Community - American Football Simulator
AdBlocker active? It seems you are using software to block advertisements. You could help us if you could switch it off when visiting RedZoneClash.org. The reason is very simple: Advertisements help us running the site, to offer you the game in a good quality for free. So if you like the game, please support us by purchasing a Supporter Account or disabling the AdBlocker on this site. Thank you very much!
Main / Discussions / Security Issue, please read Search Forum
Navigation: |<  1 >| 
Poster Message
pete
Guinness Consumers United

 pete owns a supporter account

Joined: 2013-06-26
Posts: 644


posted: 2021-02-03 21:09:13 (ID: 2837) Report Abuse
Hi,

As some of you might know I am quite into security stuff. During one of my regular checks I found some of the password hashes in so called rainbow tables. This is kind of alarming.

However, after some first high pulse, I made some further checks to find out if someone broke into the database stealing userdata. So I ran some more checks of those hashed passwords against such rainbow tables, and it became clear to me, those passwords where not stolen from RedZoneAction. Puuuuh. Feeling better.

However, I changed the SALT of our password hasher. For your own security, please go to Front Office, Settings, and change your password. You could even use the same password, and store it again. This will result in a new password hash stored to the database, using a much more random, stronger SALT.

I am adding a warning on top of the page for those who not changed or saved again their passwords, soon.

- - - -

More nerdy explanation:

It is common practice not to store user passwords in clear text in databases, for decades. Much more, you would HASH the passwords.

So instead of "mypassword" we store something like '789a8s7d89as8dd79..." in our database. There are several algos, one of the most famous and most insecure is MD5. Those algos will create the same hash out of the same password, again and again. But one way only. So you can generate a hash out of a password, but not the password back from the hash.

So, I do not need to know your password, just the hash of it is enough for my database. When you login, you enter your password, we run the HASH over it, and compare the HASH of the given password to the HASH we stored in the database. If both match, you can pass.

Now, there are so called rainbow tables available in the internet. They store clear text passwords and their hashes, like a big dictionary. Everyone can type in a hash, and see if someone else matched a password to it.

During my checks I try some databases with my very own password hash from our database here at RZA. And, I found a match.

But how can this happen? To avoid such rainbow attacks, there is SALT to HASHES, random strings you just add, which cause different HASHES out of the same password. Someone in the internet was using the same SALT as I did. This in itself is crazy. And somehow, that other guy seemed to be the victim of an attack.

Solution: I changed to SALT to something more random, more strange, much longer. Less chances that someone else has the same SALT in use. But to bring the new SALT into use, you need to store your password again.
Quote   Reply  
reply   Mark this thread unread
Navigation: |<  1 >| 
Main / Discussions / Security Issue, please read