Just an update.
Passwords can now be 128 digits long, and GameLauncher goes up to 128.
Last edited by RahlsSoldier; 2011-09-06 at 01:19 AM. Reason: Additional content.
I was told pw was 64 digits 3-4days ago, and now 128.
And just last week Game Launcher didn't even go over 12. I wonder why Nexon is doing this without announcing it. Is it a "We've been secure all along" ploy? I don't see the point in having a password that long anyways. After a certain amount of characters it just becomes unrealistic to be breached by brute force and more likely to be done in by a password bypass.
http://keepass.info/
?
Yay update.
1. Number limit is 128. As in, only numbers.
2. Mixed character limit is 60.
3. If you copy paste, it cuts off at 12 or so.
Hope that helps.
I have no idea how NEXON's internal infrastructure is set up, so I'm just going to be going out on a limb here, but, do you think they could have gotten access to a password hash database? I know some setups use those...basically, that would enable them to "bruteforce" a huge list of hashes and combine matches for optimum results. If their bruteforcing is based on the old 12 character system, that wouldn't be hard at all to get hundreds of matches a day. Which, on that same token, if someone were to update to a 13^ character password, it would render their script useless on those accounts. A small chance, but anything to reduce a chance of getting hacked is better than nothing, right? And it's not like NEXON is going to publicize the exploit after they fix it, so we never will know what actually happened unless the people with the script tell us.
Like this, according to BMS.
AccountID  AccountName  PasswordHash                      Pin
0          admin        21232f297a57a5a743894a0e4a801fc3  1234
1          admin1       21232f297a57a5a743894a0e4a801fc3  1234
2          admin2       21232f297a57a5a743894a0e4a801fc3  1234
3          admin3       21232f297a57a5a743894a0e4a801fc3  1234
4          admin4       21232f297a57a5a743894a0e4a801fc3  1234
5          user         21232f297a57a5a743894a0e4a801fc3
Bringing up cracking hashes reminds me of the original db leak.
I still remember being shocked my password was in one of those rainbow table things.
I recall from the last account-hack event that a 12-character password with mixed lower-case, upper-case, and numbers was more than sufficient to make the most advanced hash-cracking techniques totally impractical. Have cracking techniques advanced so much that you need even longer passwords now? 64 or 128 characters long seems ridiculous.
Edit:
Lol 21232f297a57a5a743894a0e4a801fc3 = admin
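As an added illustration (not part of any post in this thread), the following script reproduces the two observations above with the hashes from the quoted table: the digest really is unsalted MD5 of "admin", and because the hashes are unsalted, every account that stores the same digest has the same password, so one lookup hit opens all of them. The second half shows the defensive alternative, a salted, iterated PBKDF2-SHA256 hash, where identical passwords no longer produce identical stored values. The row list and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Rows copied from the table quoted in the thread (AccountID, AccountName,
# PasswordHash); the Pin column is omitted because it plays no part here.
LEAKED_ROWS: List[Tuple[int, str, str]] = [
    (0, "admin",  "21232f297a57a5a743894a0e4a801fc3"),
    (1, "admin1", "21232f297a57a5a743894a0e4a801fc3"),
    (2, "admin2", "21232f297a57a5a743894a0e4a801fc3"),
    (3, "admin3", "21232f297a57a5a743894a0e4a801fc3"),
    (4, "admin4", "21232f297a57a5a743894a0e4a801fc3"),
    (5, "user",   "21232f297a57a5a743894a0e4a801fc3"),
]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the quoted table uses."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(rows) -> Dict[str, List[str]]:
    """Group account names by identical stored digest.

    With an unsalted hash, equal digest means equal password, so a single
    recovered password (or a single rainbow-table hit) covers the whole group.
    A salted scheme makes this grouping impossible.
    """
    groups: Dict[str, List[str]] = {}
    for _, name, digest in rows:
        groups.setdefault(digest, []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}


# Defensive alternative: per-user random salt plus an iterated KDF.
# The iteration count is a constructed value for this example.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'algo$iterations$salt$digest' string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("md5('admin') =", md5_hex("admin"))
    for digest, names in duplicate_hash_groups(LEAKED_ROWS).items():
        print(f"{len(names)} accounts share {digest}: {names}")
    a, b = hash_password("admin"), hash_password("admin")
    print("same password, different stored values:", a != b)
    print("verify ok:", verify_password("admin", a),
          "| wrong password:", verify_password("admin1", a))
```

The point for the thread's discussion: password length only helps against guessing; it does nothing about a scheme that lets one lookup expose every account using the same password. Salting and key stretching are the site-side fixes, and they are invisible to users.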
All that means is the site is being reached over HTTPS and includes links to resources on it that are via HTTP instead of HTTPS, and those portions are not secured.
This is why I hate threads like this, people start to panic over things and draw lines and conclusions where none exist.
Hmm, I didn't know about that first part, and as for the second I completely agree with you Eso. I hate reading threads like this because of all the things people come up with, and I posted a couple pages back that all people are doing is more scaring of people than anything else. But it's always on top, and just like anyone else I too would like to know exactly what's causing all this, but like I'm saying to all my friends and people I know, really all you have to do is change your pass/pic at least 1-2x per month and you'll most likely be okay. I mean, with everything that's gone on in the past, people who have caught hold of the issue early on and changed their info seemed to be fine. So yeah, also hate threads such as these.
So if we want a super safe password from brute force, we should just change our passwords to a combination of upper case, lower case, numbers, and keyboard symbols that extends past the 12 character limit?
Challenge accepted.
I found another laughable hole in Nexon's security.
To change your account email address, you need to enter the answer to both security questions.
Fair enough.
Problem is you can change one security question by knowing the answer to the other question.
So, basically, that means that having two security questions actually weakens account security.
EDIT: I also really wish Nexon would suck it up and make Item Locks free.
I'm fairly sure that the lost revenue from those items would be surpassed by people buying NX because they feel secure enough to do so.
What's more, they should change the system.
While I like some suggestions I read, it'd also be rather nice if an item being locked would allow it to be account-tradeable.
I don't mind certain items being unsellable for up to a year, but I do mind being limited to one character when things like Evo Rings can't be moved.
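The security-question flaw described in the post above is a reachability problem: what matters is not how many secrets an action nominally requires, but the smallest set of secrets from which all of them can be obtained by chaining allowed actions. The script below is an added example (not code from the thread or from Nexon) that models the rules as the post states them, finds the minimum starting knowledge needed to change the email address, and compares it with a corrected policy in which changing either question requires both answers. The policy tables and the secret names "q1"/"q2" are constructed for the example.

```python
from itertools import combinations
from typing import Dict, List, Set

# Each action lists the secrets a caller must present ("needs") and the
# secrets it lets the caller redefine ("resets"). Constructed model of the
# rules described in the post; not an actual Nexon configuration.
FLAWED_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "change_email": {"needs": {"q1", "q2"}, "resets": set()},
    "change_q1":    {"needs": {"q2"},       "resets": {"q1"}},
    "change_q2":    {"needs": {"q1"},       "resets": {"q2"}},
}

# Corrected rule set: redefining any recovery secret needs the full set.
FIXED_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "change_email": {"needs": {"q1", "q2"}, "resets": set()},
    "change_q1":    {"needs": {"q1", "q2"}, "resets": {"q1"}},
    "change_q2":    {"needs": {"q1", "q2"}, "resets": {"q2"}},
}


def reachable_secrets(policy, known) -> Set[str]:
    """Closure of `known`: keep applying any action whose requirements are met
    and add the secrets it allows the caller to redefine (and therefore know)."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for action in policy.values():
            gained = action["resets"] - known
            if gained and action["needs"] <= known:
                known |= gained
                changed = True
    return known


def minimum_knowledge(policy, target: str = "change_email") -> List[Set[str]]:
    """Smallest starting sets of secrets from which `target` becomes possible."""
    secrets = sorted({s for a in policy.values() for s in a["needs"] | a["resets"]})
    for size in range(len(secrets) + 1):
        hits = [set(c) for c in combinations(secrets, size)
                if policy[target]["needs"] <= reachable_secrets(policy, c)]
        if hits:
            return hits
    return []


def effective_strength(policy, target: str = "change_email") -> int:
    """Number of secrets an outsider really needs, after chaining actions."""
    hits = minimum_knowledge(policy, target)
    return len(hits[0]) if hits else len(policy[target]["needs"])


if __name__ == "__main__":
    for name, pol in (("flawed", FLAWED_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: nominal requirement = {len(pol['change_email']['needs'])}, "
              f"effective = {effective_strength(pol)}, "
              f"from any of {minimum_knowledge(pol)}")
```

Run against the flawed policy this reports an effective requirement of one secret (either answer suffices), which is exactly the "two questions are weaker than one" observation; the corrected policy keeps the effective requirement at two. The same closure check applies to any recovery flow where one credential can reset another (email resets password, phone resets email, and so on).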
I'm sorry, but item locking is useless since there are scrolls that destroy items... so if your pomegranate is locked, I'm sure the person wouldn't want you to have your pomegranate either so they will just destroy it... you talk about loopholes in Nexons attempt at general account security... but it seems like you're not looking at other obvious loopholes...
And why hasn't anyone mentioned other potential failures in security... such as your email provider? (I haven't read the entire thread, but everyone seems to be assaulting Nexon). And another thing: IPB and vBulletin exploits are out there too... using the same email from your Nexon account on a fansite is also a security risk.