Storing passwords
#21

Quote:
Originally Posted by Bakr
The difference between SA:MP and a huge organization's database is that you don't sign agreements when entering SA:MP servers. You aren't reading and accepting their licenses and policies of how they keep your passwords safe, so you shouldn't expect it either.
You should! Anyone storing ANY personal data should have a privacy policy detailing what they do with your information. If you don't, that's another thing you're doing wrong.

People seem to have the attitude that laws and sensibilities don't apply because this is "only" SA:MP - where do you get that idea from? Just because something is small and free does not make it exempt, nor does it exempt server owners from liability.
#22

Quote:
Originally Posted by Y_Less
You should! Anyone storing ANY personal data should have a privacy policy detailing what they do with your information.
What do you consider personal data? In my opinion, a password for an online game account does not qualify.

Quote:
Originally Posted by Y_Less
If you don't that's another thing you're doing wrong.
Sure, I agree with that, but then you are not relying on them to store your passwords securely in the first place. Also, I'm yet to see a server that goes into detail regarding their policies and processes prior to registration (as I believe most users would simply leave before reading the walls of text). If you could find one for me that contradicts that statement, I would love to see it!

Quote:
Originally Posted by Y_Less
People seem to have the attitude that laws and sensibilities don't apply because this is "only" SA:MP - where do you get that idea from? Just because something is small and free does not make it exempt, nor does it exempt server owners from liability.
It doesn't, and I don't know where you thought I was directing towards that statement. My argumentative point is to the extent that no blame is getting put on the person using the same password for an online game modification's account and their personal credit card. You sign no agreement at registration (most (if any?) servers don't require ANY type of license agreement to register). You said continuing knowing that would be something wrong done on the user end, so why should insecure password processes on their end be any different?
#23

Quote:
Originally Posted by Bakr
What do you consider personal data? In my opinion, a password for an online game account does not qualify.
Name, e-mail, DOB, location, some servers want loads of info and it's all covered by data protection.

Quote:
Originally Posted by Bakr
Sure, I agree with that, but then you are not relying on them to store your passwords securely in the first place. Also, I'm yet to see a server that goes into detail regarding their policies and processes prior to registration (as I believe most users would simply leave before reading the walls of text). If you could find one for me that contradicts that statement, I would love to see it!
I didn't say they did, I said they should.

Quote:
Originally Posted by Bakr
It doesn't, and I don't know where you thought I was directing towards that statement. My argumentative point is to the extent that no blame is getting put on the person using the same password for an online game modification's account and their personal credit card. You sign no agreement at registration (most (if any?) servers don't require ANY type of license agreement to register). You said continuing knowing that would be something wrong done on the user end, so why should insecure password processes on their end be any different?
You were getting at that by saying users are stupid, so why should we be any better. There are no data protection laws for users - it's their data and they can do what they want with it, only services have to be careful.
#24

Quote:
Originally Posted by Bakr
I am sure if someone had the intelligence to crack an advanced hashing algorithm in the first place they would surely find a more valuable resource. However, let's avoid that point, and say they DO decide to use SA:MP. What next? They unveil the passwords (after having spent several days/weeks/months) and try to use the combinations with known email addresses.
I'd like to start off by saying that hash cracking isn't really as advanced as you would think it is. Most people just get others to crack for them in most cases. If you have a database with plain MD5 hashes like a lot of people do, then expect 80% of your database to be cracked in a few minutes. We are not talking days, weeks or months here, we are talking a couple of minutes.


Quote:
Originally Posted by Bakr
If they are lucky they will be able to access a few accounts. However, how can that be the responsibility of the server owners?
A lot of sa-mp members are quite young and generally will use the same password for a lot of things. Once a password cracker has cracked their in-game password, he/she could probably just log into the victim's forum account (most regular players would have one) and grab their email.


Quote:
Originally Posted by Bakr
One of the most basic lessons taught with using the Internet in any basic computer class is to use separate passwords for each account (and beyond that, common sense). What responsibility is the end-user taking from this? None, because all blame is put onto the server developers.
It is the players' responsibility, but you must know that not all players are responsible. I personally think that it's the server owner's responsibility to make their users' data as secure as possible.

Quote:
Originally Posted by Bakr
The difference between SA:MP and a huge organization's database is that you don't sign agreements when entering SA:MP servers. You aren't reading and accepting their licenses and policies of how they keep your passwords safe, so you shouldn't expect it either. There is also nothing personally attached to a user who plays on a server. The only thing that could personally damage someone by a SA:MP database leak would be on the ignorance of the users themselves, not the developers, EVEN IF they store the passwords in plain text (though, that is ignorant in itself).

Basically, I think you need to focus more on the people who idiotically use the same password for a SA:MP server as they do for their credit card account.
I would like to bring up another point here, which is that passwords are not everything. All data, whether it's an IP, email or personal information, can be used against someone or to hack someone. In most cases servers will store this information in their server + forum databases. So you're saying that it's the user's responsibility to keep this data secure? Should we just use proxies everywhere with disposable email addresses?
#25

Quote:
Originally Posted by Y_Less
Name, e-mail, DOB, location, some servers want loads of info and it's all covered by data protection.
That would be going back to my "people are stupid" theory. I don't think anyone playing an unofficial online modification, knowing that anyone can create a server, should be giving away personal information like this. I would also argue that that is on them! If you don't know how to protect yourself on the Internet you shouldn't be using it, just as you shouldn't be allowed to perform maintenance on a jet aircraft without proper qualifications and experience!

