MD5 and possible security disasters around the corner or ongoing(for years).
So, lo there...
MD5, many people likely don't know much about what it even is, so I'll try to be brief(in a futile attempt to not come off as boring). The current website security system, is very lackluster.
Lackluster in the sense of password encryption.
I posted this message in another thread about a day or 2 ago(which for some reason now no longer shows up in my own post history), but it discussed the same security issue, except it was from 2014... IIRC, I bumped it for a reason(and it got closed...).
The issue persists.
What am I talking about? Password hashes, I did the test earlier with my dad and showed him how easy it is to crack the code once you have hands on with the actual encrypted password and it generally takes ~100 ms, aka. 0.1 seconds. He gave me his own example of his password and that's how long it took to find it from the internet databases on cracked MD5 hashes. My own, luckily isn't listed, but the length of which(the hash), is not that much longer to warrant a brute attack on it, that'd take longer than 2 days, max. Probably seconds to be fair, if you have a proper algorithmic cracker. And bear in mind, the username goes in clear-text.
So what am I yapping on about? Your website security. HTTP. plain-text MD5 hash password transport. I'd advocate your folk to take it seriously, MitM attacks are not *that* hard to achieve, in fact. I live in a dorm(go to school, uni). And as an effective result, have successfully conducted MitM attacks on my own local subnet /23, 511 host range via ARP poisoning to bring an example.
It was relatively cheap and easy to tunnel all the local net traffic of all the folks in the building(subnet) through my computer machine(Badly configured L2 switches, no VLAN tunneling). And from there, what exactly is the stumbling block for people being able to achieve the same relatively simply elsewhere(shitty wi-fi network ex. etc. etc.). Now, granted, that is easy peasy but the real guys, often achieve the same goal by hacking into badly secured routers instead, allowing them to sniff everything en-route, aka. between hops A-B.
The point is, you were suggested the same stuff 3 years ago. To migrate over to TLS (v1.2), and you've still not done it.
So when?
And to make matters worse, it is not rare for folks to use a password in more than 1 area of their net-lives. Often is the case where quite a lot of people just use 1 password everywhere(of whom there are many) and thus get the real important places hacked(mail). I don't, so thank god for that, but knowing how insecure the current system here is, I'm just happy for my own sake that I am aware on how easy it is to infiltrate and impersonate someone and that I never used a password that matched any other account that I have.
Because truth be told, how many times have you guys been really hacked and your password databases infiltrated without us knowing about it. Lots, I bet. One of your own former moderators confirmed it in the thread I spoke of earlier. But considering the responses the last threads OP had from the twitter posts he brought up with the actual owner AFAIK, it'll be likely that nothing will change.
But please, take notice, especially you other folk reading out there, beware of what you enter on this website!
And owners of this forum(of which has had a peak of near 200K+ users online at various points in time), change your encryption methods... For christ sakes.
I work at a telecom, I've seen useage numbers(real ones), regarding nation-wide famous shows etc. 200K+ is nothing to scoff at. You are more than likely on someones radar at all times, and have likely been so, for a long time in the past as well.
Recent Blue Posts
Limited PvP -> PvE Free Character Transfers
Feedback: Hunter Updates
Important stuff?
MMO-Champion
Recent Forum Posts
