Well, I guess the only way around this is to lock your account with an invalid password. You can then only relog when you request a password change and input a valid one.
inb4 Nexon's announcement:
Quote:
Originally Posted by Nexam
Well, as of now, it's the only explanation for what is happening: sw.net database leak, hacker probably trying every email he got to find if it is valid (since you can use your email address to log on to your Maple account), then he looks at the SP/sw.net user accounts and tries them as login IDs too.
Can be rumor, can be real, but it's the best explanation of the case.
Yanfly:
So password hashes are that easily cracked nowadays? Or does he mean that Nexon is using some inferior encryption method?
Quote:
Apparently, going to the login page and inputting the wrong password will yield the right password but encrypted. This is unfathomable security if anything. Any one with a mediocre level of programming and logic base understanding can break and decrypt what Nexon put out. I managed to decrypt the jumble of text in a matter of less than a half hour. Now, I did nothing to the person’s account that I decrypted, but I seriously have to question Nexon’s campaign for players protecting their own accounts.
Also sounds like the PIC is totally useless. May as well set it to 111111 for efficient relogging.
so all u have to do is keep forum email and maple email diff :f3:
Sheer dumb luck and a bit of paranoia is probably all that's keeping my account mostly safe at the moment.
I don't touch the MTS, never log in through the site, and my email/log-in name is so old that it doesn't relate in any way to any character name I possess or any screen name I use on SP or Basil.
And I have a PIC and password from hell but at this point I don't think either of those accomplish very much.
Blowfish/bcrypt with the correct adaptivity secures passwords damn well, so it would mean the latter.
If they're using SHA or MD5, then they're messing around:
See that you have the possibility to use a checksum to check if the data is correctly downloaded? The reason those algorithms are there is because they're able to check whether a file gives the correct checksum with those algorithms damn fast. Because of that, there's no problem trying out very many different passwords in a very short amount of time, and with enough computing power, you'll eventually get a hit.
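The point made above (a checksum-style digest is built to be fast, which is exactly what makes it a poor password store, while an adaptive KDF is built to be slow) can be measured directly. The following is an added example, not code from the thread or from Nexon; it uses only the Python standard library, swaps in PBKDF2-HMAC-SHA256 for bcrypt because it ships with Python, and the wordlist and iteration count are constructed for illustration.

```python
"""Added example: why a fast digest (MD5/SHA) is the wrong tool for storing
passwords, and what a salted, adaptive KDF record looks like instead.
Standard library only; PBKDF2 stands in for bcrypt/scrypt here.
"""
import hashlib
import hmac
import os
import time

# Constructed wordlist, just large enough to measure a guess rate against.
CONSTRUCTED_WORDLIST = [f"maple{n:04d}" for n in range(2000)]

# Assumption: tune this so one verification costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 200_000


def fast_digest(password: str) -> str:
    """Unsalted SHA-256: the 'checksum' style hash the post warns against."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build a storable record: algorithm, iterations, random salt, derived key.

    The salt is fresh per password, so identical passwords get different
    records and a precomputed table is useless against the whole database.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def guesses_per_second(check, seconds: float = 0.2) -> float:
    """Count how many candidate passwords `check` can evaluate per second."""
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:
        check(CONSTRUCTED_WORDLIST[count % len(CONSTRUCTED_WORDLIST)])
        count += 1
    return count / seconds


def slowdown_factor() -> float:
    """Ratio of fast-digest guess rate to PBKDF2 guess rate.

    This is how much harder the adaptive KDF makes a brute-force search than a
    plain digest on the same machine; larger is better for the defender.
    """
    record = store_password("correct horse")
    fast = guesses_per_second(fast_digest)
    slow = guesses_per_second(lambda pw: verify_password(pw, record))
    return fast / slow


if __name__ == "__main__":
    rec = store_password("hunter2")
    print("stored record:", rec)
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:  ", verify_password("hunter3", rec))
    print(f"PBKDF2 is ~{slowdown_factor():,.0f}x slower per guess than SHA-256")
```

The iteration count is the "adaptivity" the post refers to: it is stored alongside the hash, so it can be raised as hardware gets faster without invalidating existing records, and `verify_password` honours whatever count each record was created with.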
A link to the same article was posted on Nexon forums, and promptly deleted.
When asked why it was deleted, -Hime- replied:
http://forum.nexon.net/MapleStory/fo...d/8279200.aspx
When locking another thread about the current hacking epidemic, she said:
Quote:
Originally Posted by -Hime-
http://forum.nexon.net/MapleStory/fo...d.aspx#8248670
Ah well. At least we know someone at Nexon is aware of this "already sensitive situation".
Quote:
Originally Posted by -Hime-
Can anyone check whether they've changed the website login page not to give out the (hashed) password anymore?
Please send a ticket to nexon that'll work!! (or not... going off of my still open ticket from well over a year ago now.)
I would expect nothing less than total denial of anything on Nexon's end. That's their game; always has been and most likely always will be.
At least they're acknowledging that this pomegranate is real.
Too bad they won't ever come out and say that it's their fault for failing so much so many times and on so many levels.
Inputting a wrong password yields the actual (encrypted) password? -___________- seriously?
I can't seem to reproduce YanFly's supposed explanation. There's nothing there o.o
lol
What a load of bullcrap.
I doubt that if you put the wrong password in, it will show the pw right in front of you.
This goes back to what I was saying before about Nexon changing their password section. Before, under Manage Account, it would show your actual password in plain text when you requested to change it. Now it doesn't do it anymore since they changed it.
@danny maybe he is using a special program that you don't have. This guy knows his stuff, you know.
Post from basil on the same subject as the blog(http://www.basilmarket.com/forum/2196294/7)
"myrdrex: That doesn't seem right- the response is a simply JSON message:
{"error":{"code":"1510","type":"Unauthorized","message":"INCORRECT_ID_OR_PASSWORD"}}
Just set up a SSL proxy, decrypt it, and you'll see that. There's no embedded password at all on the response that comes back from a failed login.
"PepsiMin: ^ This is correct. Also, -Hime- on the nexon forums stated that they do not store any passwords on their end (believe it or not).
SO, THIS THREAD IS 100% INCORRECT. There's no proof (SS) of any encrypted passwords being sent back posted by the person who started this rumor, and until I see one, you should all regard this as a false scare.
About the hackings going on for the past month or so, I honestly don't know what's causing it. There could be other security holes in the game that hackers are exploiting."
This guy (judging by my eyes and perhaps my disbelief in his theory) and what he said seem more reliable than the thread starter. I also could not re-create what the TS was talking about, so as far as I'm concerned, it's bullcrap unless he posts actual proof instead of words.
lol I remember back in the days when nexon did that hackers started logging in by changing the verification packet from a no to a yes so they could log in with the wrong password. It would be kinda odd that they could fix that but still send the password packet (encrypted) for verification.
How hard is it to decrypt those passwords in the packet (if they exist)?
In before new pw requirement is 64 digits long at least one number, at least one lowercase letter, at least one uppercase letter, at least one symbol, have no words found in a dictionary, and must be changed every 10 days. :f3:
About the hackings: I have not been hacked yet to my knowledge on any of my 31+ accounts. Though with some of my mules maybe I wouldn't know because maybe they didn't take anything, though I would think they would take the mesos even though most of my accounts only have a mil or less mesos per character. My mules all have maple chairs, some have whips, but maybe those things just aren't valuable enough to mess with. My mains or stores certainly have not been hit (but that's much smaller, like 6 accounts - and much harder because they are logged in a lot).