Friday, July 18, 2014

Change your password gamers

A quick note for all you online gamers out there. If you play online games, MMOs, etc. and have for a while, you have probably joined a fair number of online gaming boards over the years. Guild after guild most likely, plus alliance after alliance if you play EVE. A good number of those sites are running vBulletin software. If you game a lot you probably recognize a vBulletin site without even having to scroll down to the bottom and see the logo, and are happy to see it and not a less friendly free forum site. Well, there is a new SQLi attack for the 5.X branch of that software, and the people who found it said they will release the code in the wild soon. The official announcement is here: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4097503-security-patch-release-for-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2

It should be noted that this isn't the first SQLi attack found in this software over the years. But I have a feeling this one is going to be used a lot, so I'm giving this warning.

For those who don't know, a SQLi attack allows people to collect data from the database the site uses to store things like, say, your username and password. vBulletin by default stores passwords using an MD5 hash and a 3 character salt. If you don't know what that means, just know it means passwords are easy to crack, especially weak ones. No biggie, right? Well, ask yourself...

On any of these numerous sites you signed up to over the years (god help EVE players, they probably can't even find all the old alliance ones), how easy is it for someone to find the game or games you play and the username you log in with? If you are good, your login name is nowhere on any of these sites for most games, and your account names aren't the same as it or a single character off from it. Some games like ESO are idiotic and force you to tell everyone your login name, however. If by chance you play ESO, or one of your characters' names is also your login name for a game and you give that name up in posts or signatures or profiles in forums all over the Internet, ask yourself this: did you use the same password on one or more game forums that you use to log in to the game with? If so, you are either going to spend some time changing passwords, or learn a life lesson the hard way when your account is banned for gold selling or something, and when you finally get it unbanned you have nothing; even your characters are deleted.

Think about it. You should never use your game password on forum sites, ever, ever, ever. And changing 1 character at the end isn't clever enough not to get figured out, btw.

So if you are freaking out right now, do this:
1. Stop using your character name as your login name where you can help it (ESO aside that was a bad move on their part)
2. Never use passwords for games on any other website
3. Go change all your game passwords
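
To work out which accounts step 3 applies to, here is an added example (not part of the original post) that audits a list of your own credentials for game passwords that are reused, or changed by only one character, on another site. The account data is constructed, and the function names and tuple layout are illustrative assumptions.

```python
from itertools import combinations

# Constructed sample data (site, kind, login, password); not real credentials.
ACCOUNTS = [
    ("eve-online", "game", "pilot_one", "Tr1tanium!7"),
    ("old-alliance-forum", "forum", "pilot_one", "Tr1tanium!7"),
    ("guild-board", "forum", "Pilot_One", "Tr1tanium!8"),
    ("eso", "game", "nightblade", "c0rrect-h0rse-eso"),
    ("raid-forum", "forum", "nb_poster", "pUrple-stapler-41"),
]


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit(accounts, max_distance=1):
    """Flag every pair involving a game account whose passwords match or
    differ by at most max_distance edits. Returns a list of
    (site_a, site_b, issue, same_login) tuples."""
    findings = []
    for a, b in combinations(accounts, 2):
        if "game" not in (a[1], b[1]):
            continue  # forum-to-forum reuse is out of scope for this check
        dist = edit_distance(a[3], b[3])
        if dist > max_distance:
            continue
        issue = "reused" if dist == 0 else "near-duplicate"
        same_login = a[2].lower() == b[2].lower()
        findings.append((a[0], b[0], issue, same_login))
    return findings


if __name__ == "__main__":
    for site_a, site_b, issue, same_login in audit(ACCOUNTS):
        note = " and the same login name" if same_login else ""
        print(f"{site_a} / {site_b}: {issue} password{note}")
```

Every pair it reports is a game account whose password should be changed first, and a pair that also shares the login name is the case step 1 is about.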

If you share passwords you likely don't have a system and/or password manager. Here is some final advice.
Come up with a system to help you remember passwords without sharing them. Like incorporating part of the name of the site into the password.
Use a password manager. Here are three I like:
LastPass: Web plugin cross platform. My current option due to the cross platform, free
KeePass: Good stand alone one for Windows, I found it annoying on the Mac, free
PINs: Good stand alone one for Windows, older now but still good and doesn't need an install. The password file and the exe are all you need, so it is 100% portable, but Windows only, free
 
