
About privacy of accounts



I'll have to edit this topic bit later, but for now my question is:

 

I've been wondering: what if a player writes the password wrong repeatedly, will a GM be able to see if it happens or not? For example, a wrong password 50 million times, does anything happen if someone does that?


There is a big reason why I'm asking this: our guild leader got hacked recently. There was a mistake of people flooding his email without trying to harm, but that doesn't stop bad people from doing something bad. However, why I was asking

3 hours ago, Lyzoic said:

what if a player writes the password wrong repeatedly, will a GM be able to see if it happens or not?

 

Because IF yes, I thought about it deeply: can someone "hack" (it's not a hack, it is "figuring out" without actually knowing the pass)

 

This is my point. Someone got your e-mail. The next step for that bad person would be: would it be a numeric password, an alphabetic password, or a mix of both? Since numbers are easier to dig out (because of uppercase and lowercase), the scammer would try numbers first. Roughly, I could say there's a high chance that the passwords are just numbers, which don't mean anything, just specific numbers that I know of but nobody else can figure out, let's say a number between 1-5 000 000. Is there a person who would try it 5 million times? Some people put specific days in their password, for example, let's say yesterday's 9122020. Obviously, there is no person who would type it 10 million times, so it would be bot-made. How difficult is it to make a typing bot? I'm not a programmer, but 2 years ago I tried a typing bot for fun, writing on the keyboard without actually touching it. We literally lost the most active guild on our server and my dear friend's account, so I had to think deeply about every option.

 

Back to the case: someone knows your e-mail because of something and decides to make a bot to test multiple combinations of passwords. It's not hard; nowadays everyone can do that.

Let's think what it would take, imagining:

 

- clicking to login menu and trying password again repeatedly, maybe 2.5 seconds

- calculating 60/2.5 seconds, it becomes 24, multiplying it by 60 minutes, comes 1440 passwords per hour, multiplying it by 24 hours, comes 34560

- each password try just increases by 1 number like normally, 1,2,3.....

 

We could think that:

34560 doesn't sound even close to my imaginary 9122020 password; it sounds like a hacker has to try for 263 days to break the 9122020 password. I change my password once every half year or even every month. Would I be safe?


No, because there are also multiple clients of Warspear on multiple desktops doing that 34560 times a day, trying to crack the password. For example, if there are 5 desktops doing those 34560 password tries per day on 5 clients, it would take just 12 days to crack it. The next thing we think of: wouldn't that take a lot of the PC's CPU? Yes, it would, but there is a way to turn the CPU usage as low as possible on each client, to maximize the number of clients cracking the password. (You don't need a super laptop/PC for this either.) There is also the problem of the starting number for each client, but that is easy to figure out as well, by taking the maximum number of passwords to be tried, let's say 10 million, and dividing it by 25; the result would be 11 days. 11 days to guess a random password between 0-10000000, that's why I'm worried, and asking if that is possible.

 


 

6 hours ago, GalaxyRekt said:

Just use strong passwords. The only thing the devs can do is add some captcha after X wrong attempts. Also, don't use the same password in different services. There are tons of leaked passwords for each email online.

Yeah, I recommend everyone change their passwords if they only include numbers. Also, sometimes I think email is safer than password, like in our case; that's why I honestly hope support checks our case deeply, since it is a little whoopsie from Warspear, who had my friend's email showing in Gmail to each participant who joined the hidden test of the new classes, chieftain and templar. Perhaps some of the YouTubers recorded his email showing in a video by mistake, or just innocently mentioned it to some bad person, but because of that I think our case requires a deep check😑

Edited by Lyzoic

I agree to this person's opinion too. 

18 hours ago, GalaxyRekt said:

Just use strong passwords. The only thing the devs can do is add some captcha after X wrong attempts. Also, don't use the same password in different services. There are tons of leaked passwords for each email online.


This chart shows how long it would take a modern computer to crack passwords of varying complexities, assuming the hacker knew the basic password requirements for the application.

[Image: password cracking time chart]

My suggestion to players: Make a long, strong password with a combination of upper case, lower case, numbers and symbols so that hackers cannot hack/figure out the password.
My suggestion to devs: Please introduce a defensive mechanism which puts up a captcha after X wrong attempts and, in the worst case, locks the device which keeps entering the wrong password; it can be unlocked through the email service if it is really the owner who is trying to enter the correct password (the same mechanism as how you bind the Warspear account to your email for the first time).

 

Edited by Sai Chandra
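Added example (not part of any post in this thread, and not the game's actual code): a sketch of the "captcha after X wrong attempts, then lock" mechanism suggested above, with a small simulation that reuses the thread's figure of 2.5 seconds per attempt. The class, function names and all thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All thresholds are assumed values for illustration, not the game's settings.
CAPTCHA_AFTER = 3    # the "X wrong attempts" before a captcha is demanded
LOCK_AFTER = 5       # failures before timed locks begin
BASE_LOCK_S = 60     # first lock length; doubles with each further failure
MAX_LOCK_S = 3600    # cap on a single lock

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """Counts failures per account (not per client or IP), so running
    many clients in parallel does not multiply the guess rate."""
    def __init__(self):
        self.accounts = {}
        self.alerts = []  # (account, failures, lock_s) rows a support view could show

    def check(self, account, now):
        st = self.accounts.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"
        return "captcha" if st.failures >= CAPTCHA_AFTER else "allow"

    def record_failure(self, account, now):
        st = self.accounts.setdefault(account, AccountState())
        st.failures += 1
        if st.failures >= LOCK_AFTER:
            lock = min(BASE_LOCK_S * 2 ** (st.failures - LOCK_AFTER), MAX_LOCK_S)
            st.locked_until = now + lock
            self.alerts.append((account, st.failures, lock))

    def record_success(self, account):
        self.accounts.pop(account, None)  # reset counters after a good login

def days_to_exhaust(keyspace, seconds_per_guess, clients=1):
    """Days to try every value in keyspace at an unthrottled, fixed pace."""
    return keyspace * seconds_per_guess / clients / 86400

def wrong_guesses_checked(throttle, account, duration_s, seconds_per_guess=2.5):
    """Wrong guesses that reach password verification within duration_s,
    assuming every captcha is solved (worst case for the defender)."""
    now, checked = 0.0, 0
    while now < duration_s:
        if throttle.check(account, now) != "locked":
            throttle.record_failure(account, now)
            checked += 1
        now += seconds_per_guess
    return checked
```

With these assumed settings, a full day of continuous attempts against one account gets 33 guesses checked instead of 34,560, and the count does not grow with the number of clients because the counter is per account. Each lock also leaves a row in `alerts`, which is the kind of record that would let support see repeated wrong passwords.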
29 minutes ago, Sai Chandra said:

I agree to this person's opinion too. 


This chart shows how long it would take a modern computer to crack passwords of varying complexities, assuming the hacker knew the basic password requirements for the application.

[Image: password cracking time chart]

My suggestion to players: Make a long, strong password with a combination of upper case, lower case, numbers and symbols so that hackers cannot hack/figure out the password.
My suggestion to devs: Please introduce a defensive mechanism which puts up a captcha after X wrong attempts and, in the worst case, locks the device which keeps entering the wrong password; it can be unlocked through the email service if it is really the owner who is trying to enter the correct password (the same mechanism as how you bind the Warspear account to your email for the first time).

 

Exactly. Just don't forget that this chart is probably related to the time needed to crack a hash. In this context the dude trying to hack into an account probably doesn't even have an idea of the password's hash. Most likely itz's email was already associated with some leaked passwords.

1 hour ago, Sai Chandra said:

I agree to this person's opinion too. 


This chart shows how long it would take a modern computer to crack passwords of varying complexities, assuming the hacker knew the basic password requirements for the application.

[Image: password cracking time chart]

My suggestion to players: Make a long, strong password with a combination of upper case, lower case, numbers and symbols so that hackers cannot hack/figure out the password.
My suggestion to devs: Please introduce a defensive mechanism which puts up a captcha after X wrong attempts and, in the worst case, locks the device which keeps entering the wrong password; it can be unlocked through the email service if it is really the owner who is trying to enter the correct password (the same mechanism as how you bind the Warspear account to your email for the first time).

 

Yes, I found similar information. However, symbols can't be used on Warspear yet, and yes, I agree with this captcha.

38 minutes ago, GalaxyRekt said:

Exactly. Just don't forget that this chart is probably related to the time needed to crack a hash. In this context the dude trying to hack into an account probably doesn't even have an idea of the password's hash. Most likely itz's email was already associated with some leaked passwords.

Yeah, it might be possible, but considering that it was AIGRIND who flooded itz's email to others, the devs should really investigate this. Just as it is the players' responsibility to keep their email safe, it is AIGRIND's job to keep their e-mails safe and not shown to other players. And the autoreplies really piss me off; there is even a huge chance that this exact screenshot is the problem. It contains 10 e-mails of different players, and probably none of them was even warned that this would be shown to others.

 

 

[Image: 112.png]
