account, you are probably fine)
     
  2. rampantandroid

    rampantandroid Member

    Messages:
    2,664
    Likes Received:
    0
    Trophy Points:
    0
    If it's an MD5, are you really suggesting they spent the time and had the know-how to decode it? It's been shown to be possible, but last I looked it's hardly simple or commonplace... esp. if you seed the hash with some existing value to throw it off.
     
  3. PreDominance

    PreDominance Member

    Messages:
    4,182
    Likes Received:
    0
    Trophy Points:
    0
    RA you're talking about the game that had the attention of a few DDOS'ers for quite some time. Obviously Empires is the "High-Priority" target of many many hackers/skiddies.

    Why? They know that Empires will eventually have a place on the "Golden Shelf" of each retail store and will be front-page Steam news for a month.
     
  4. Trickster

    Trickster Retired Developer

    Messages:
    16,576
    Likes Received:
    46
    Trophy Points:
    0
    Are you....stupid? It took me 5 minutes to crack an 8char capsnumberlowercase password in MD5 using the CUDA cracker. Let alone if they used rainbow tables. The forum has a much harder to break encryption as well as being on another forum, it would take them months if not a year to crack one password. But as the announcement said, mantis bug tracker uses a STRAIGHT md5, nothing else. Which is why it has since been removed.
     
  5. MOOtant

    MOOtant Member

    Messages:
    4,047
    Likes Received:
    0
    Trophy Points:
    0
    You should never use MD5 for passwords, not even salted. MD5 is simply too easy to compute. The site below shows that you can execute MD5 a million times per second or more.
    PostgreSQL even has proper cryptographic functions that can be tweaked to be as slow as desired. But it's not like your random something PHP coder will care.

    Here's an explanation:
    http://chargen.matasano.com/chargen...bow-tables-what-you-need-to-know-about-s.html
    Here's even an already-made function for PHP that has a CRYPT_BLOWFISH option with a cost parameter - you can tweak it to be as slow as you want. If salted, it'll take centuries to crack 1 password.
    http://php.net/manual/en/function.crypt.php
     
    Last edited: Jan 6, 2011
  6. -=]Kane[=-

    -=]Kane[=- Member

    Messages:
    2,925
    Likes Received:
    7
    Trophy Points:
    0
    Change wiki and mantis passwords too, or will they get hacked again anyway? :pathetic:

    And how long ago did it happen? Could it be that he/she already searched for user info on the forums ...? Guess yes, huh ...
     
    Last edited: Jan 6, 2011
  7. Chris0132'

    Chris0132' Developer

    Messages:
    9,482
    Likes Received:
    0
    Trophy Points:
    0
    I don't have a wiki or mantis password afaik.
     
  8. Fooshi

    Fooshi For fuck's sake Fooshi

    Messages:
    4,741
    Likes Received:
    18
    Trophy Points:
    0
    I think I signed up on the bug-tracker once upon a time, but I've never used it.
    However, I changed my password on the forums not so long ago, way after signing up, so I should be fine.
     
  9. Kylegar

    Kylegar Specstax Rule

    Messages:
    2,170
    Likes Received:
    0
    Trophy Points:
    0
    MD5 is super easy to compute. Years ago, brute forcing a 6 char md5 hash would have taken years, but now it takes hours. Additionally, rainbow tables are really easy to get ahold of now, and that takes all the effort out of cracking passwords (a rainbow table is a file of precomputed hashes, like "aaaa = 1ab2c23d5e3f"). If you salt your password (which vBulletin does, which is another reason the forums are safe), then it is much harder to get your password. HOWEVER, Mantis did not salt passwords... which is why we are making this announcement.
     
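    The point made in posts #5 and #9 (an unsalted fast hash can be looked up in a precomputed table, while a salted, deliberately slow hash cannot) as an added example; this is not code from the thread or from Mantis/vBulletin. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for PHP's CRYPT_BLOWFISH with a tunable cost, and the password list and "table" are constructed here.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a rainbow table: candidate passwords mapped from
# their unsalted MD5 digest. A real table is far larger, but the lookup is the same.
CANDIDATES = ["aaaa", "password", "empires", "letmein1"]


def unsalted_md5(password: str) -> str:
    """Legacy scheme described for the bug tracker: plain MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    return {unsalted_md5(c): c for c in candidates}


def recover_from_table(stored_hex: str, table: dict):
    """Unsalted hashes of common passwords fall out with a dictionary lookup."""
    return table.get(stored_hex)


def is_legacy_md5(stored: str) -> bool:
    """Defender-side check: flag 32-hex-char records so they can be re-hashed at next login."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def slow_salted_hash(password: str, iterations: int = 100_000, salt: bytes = None) -> str:
    """Per-user random salt plus a cost parameter (iterations) that makes each guess expensive.
    Output format 'pbkdf2_sha256$iters$salt$digest' is an assumption of this example."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare avoids timing leaks."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted md5 of 'empires' recovered:", recover_from_table(unsalted_md5("empires"), table))
    stored = slow_salted_hash("empires")
    print("salted record in table:", recover_from_table(stored, table))  # None
    print("verify correct password:", verify_slow_salted("empires", stored))
```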
  10. rampantandroid

    rampantandroid Member

    Messages:
    2,664
    Likes Received:
    0
    Trophy Points:
    0
    Kylegar picked up on what I meant; no seed or salt was added, so you're just toast. The announcement didn't say it was a straight hash, so no - I'm not stupid. I was in the dark.

    OK, that's just bad...and now I understand. Any proper login system at least MD5s the passwords with salt...or uses SHA2 now I guess.

    Also, aren't rainbow tables something like 10 GiB?
     
    Last edited: Jan 6, 2011
  11. Emp_Recruit

    Emp_Recruit Member

    Messages:
    4,244
    Likes Received:
    0
    Trophy Points:
    0
    bro my dad works for NSA fucking hack u all day with anything
     
  12. complete_

    complete_ lamer

    Messages:
    6,438
    Likes Received:
    144
    Trophy Points:
    0
    well my uncle works for Nintendo
     
  13. Krenzo

    Krenzo Administrator

    Messages:
    3,771
    Likes Received:
    0
    Trophy Points:
    0
    If someone tried to log in to the forums using a password they gleaned from those databases, you would know. I have only received an invalid password attempt message when someone tried to log in using the list of decrypted Gawker passwords.

    The people who hacked the site just appear to be script kiddies from IRC. Hell, they said they were from Dalnet. What kind of self respecting hacker would hang out on Dalnet? I think they just crack a bunch of easy sites for giggles and drop their junk on the server. They didn't even bother to take the time to deface the web site or anything.
     
  14. Kylegar

    Kylegar Specstax Rule

    Messages:
    2,170
    Likes Received:
    0
    Trophy Points:
    0
    and I have a 1.5 TiB HD sitting on my desk that I bought for $80. Your point is?

    In reality, this only affects the very small portion of users that have Wiki and Mantis accounts. We haven't used mantis for ~6mo/1year now, and registration was limited for the wiki. However, it's still a good idea to change your password.
     
    Last edited: Jan 6, 2011
  15. rampantandroid

    rampantandroid Member

    Messages:
    2,664
    Likes Received:
    0
    Trophy Points:
    0
    I'm not calling the size prohibitive, I'm just finding rainbow tables amusing. There was no point :)

    Also, 1.5 TiB? What on earth? They make "1.6GB" drives?
     
    Last edited: Jan 6, 2011
  16. Kylegar

    Kylegar Specstax Rule

    Messages:
    2,170
    Likes Received:
    0
    Trophy Points:
    0

    Gah, that was supposed to be TB XD
     
  17. Deadpool

    Deadpool SVETLANNNAAAAAA

    Messages:
    2,246
    Likes Received:
    0
    Trophy Points:
    0
    this thread makes me hungry
     
  18. rampantandroid

    rampantandroid Member

    Messages:
    2,664
    Likes Received:
    0
    Trophy Points:
    0
    Make sure to have some salt
     