Community - American Football Management Simulator
Security Issue, please read
pete
posted: 2021-02-03 20:16:03 (ID: 100156843)
Hi,

As some of you might know I am quite into security stuff. During one of my regular checks I found some of the password hashes in so called rainbow tables. This is kind of alarming.

However, after some first high pulse, I made some further checks to find out if someone broke into the database stealing user data. So I ran some more checks of those hashed passwords against such rainbow tables, and it became clear to me that those passwords were not stolen from RedZoneAction. Puuuuh. Feeling better.

However, I changed the SALTs used by our password hasher. For your own security, please go to Front Office, Settings, and change your password. You could even use the same password and store it again. This will result in a new password hash stored in the database, using a much more random, stronger, more individual SALT.

I am adding a warning on top of the page for those who have not changed or saved again their passwords, soon.

- - - -

More nerdy explanation:

It has been common practice for decades not to store user passwords in clear text in databases. Much more, you would HASH the passwords.

So instead of "mypassword" we store something like "789a8s7d89as8dd79..." in our database. There are several algos, one of the most famous and most insecure is MD5. Those algos will create the same hash out of the same password, again and again. But one way only. So you can generate a hash out of a password, but not the password back from the hash.

So, I do not need to know your password, just the hash of it is enough for my database. When you login, you enter your password, we run the HASH over it, and compare the HASH of the given password to the HASH we stored in the database. If both match, you can pass.

Now, there are so called rainbow tables available in the internet. They store clear text passwords and their hashes, like a big dictionary. Everyone can type in a hash, and see if someone else matched a password to it.

During my checks I tried some databases with my very own password hash from our database here at RZA. And, I found a match.

But how can this happen? To avoid such rainbow attacks, there is SALT for HASHES, random strings you just add, which cause different HASHES out of the same password. Someone on the internet was using the same SALT as I did. This in itself is crazy. And somehow, that other guy seemed to be the victim of an attack.

Solution: I changed the SALT to something more random, more strange, much longer, more individual. Less chance that someone else has the same SALT in use. But to bring the new SALT into use, you need to store your password again.

Last edited on 2021-02-03 22:12:12 by pete

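The point of the post above, shown as an added example (not RZA's code, and not what its hasher actually does): with one site-wide SALT, every account with the same password ends up with the same stored hash, so a lookup table built for that SALT value works against all of them; with a random per-user salt, two users choosing "mypassword" get different hashes. The shared salt value, the PBKDF2 parameters and the record format are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the old shared, site-wide SALT described in the post.
SHARED_SALT = b"rza-old-shared-salt"


def md5_shared_salt(password: str) -> str:
    """Legacy scheme: MD5 over shared salt + password. Same password -> same hash
    for every user, so one rainbow table built for this salt covers every account."""
    return hashlib.md5(SHARED_SALT + password.encode("utf-8")).hexdigest()


def hash_per_user(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The salt is
    stored next to the hash in a self-describing record: algo$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_per_user(password: str, record: str) -> bool:
    """Login check: re-derive the hash using the salt from the record and compare
    in constant time, as the post describes (hash the input, compare to stored)."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_hash_for_same_password(hash_fn, password: str) -> bool:
    """Two different users pick the same password: do they get identical stored hashes?"""
    return hash_fn(password) == hash_fn(password)


def rehash_and_verify(password: str, wrong_guess: str):
    """Store a password again (new random salt), then try the right and a wrong password."""
    record = hash_per_user(password)
    return verify_per_user(password, record), verify_per_user(wrong_guess, record)


if __name__ == "__main__":
    pw = "mypassword"  # the example password from the post
    print("shared-salt MD5 identical across users:", same_hash_for_same_password(md5_shared_salt, pw))
    print("per-user salt identical across users:  ", same_hash_for_same_password(hash_per_user, pw))
    print("verify (correct, wrong):", rehash_and_verify(pw, "notmypassword"))
```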
Tyke1958
posted: 2021-02-03 20:28:42 (ID: 100156844)
Changed mine successfully but the warning's still there.
pete
posted: 2021-02-03 20:30:46 (ID: 100156845)
Tyke1958 wrote:
Changed mine successfully but the warning's still there.


Fixed that right now. I forgot to reset the warning once you store a password again. Sorry.
Tyke1958
posted: 2021-02-03 20:34:42 (ID: 100156846)
pete wrote:
Tyke1958 wrote:
Changed mine successfully but the warning's still there.


Fixed that right now. I forgot to reset the warning once you store a password again. Sorry.
PhillyEagles
posted: 2021-02-04 05:34:18 (ID: 100156862)
Done it and changed it to a much stronger password as well.

Thanks for the heads up. Danke Dir!
pete
posted: 2021-02-04 11:25:40 (ID: 100156865)
pascua
posted: 2021-11-16 21:03:30 (ID: 100162710)
Changed mine successfully but the warning's still there.

Thanks
pete
posted: 2021-11-17 11:27:03 (ID: 100162724)
pascua wrote:
Changed mine successfully but the warning's still there.

Thanks


To double-check if RZA is issuing wrong warnings, or your new password is broken, you could visit

https://haveibeenpwned.com/Passwords

And check your password directly against the database.
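The check pete points to can be done without ever sending the password: the Pwned Passwords service exposes a range API under https://api.pwnedpasswords.com/range/ that takes only the first 5 hex characters of the password's SHA-1 and returns every known suffix for that prefix with a breach count. This is an added example (not RZA's code and not the HIBP client library) that implements that client-side logic; the range response is constructed inline so it runs offline, and the breach counts in it are made up.

```python
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; only the 5-char prefix is sent


def sha1_upper_hex(password: str) -> str:
    """Pwned Passwords is keyed by the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(password: str):
    """k-anonymity split: the 5-char prefix goes to the API, the 35-char suffix stays local."""
    h = sha1_upper_hex(password)
    return h[:5], h[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix; 0 means not found."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def constructed_range_response(prefix: str, leaked: dict) -> str:
    """Constructed stand-in for the API reply: like the real one, it lists only
    suffixes whose SHA-1 starts with `prefix`, plus a filler line that never matches."""
    lines = []
    for pw, count in leaked.items():
        p, s = split_for_range(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":1")  # filler suffix, shows non-matching lines are skipped
    return "\r\n".join(lines)


def check_password_offline(password: str, leaked: dict) -> int:
    """Full flow against the constructed data: split, 'query' the prefix, match the suffix."""
    prefix, suffix = split_for_range(password)
    response = constructed_range_response(prefix, leaked)  # real code: GET RANGE_API + prefix
    return breach_count(suffix, response)


if __name__ == "__main__":
    # Constructed breach data (counts are invented for the example).
    leaked = {"password": 123456, "letmein": 4321}
    print("'password' seen:", check_password_offline("password", leaked))
    print("random passphrase seen:", check_password_offline("correct horse battery staple", leaked))
```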
pascua
posted: 2021-11-18 19:01:58 (ID: 100162743)
pete wrote:
pascua wrote:
Changed mine successfully but the warning's still there.

Thanks


To double-check if RZA is issuing wrong warnings, or your new password is broken, you could visit

https://haveibeenpwned.com/Passwords

And check your password directly against the database.


Thanks🍻
pete
posted: 2021-11-18 19:13:13 (ID: 100162744)
Btw, I added some more logic. We run the check every 14 days only. And after password resets, of course.