Quote:
Originally Posted by Y_Less
You were getting at that by saying users are stupid, so why should we be any better. There are no data protection laws for users - it's their data and they can do what they want with it, only services have to be careful.
Ultimately it is their choice to input the information. It's very similar to someone signing up for an account on a website that asks for your phone number, then you skipping their license, and then wondering why you are getting 100 telemarketers calling your house every day. That's on them.

I will admit, I don't know anything regarding "data protection laws", but if that does allow such ignorance on the end user, then the whole system is flawed (which seems to be a common theme as of late).

EDIT:

Quote:
Originally Posted by [HiC]TheKiller
I'd like to start off by saying that hash cracking isn't really as advanced as you would think it is. Most people just get others to crack for them in most cases. If you have a database with plain MD5 hashes like a lot of people do, then expect 80% of your database to be cracked in a few minutes. We are not talking days, weeks or months here, we are talking a couple of minutes.
Yes, that is why I said make the process more difficult.

Quote:
Originally Posted by [HiC]TheKiller
A lot of sa-mp members are quite young and generally will use the same password for a lot of things. Once a password cracker has cracked their in-game password, he/she could probably just log into the victim's forum account (most regular players would have one) and grab their email.
That is on the member then. If you don't know how to protect yourself on the Internet, don't use it.

Quote:
Originally Posted by [HiC]TheKiller
It is the players' responsibility, but you must know that not all players are responsible. I personally think that it's the server owner's responsibility to make their users' data as secure as possible.
I think server owners should make an effort. However, when joining a SA:MP server, you should assume that passwords are being stored in plain text anyway, as you don't know. There is no information (most probably) telling you otherwise, so why would you assume otherwise?

Quote:
Originally Posted by [HiC]TheKiller
I would like to bring up another point here, which is that passwords are not everything. All data, whether it's an IP, email or personal information, can be used against someone or to hack someone. In most cases servers will store this information in their server + forum databases. So you're saying that it's the user's responsibility to keep this data secure?
No, it's not their responsibility, but it IS their responsibility to check if correct protocols are taken to secure that information.

Quote:
Originally Posted by [HiC]TheKiller
Should we just use proxies everywhere with disposable email addresses?
If that is what you believe you need to do, then sure.
#26

Licences basically say "we want to do this with your data, click here to let us" - no licence, no permissions, so all servers with no agreement are fully bound by all data protection laws, even if users are stupid.
#27

OK, then I blame the system.

I did a VERY quick search for these laws (as I need to leave in a few moments). The only results I found were regarding specific countries, and nothing globally binding. Would you mind providing a link to these laws so I can review them later?

I really am interested in seeing what the "standards" are. Since there is no license saying what is being done with the data, you are bound by these laws. The guidelines should be an interesting read.
#28

Quote:
Originally Posted by Bakr
OK, then I blame the system.

I did a VERY quick search for these laws (as I need to leave in a few moments). The only results I found were regarding specific countries, and nothing globally binding. Would you mind providing a link to these laws so I can review them later?

I really am interested in seeing what the "standards" are. Since there is no license saying what is being done with the data, you are bound by these laws. The guidelines should be an interesting read.
Well, it depends on where the servers are based then. I do know that the US has much laxer laws than the EU, and as a result if US service providers want to cater to EU customers as well they have to show that they comply with EU laws - which is why many of them are now getting in trouble over here thanks to PRISM.
#29

I updated my thread linked in the OP to contain better and more credible information. I also updated the code.
#30

Quote:
Originally Posted by Gamer_Z
If any database leaks, no matter how strong the hashing algorithm, if the cracker aims for one password he will get it anyway.
If the password is weak enough, yes it will. It's all about time though. The harder the hash is to crack, the more time the server owners have to tell their players about the breach. It also may reduce the scope of what the cracker is actually trying to crack (due to the slower speed), which reduces the chance of your hash being cracked.
#31

I find these arguments about "stupid" people invalid. It's definitely also the server administrators'/developers' responsibility to keep the passwords safe. The user is not supposed to expect that his/her password is not safe in the service provider's database, and act according to that assumption (although on most SA-MP servers you have to, as the vast majority takes no or very little effort to keep the passwords safe). Still, it *shouldn't* be like that.


Some also argued that if the hash is leaked, the password can be cracked no matter what you do. Yes, that's true. However, if the password is hashed securely, the damage can be minimized.

Assume that a hacker gains access to your user database with 250 000 users, including passwords, salts and email addresses. With high probability, there are thousands of users who have used the same password as with their email (not a smart thing to do, but it happens). The hacker just has to crack the password and then possibly gains access to one's email (and from email to a vast number of other services).

- If the passwords are stored as plain text, the hacker has immediate access to all passwords.

- If the passwords are not salted, but are hashed with MD5, the hacker can get the majority of passwords in no time using rainbow tables.

- If the passwords are salted with unique salts and hashed with MD5, the situation is already significantly better. Rainbow tables cannot be used, and the hacker has to brute-force the passwords individually. