Disclaimer: I am not a security expert.
I’ve been seeing a lot of talk about folks getting their Rift accounts hacked. Most often the #1 question is “How did this happen?” People go crazy examining their systems for key loggers or other malware that might be delivering their credentials to some hacker.
I have my own theory on what’s going on. Part of it is Trion’s fault, part of it is the internet’s fault. I don’t think we’re seeing a massive key logger issue here; at least not one on our home computers. That’s assuming the problem is as extensive as the community seems to think it is.
I think we’re seeing an organized, brute-force hacking attempt across a multitude of accounts. If you’ve never read about rainbow hash cracking, now might be a good time to do so. Note the first line in that post: “The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password ‘Fgpyyih804423’ in 160 seconds.” That post is from 2007; you can imagine how much faster these cracking software packages work today.
[Update] Glad I put the disclaimer about not being a security expert in there. According to a friend on Twitter (who I won’t credit just so as not to put him in the spotlight) in order to use these rainbow tables, the hackers would first need to have access to Trion’s database of hashed (encrypted) passwords. Or, of course, a dump of any other database of passwords where you used the same password. So I may be off-base in my whole theory. [End Update]
So what can you do? Honestly, not very much. I think Trion stumbled when they limited password length to 16 characters. Coding Horror’s Jeff Atwood promotes the idea of passphrases. So instead of “!ah84&nah3” as a password (which can be cracked pretty quickly using rainbow tables), your password might be “IreallyLove_Rift_(because)all(!)myhawtfriendsplay!”. My understanding is (again, not a security expert) that a password that long is going to be hard to crack even with rainbow tables, because the size of the table it would require would be so freaking huge. There’s a little bit of a “When a bear is chasing you, you only need to be faster than your friends” thing going on. A lengthy password takes you out of the “low hanging fruit” demographic.
For me, that long passphrase is also easier to remember and faster to type than !ah84&nah3, but maybe I’m just weird.
Anyway the point is moot since Trion limits us to 16 character passwords.
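To put numbers on the length-versus-complexity argument above, here is an added example (not part of the original post) that sizes the alphabet an attacker would have to cover for each of the two passwords quoted and for a constructed 16-character sample, and converts that into bits and a worst-case exhaustion time. The guessing rate of 1e9 per second is an assumption chosen for illustration, and the time models exhaustive guessing rather than the table lookup Ophcrack does; a rainbow table covering the same keyspace costs about as much to build, so the comparison carries over. The per-character model is an upper bound: a passphrase made of dictionary words has less entropy than this calculation says.

```python
import math
import string

# Character classes a guess-everything attacker would have to cover.
# Sizes come from Python's string module (string.punctuation has 32 symbols).
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}


def charset_size(password: str) -> int:
    """Alphabet an attacker must assume: the union of every class the password touches."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy, treating each character as an independent uniform pick
    from the alphabet. Dictionary-word passphrases are weaker than this model says,
    so treat the number as a ceiling, not a measurement."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate (assumed)."""
    return 2.0 ** bits / guesses_per_second


def compare(candidates, guesses_per_second=1e9):
    """Return (password, length, alphabet, bits, years-to-exhaust) rows for a report."""
    rows = []
    for pw in candidates:
        bits = entropy_bits(pw)
        years = seconds_to_exhaust(bits, guesses_per_second) / (365 * 24 * 3600)
        rows.append((pw, len(pw), charset_size(pw), round(bits, 1), years))
    return rows


if __name__ == "__main__":
    # The two passwords from the post, plus the strongest thing a 16-character cap
    # allows: 16 random characters from all four classes (a constructed sample).
    samples = [
        "!ah84&nah3",
        "IreallyLove_Rift_(because)all(!)myhawtfriendsplay!",
        "Xq7!pL2#vR9$wT4&",  # constructed 16-character sample
    ]
    for pw, length, alphabet, bits, years in compare(samples):
        print(f"{length:3d} chars, alphabet {alphabet:3d}, {bits:6.1f} bits, "
              f"{years:.3g} years at 1e9 guesses/s  {pw}")
```

The 10-character example lands at about 61 bits, the 50-character passphrase at about 320 bits under the uniform model, and even the best a 16-character cap allows (all four classes) sits near 105 bits; length is what moves the number, which is the point of the passphrase argument and of the complaint about the cap.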
I’m also not sure about having to use your game login credentials to log into the forums and website. How many people log into the forums from public Wi-Fi at a coffee shop or something? Since the site and forums use https:// to log in, they *should* be secure, but I still feel uneasy about that.
Anyway, the good news is… well, there isn’t really any good news, except that if you get hacked don’t pull your hair out examining and re-examining your system looking for key loggers.
The best you can do at this point is to use all 16 characters of your password and definitely mix in punctuation. But I suspect that the gold farming companies that are doing all this hacking are using rainbow tables that cover punctuation. Also make sure you’re using a unique password for Rift, not one you use on other sites.
Hopefully the Coin Lock feature will be the first step in putting an end to this outbreak of hacking (but I suspect the hackers will quickly start spoofing IP addresses to get around it), and I’m looking forward to Trion’s future anti-hacking techniques like authorization via emails/sms or smartphone authenticators.
Last thought: If you’re buying gold, you’re part of the problem. Remember that the gold you’re buying most likely originated from a hacked account. By creating demand, you’re encouraging hacking.
I always wonder about people who get hacked (great, I’m jinxing myself here, I can tell) because in the 10+ years I’ve been gaming, used forums, done downloads – I have NEVER been hacked. I don’t have passwords that are (in my mind) any harder or easier than any other password out there. I do keep a few rules of thumb. None of my emails have passwords that match any game passwords. None of my forums have passwords that match games or emails. I have seen a LOT of guild forums get hacked and lo and behold people have used the same password for their game that they use for the forums – and your email information is typically there too.
I just don’t see how pretty much 99.9% of my friends have experienced hacking in their gaming lifetime, and I simply have not, and I don’t really take any precautions at all.
Using the rainbow hashes would imply that crackers have gotten the hashed password tables from the Trion servers — which is unlikely.
Even if they did, the rainbow hashes that include punctuation would be unwieldy and it’s unlikely those are being used.
Any password using punctuation is going to be pretty safe from rainbow cracking in general. But that still implies they have the password tables themselves, which is still unlikely.
Best protection for a Rift account or any other account is to never reuse passwords, and to change the ones you do use frequently. I have started to use a password keeper which generates random passwords for me that include punctuation.
Thanks Tipa, someone on Twitter told me the same thing. I updated the post, probably while you were writing your comment.
I always wondered, what’s the benefit of changing your password frequently? Unless you’re singled out as a target and someone has made a project out of hacking your account, how does it help?
Also Tipa, am I paranoid to think that some gold farmers could be in cahoots with seemingly legitimate community sites? So someone runs a ‘legit’ site and then just sells his hash tables to the gold farmers?
Stargrace, my LOTRO account was hacked last fall, and what was interesting was that I hadn’t logged in for months so I was pretty sure it wasn’t a keylogger or anything.
Any algorithm is worthless for cracking passwords if the company locks the account temporarily when you fail three times and requires email from your proper email to unlock it. This is entirely Trion’s fault if they are permitting people to hit the accounts repeatedly. We aren’t living in the year 1990 anymore. Security is a must nowadays. Let’s not mince words.
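The three-strikes lockout this comment calls for, written out as an added illustration that is not part of the post or of any commenter’s words: wrong guesses are counted per account, the third one freezes the account for a timed window, and during that window even the correct password is refused until the lock expires or the owner confirms an unlock out of band (the e-mail step the comment describes). The login events, the usernames, the three-attempt limit and the 900-second lock are all constructed for the example.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LoginGuard:
    """Per-account lockout: N wrong passwords in a row freeze the account until
    the lock expires or the owner confirms an unlock out of band (e.g. by e-mail)."""

    def __init__(self, max_failures: int = 3, lock_seconds: float = 900.0):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.states = defaultdict(AccountState)

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        st = self.states[username]
        if now < st.locked_until:
            # Even a correct password is refused while locked, so a guessing run
            # cannot tell a hit from a miss during the lock window.
            return "locked"
        if password_ok:
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.max_failures:
            st.locked_until = now + self.lock_seconds
            st.consecutive_failures = 0
            return "locked"
        return "denied"

    def unlock(self, username: str) -> None:
        """Called after the account owner proves control of the registered e-mail."""
        self.states[username] = AccountState()


def replay(events, max_failures=3, lock_seconds=900.0):
    """Run a list of ("login", user, password_ok, t) and ("unlock", user, t) events
    and return (user, t, verdict) for each login event."""
    guard = LoginGuard(max_failures, lock_seconds)
    verdicts = []
    for ev in events:
        if ev[0] == "login":
            _, user, ok, t = ev
            verdicts.append((user, t, guard.attempt(user, ok, t)))
        elif ev[0] == "unlock":
            guard.unlock(ev[1])
    return verdicts


# Constructed sample: a guessing run against "alice" next to a normal login by "bob".
SAMPLE_EVENTS = [
    ("login", "alice", False, 0.0),
    ("login", "alice", False, 1.0),
    ("login", "alice", False, 2.0),     # third miss: account locks
    ("login", "alice", True, 3.0),      # right password, still refused
    ("login", "bob", True, 4.0),        # other accounts are unaffected
    ("unlock", "alice", 5.0),           # owner confirms via the e-mail link
    ("login", "alice", True, 6.0),
    ("login", "alice", False, 1000.0),  # a lone miss later does not lock
]

if __name__ == "__main__":
    for user, t, verdict in replay(SAMPLE_EVENTS):
        print(f"t={t:7.1f} {user:6s} -> {verdict}")
```

The timed expiry is there on purpose: a lock that only an e-mail can clear lets anyone who knows a username freeze its owner out by guessing wrongly three times, so a lockout like this is normally paired with a window that lapses on its own and with throttling of the source address as well as the account.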
Yeah I remember when your LotRO account was hacked. I have accounts for... more games than I can shake a stick at, Lineage II and all sorts that I never touch nor do I change passwords to, but none of them have ever been hacked. I am incredibly thankful in this regard of course, but it just makes me wonder why some people do get hacked and others don’t. I guess maybe I just don’t have any accounts of “value” or something, lol.
I think Blizzard fans are behind this. Mark my words SWTOR will be hacked too just like WAR. Any threat to WoW will be sabotaged. Those WoW people are crazy.
Great post and let me add that I’m one of the players whose account was recently hacked.
A couple of days ago on the 16th I logged off after running a group of clustered quests in Silverwood. The next day I logged back on for a brief moment of play for another group of quests. After applying my credentials I was notified of the recent patch that’ll help prevent account hacking using the coin lock feature. Once my client was patched I logged on and was a bit amused to see my lvl 19 character in his skivvies but was soon disappointed seeing him parked by a mailbox with no money, gear and bags empty.
I had submitted a GM ticket and because the Trion game forums indicated a slow response to recovering accounts I didn’t expect to have everything recovered within a reasonable time frame (most people were reporting three days of no recovery and no communication from a GM). So last night I logged on and saw that my warrior had his gear on and upon logging in found him where I had last parked him with all of his gear back. I would guess that Trion made it much easier to recover items/money.
Upon reflection on how I could’ve gotten hacked I believe that it was user error because of my own mistake of using an email and password combination that a few years ago was used with my WoW account and back then that was hacked. In response to that WoW hack after account recovery I changed my account email, password and got a key fob. A couple of weeks before Rift released I created my account to try the open beta and in my haste used the same compromised credential combination. Lesson learned here, do NOT use that combination again for anything.
Based on this I am using a utility called Password Keeper to generate long random passwords for online games; I just cut and paste. It’s still possible for keyloggers, man-in-the-middle attacks, hacking game company servers and home invasion to get my passwords (though the password keeper program is itself password protected), but they won’t get my passwords because I used them somewhere else.
Listen to Tipa, she knows what she’s talking about. That’s a good idea.
I was hacked earlier this week. How? I’m still wondering that myself… Not even a chance I have keyloggers, never buy gold, use unique passwords for every game I play, and use complex passwords.
I have already changed this password and it was only used for Rift so as an example here is the password that was “hacked” to gain access to my account
RcSr!f7IS4w3S0m3
yeah 16 characters, upper and lower, numbers and punctuation. I work in the network admin field with certifications in Security so I KNOW my shit is secure, it is very unlikely that the password was “logged” on my network. Which is why I believe there is a security vulnerability in Trion’s network somewhere, a network is only as strong as its weakest piece of equipment, only takes ONE piece of equipment to be compromised and have access to a lot of other shit they shouldn’t…
I also think there is more than one group hacking accounts, some people have everything stripped and sold, while others (like myself) are just missing all the plat, not even missing any gold, just the plat is missing.
I was hacked today. I’ve thought the new system of Rift was secure, but nonetheless they’ve gained access to my acc and stole all my plat and from my highest character. They’ve also got all tradable items in the normal bags and the bank.
Like Iyeman said there must be some error in the security of Trion – I mean: how could it be that every hundredth account was hacked? I’m wondering what the ppl at Trion are doing…
@Shava – Ah, that sucks. I was really hoping this mess was behind us, but apparently not. Really sorry to hear you got hacked and I hope Trion can restore all your stuff. 🙁