Slashdot Mirror


2.5 Million Xbox and PlayStation Gamers' Details Have Been Leaked From Piracy Forums (thenextweb.com)

Xbox360ISO.com and PSPISO.com were hacked by an unknown attacker in late 2015, and the details of the 2.5 million users affected have been leaked online. The leaked information contains email addresses, IP addresses, usernames and passwords. The Next Web reports: It seems that the operator of these sites did nothing to protect the latter, as all passwords were "protected" using the MD5 hashing system, which is trivially easy to overcome. For reference, that's the same hashing system used by LinkedIn. As the names of these sites imply, they were used to share pirated copies of games for Microsoft's and Sony's gaming platforms. They also both have a thriving community where people discussed a variety of tech-related topics, including gaming news and software development. If you think you might have had an account on these sites at one point, and want to check if you were affected, you can visit Troy Hunt's Have I Been Pwned. If you have, it's worth emphasizing that anyone who gained access to that site, and anyone who has since downloaded the data dump, will be able to discern your password. If you've used it on another website or platform, you should change it.

9 of 36 comments

  1. Creds leaked... by WolfgangVL · · Score: 2

    From this totally wholesome, on-the-up-and-up site. Color me surprised. This is why we use throwaway email addys for this sort of thing, kids.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  2. Not a surprise by gweihir · · Score: 3, Interesting

    The number of times I have had to explain to customers how to do password storage right is staggering. Most still believe a single hash is enough (well, to be fair, for a high-entropy password it is). Some have at least heard of salting the hash. But as soon as you come to iteration, most are clueless, and if you put in things like a large-memory property (to prevent brute-forcing by FPGAs and graphics cards), you have lost them completely. Many people just stop learning when there is no direct need to, and these are the same people that in many cases write security-critical software.

    On the other hand, PBKDF2 has been available since 2000, packing hashing, iteration and salting in a nice package. And Argon2 now adds large memory and other nice properties and essentially solves the problem. People just seem to be completely unaware of this.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Not a surprise by FrankHaynes · · Score: 2

      Given the prevalence of humans using 123456 as a "password"

      That's amazing! I've got the same combination on my luggage!

      --
      slashdot: A failed experiment.
  3. Clickbait title by wept · · Score: 3, Insightful

    Worst.

    1. Re:Clickbait title by Toth · · Score: 2

      Yeah, it is clickbaity, but it's accurate.
      Yes, the hack was over a year ago, but the "news" is that it was made widely available about three days ago.

  4. Wrong Headline by Osgeld · · Score: 3, Insightful

    2.5 million game pirates had their information leaked from a sketchy-ass website over a year ago and now are acting offended someone may steal from them.

  5. Headline is completely misleading. I'm done. by thesandbender · · Score: 2

    I started to type up a rant about how this headline was completely misleading... but instead I'll just say "I'm done".

    /screw you guys, I'm going home.

  6. Re:MD5 isn't really "trivially easy to overcome" by geekmux · · Score: 2

    The problem lies in not using a salt, not in using MD5.

    If a three-digit combination lock protecting a safe needs a bodyguard standing next to it to ensure no one steals anything, then using a shitty lock is in fact the problem, especially since few choose to spice up their recipe when cooking up a security model.

  7. Re:MD5 isn't really "trivially easy to overcome" by geekmux · · Score: 2

    MD5's weakness lies in its popularity and therefore susceptibility to rainbow table lookup. There's not a hashing algorithm around you should use without a salt and feel good about in the long term.

    Your analogy is dumb.

    Much like a 3-digit combination that is unknown to the attacker, MD5's ultimate weakness lies in the speed at which it can be cracked, as today's hardware has proven, regardless of the popularity or combinations known by rainbow tables.

    And if programmers are going to remain as ignorant as they always have and refuse to add a little salt to their coding diet, then stronger algorithms (stronger locks) are a rather necessary minimum, because convincing them to use a decades-old security bolster sure as shit ain't working.

    You are correct in that a hash alone does not provide a comfortable security buffer, but that hardly dismisses my analogy.
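As an added example that belongs to none of the commenters, here is the contrast gweihir's comment and the last two comments argue over, in Python: the forums' unsalted single MD5 pass falls to a precomputed lookup table, while a PBKDF2-HMAC-SHA256 store with a per-user random salt and a high iteration count (600,000 is an assumed cost, chosen here, not taken from the thread) yields a different digest for the same password every time and cannot be looked up. Argon2, which gweihir mentions for its memory-hardness, is not in the Python standard library and is not shown.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a rainbow table or online lookup service:
# unsalted MD5 digests of a few of the most common passwords.
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p
                for p in ("123456", "password", "qwerty")}

# Assumed work factor for PBKDF2-HMAC-SHA256; tune per deployment.
ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """The scheme the leaked forums used: one unsalted MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup(stored: str) -> Optional[str]:
    """No salt and no iteration: the digest is recoverable by a single
    table lookup, which is what 'trivially easy to overcome' means here."""
    return LOOKUP_TABLE.get(stored)


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated storage in the form
    'pbkdf2$<iterations>$<salt hex>$<digest hex>'. A fresh random salt is
    drawn per password, so equal passwords produce unequal records and
    no precomputed table applies; the iteration count slows each guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    print("unsalted MD5 of 123456 ->", md5_lookup(md5_store("123456")))
    record = pbkdf2_store("123456")
    print("PBKDF2 record:", record)
    print("verify 123456:", pbkdf2_verify("123456", record))
```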