RANDOM VIDEO GAME NEWS


Rosbjerg

The Ars article more addresses that people create poor passwords.

 

It also says that when a site uses weak hashing algorithms, they can harvest relatively secure passwords with the help of databases of previously harvested weak passwords.

Sent from my Stone Tablet, using Chisel-a-Talk 2000BC.

My youtube channel: MamoulianFH
Latest Let's Play Tales of Arise (completed)
Latest Bossfight Compilation Dark Souls Remastered - New Game (completed)

Let's Play/AAR Europa Universalis 1: Austria Grand Campaign (completed)
Let's Play/AAR Europa Universalis 2: Xhosa Grand Campaign (completed)
My PS Platinums and 100% - 29 games so far (my PSN profile)

 

 

1) God of War III - PS3 - 24+ hours

2) Final Fantasy XIII - PS3 - 130+ hours

3) White Knight Chronicles International Edition - PS3 - 525+ hours

4) Hyperdimension Neptunia - PS3 - 80+ hours

5) Final Fantasy XIII-2 - PS3 - 200+ hours

6) Tales of Xillia - PS3 - 135+ hours

7) Hyperdimension Neptunia mk2 - PS3 - 152+ hours

8.) Grand Turismo 6 - PS3 - 81+ hours (including Senna Master DLC)

9) Demon's Souls - PS3 - 197+ hours

10) Tales of Graces f - PS3 - 337+ hours

11) Star Ocean: The Last Hope International - PS3 - 750+ hours

12) Lightning Returns: Final Fantasy XIII - PS3 - 127+ hours

13) Soulcalibur V - PS3 - 73+ hours

14) Gran Turismo 5 - PS3 - 600+ hours

15) Tales of Xillia 2 - PS3 - 302+ hours

16) Mortal Kombat XL - PS4 - 95+ hours

17) Project CARS Game of the Year Edition - PS4 - 120+ hours

18) Dark Souls - PS3 - 197+ hours

19) Hyperdimension Neptunia Victory - PS3 - 238+ hours

20) Final Fantasy Type-0 - PS4 - 58+ hours

21) Journey - PS4 - 9+ hours

22) Dark Souls II - PS3 - 210+ hours

23) Fairy Fencer F - PS3 - 215+ hours

24) Megadimension Neptunia VII - PS4 - 160 hours

25) Super Neptunia RPG - PS4 - 44+ hours

26) Journey - PS3 - 22+ hours

27) Final Fantasy XV - PS4 - 263+ hours (including all DLCs)

28) Tales of Arise - PS4 - 111+ hours

29) Dark Souls: Remastered - PS4 - 121+ hours

Link to comment
Share on other sites

You're right it does.

 

The problem, of course, is that by creating weak passwords, it compromises the integrity of better hashing systems, as they now have libraries of commonly used poor passwords that they can brute force attempts with to help crack the hashing algorithm.

 

The best encryption system in the world doesn't save people from using "123456" as their password and having it compromised.

Link to comment
Share on other sites

Yup, but with a better system, there is a much smaller chance that your more complex password could be compromised, even with these big databases. The Ars article was only about the success of breaking MD5 with these tables.

 

I would really like to know how successful these guys would be at harvesting complex passwords in newer SHA-3, RIPEMD or Skein hashing.

 

The only reason why a lot of companies are still using weak algorithms is to save processing power on their servers... Which is stupid...

Edited by Mamoulian War

Link to comment
Share on other sites

 

 

Yup, but with a better system, there is a much smaller chance that your more complex password could be compromised, even with these big databases. The Ars article was only about the success of breaking MD5 with these tables.

 

I actually felt that the article was more about how stuff like MD5 is still used, despite not being very secure. There IS a benefit to the tougher encryption algorithms, in that the number of searches you can make gets slowed drastically, but if the hashing algorithm gets cracked, then the issue becomes moot.

 

Having said that, the hash function for MD5 encryption given wasn't cracked either (otherwise they'd have had a 100% success rate), and it's a good bet that the ones they aren't able to crack are the good passwords.  The tougher hash algorithms keep the less than awesome passwords safer, because it just takes more time to brute force the system.

Link to comment
Share on other sites

If the numbers are right, and they could only manage 8 billion guesses a second with MD5, one 9 character password would take years to crack if it had symbols, lowercase, uppercase, and numbers. Even if they used an 8 GPU homebrew cracking box, that's still months to crack one password.

 

If they're using best practices with a properly hashed and salted password e.g. SHA512crypt, with a much higher work-factor making for 2000 guesses per second on one GPU (according to the Ars article), only the short passwords (less than 6 characters), passwords in a dictionary, lowercase passwords, and the ones that substitute letters with numbers or symbols e.g. "p4$$word" would take weeks or less, the rest would take months each.

 

Memory-hard functions in hashing are designed to make cracking impractical by making the cracker use larger amounts of memory, so they're forced to use the memory I/O, limiting parallel computation. So using an 8 GPU setup or cloud cracking array wouldn't be as much benefit and designing a cracking box would be more expensive, as I think now crackers (and bitcoin miners) go for the most compute per $, which generally means multiple low-mid graphics cards. With memory-hard functions it creates a bottleneck for that kind of setup.

Edited by AwesomeOcelot
Link to comment
Share on other sites

you're talking about bruteforcing. but that's not how they crack these passwords

Walsingham said:

I was struggling to understand this until I noticed you are from Finland. And having been educated solely by mkreku in this respect I am convinced that Finland essentially IS the wh40k universe.

Link to comment
Share on other sites

you're talking about bruteforcing. but that's not how they crack these passwords

Yes, I was, and they did use brute forcing and dictionary attacks first. They were using hybrid attacks but that still involves brute-forcing, just of a smaller space, they're still doing lots of guesses so memory-hard and work-factor still comes into play. With hybrid attacks the time can be shorter depending on the entropy of the password or whether the password uses a ruleset the cracker is using.

Edited by AwesomeOcelot
Link to comment
Share on other sites

Found a quote from Tim Schafer's AMA on Reddit:

 

The truth is I always act as if I didn't have to worry about profits, had all the money in the world, and no technical limits. Maybe that's why my games are considered "niche," why they go over budget, and why my programmers have to work so hard. So basically, I'd be doing exactly what I'm doing right now! :)

Link to comment
Share on other sites

Well, good to see he'll learn from his experience.

Edited by Malcador

Why has elegance found so little following? Elegance has the disadvantage that hard work is needed to achieve it and a good education to appreciate it. - Edsger Wybe Dijkstra

Link to comment
Share on other sites

I once had a DB with passwords that were hashed like this: md5(md5(pass) + salt) or some same ****. Used GPU to bruteforce. Could bruteforce any password that was 8 signs long (big or small letters, with numbers and punctuation) in under 2 days. Of course if I wanted to find as many passwords as possible from a huge DB, I'd use a base of common passwords and that'd go much much faster, I'd get like 10000+ accounts/day.

 

GPU is so quick. Like 1000 times faster than CPU in this matter.

Edited by Bester
IE Mod for Pillars of Eternity: link
Link to comment
Share on other sites

I once had a DB with passwords that were hashed like this: md5(md5(pass) + salt) or some same ****. Used GPU to bruteforce. Could bruteforce any password that was 8 signs long (big or small letters, with numbers and punctuation) in under 2 days. Of course if I wanted to find as many passwords as possible from a huge DB, I'd use a base of common passwords and that'd go much much faster, I'd get like 10000+ accounts/day.

 

GPU is so quick. Like 1000 times faster than CPU in this matter.

It would take under 10 days going at the rate they said they were going in the article (8 billion guesses a second) with one GPU to search the 8 sign password's space. I don't think the nested md5 hash would do anything, and the salt isn't to prevent brute forcing.

Link to comment
Share on other sites

Surely it adds operations, and by that doubles the required time.

If the operation is fast to begin with that hardly matters.

And depending on the algorithm using double hashing may actually weaken your protection.

Link to comment
Share on other sites
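
The search-time figures and the salt and work-factor points from the hashing posts above, as an added Python example that is not part of any post in the thread. The 95-character alphabet, the scrypt parameters and the sample passwords are assumptions chosen here.

```python
import hashlib, hmac, os, time

ALPHABET = 95  # assumption: printable ASCII (upper, lower, digits, symbols)

def search_days(length, guesses_per_sec, alphabet=ALPHABET):
    """Days needed to try every password of exactly `length` characters."""
    return alphabet ** length / guesses_per_sec / 86400

def nested_md5(password, salt):
    """md5(md5(pass) + salt) as described in the thread: two fast MD5 calls."""
    inner = hashlib.md5(password.encode()).hexdigest().encode()
    return hashlib.md5(inner + salt).hexdigest()

def scrypt_hash(password, salt, n=2**14, r=8, p=1):
    """Memory-hard scrypt; each guess needs about 128*n*r bytes (16 MiB)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)

def make_record(password):
    """Store a fresh random salt next to the slow hash."""
    salt = os.urandom(16)
    return salt, scrypt_hash(password, salt)

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(scrypt_hash(password, salt), stored)

def cost_ratio(rounds=2000):
    """How many nested-MD5 computations fit in the time of one scrypt call."""
    salt = b"constructed-salt"  # constructed sample value
    start = time.perf_counter()
    for _ in range(rounds):
        nested_md5("constructed-password", salt)
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    scrypt_hash("constructed-password", salt)
    return (time.perf_counter() - start) / fast

if __name__ == "__main__":
    print(f"8 chars at 8e9 guesses/s: {search_days(8, 8e9):.1f} days")
    print(f"9 chars at 8e9 guesses/s: {search_days(9, 8e9) / 365:.1f} years")
    print(f"one scrypt call costs ~{cost_ratio():,.0f} nested-MD5 calls")
```

The salt makes two records for the same password differ, which defeats precomputed tables and shared guesses across accounts; the per-guess cost comes only from the work factor and memory requirement of the hash itself.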

Not once in nine months have I heard mention that Project: Eternity could become a "long-running" franchise. Until now. Which is why I'm posting. Now. 

 

 

Regardless of how well Project Eternity does beyond the contributions of its backers, however, there are already plans to begin work on an expansion after the completion of the first game.

All Stop. On Screen.

Link to comment
Share on other sites

No surprise, really. It's their own IP and if it sells well, there is no reason not to make more games. It's really what Kickstarter is all about for developers, imo.

"only when you no-life you can exist forever, because what does not live cannot die."

Link to comment
Share on other sites

 

Not once in nine months have I heard mention that Project: Eternity could become a "long-running" franchise. Until now. Which is why I'm posting. Now. 

 

 

Regardless of how well Project Eternity does beyond the contributions of its backers, however, there are already plans to begin work on an expansion after the completion of the first game.

 

Extra! Extra! Developers have hopes and dreams.

Read all about it!

I'd say the answer to that question is kind of like the answer to "who's the sucker in this poker game?"*

 

*If you can't tell, it's you. ;)

Link to comment
Share on other sites

 

Not once in nine months have I heard mention that Project: Eternity could become a "long-running" franchise. Until now. Which is why I'm posting. Now. 

 

 

Regardless of how well Project Eternity does beyond the contributions of its backers, however, there are already plans to begin work on an expansion after the completion of the first game.

 

You could pay a whole extra $20 (?) to get the expansion as part of the kickstarter, so it's not exactly been sprung on people. Though it needs the fulfilment/ redemption method(s) to be up and running to actually, well, redeem it. There's also been a fair bit of talk about whether or not any sequel to PE would use KS, which was a pretty strong indicator it would be a 'franchise'.

Link to comment
Share on other sites

 

You could pay a whole extra $20 (?) to get the expansion as part of the kickstarter, so it's not exactly been sprung on people. Though it needs the fulfilment/ redemption method(s) to be up and running to actually, well, redeem it. There's also been a fair bit of talk about whether or not any sequel to PE would use KS, which was a pretty strong indicator it would be a 'franchise'.

 

Oh, yes, I see it now. I opted to add-on a black Obsidian T-shirt, instead of the expansion pack. Probably because I knew I could always download the latter, but may never get a chance to own the former. See ... forgetting things can be like a free bonus when you remember them! 

All Stop. On Screen.

Link to comment
Share on other sites

Plus if they do a sequel, they won't have to adapt unity from scratch, create rules, etc. Just make content. Easy.

 

Mmm... mostly. They'll still need to add higher level spells and capabilities. I'll bet there's also a temptation to expand the base system, perhaps with new races, classes, or what have you.

"It has just been discovered that research causes cancer in rats."

Link to comment
Share on other sites

This topic is now closed to further replies.