Disclaimer: I am not a security expert.
I’ve been seeing a lot of talk about folks getting their Rift accounts hacked. Most often the #1 question is “How did this happen?” People go crazy examining their systems for key loggers or other malware that might be delivering their credentials to some hacker.
I have my own theory on what’s going on. Part of it is Trion’s fault, part of it is the internet’s fault. I don’t think we’re seeing a massive key logger issue here; at least not one on our home computers. That’s assuming the problem is as extensive as the community seems to think it is.
I think we’re seeing an organized, brute force hacking attempt across a multitude of accounts. If you’ve never read about rainbow hash cracking, now might be a good time to do so. Note the first line in that post: The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423″ in 160 seconds. and the post is from 2007; you can imagine how much faster these cracking software packages work today.
[Update] Glad I put the disclaimer about not being a security expert in there. According to a friend on Twitter (who I won’t credit just so as not to put him in the spotlight) in order to use these rainbow tables, the hackers would first need to have access to Trion’s database of hashed (encrypted) passwords. Or, of course, a dump of any other database of passwords where you used the same password. So I may be off-base in my whole theory. [End Update]
So what can you do? Honestly, not very much. I think Trion stumbled when they limited password length to 16 characters. Coding Horror’s Jeff Atwood promotes the idea of pass phrases. So instead of “!ah84&nah3″ as a password (which can be cracked pretty quickly using rainbow tables) your password might be “IreallyLove_Rift_(because)all(!)myhawtfriendsplay!” My understanding is (again, not a security expert) that a password that long is going to be hard to crack even with rainbow tables, because the size of the table it would require would be so freaking huge. There’s a little bit of “When a bear is chasing you, you only need to be faster than your friends” thing going on. A lengthy password takes you out of the “low hanging fruit” demographic.
For me, that long passphrase is also easier to remember and faster to type than !ah84&nah3, but maybe I’m just weird.
Anyway the point is moot since Trion limits us to 16 character passwords.
I’m also not sure about having to use your game login credentials to log into the forums and website. How many people log into the forums from public Wifi at a coffee shop or something? Since the site and forums use https:// to log in, they *should* be secure but I still feel uneasy about that.
Anyway, the good news is… well, there isn’t really any good news, except that if you get hacked don’t pull your hair out examining and re-examining your system looking for key loggers.
The best you can do at this point is using all 16 characters of your password and definitely mix in punctuation. But I suspect that the gold farming companies that are doing all this hacking are using rainbow tables that cover punctuation. Also make sure you’re using a unique password for Rift, not one you use on other sites.
Hopefully the Coin Lock feature will be the first step in putting an end to this outbreak of hacking (but I suspect the hackers will quickly start spoofing IP addresses to get around it), and I’m looking forward to Trion’s future anti-hacking techniques like authorization via emails/sms or smartphone authenticators.
Last thought: If you’re buying gold, you’re part of the problem. Remember that the gold you’re buying most likely originated from a hacked account. By creating demand, you’re encouraging hacking.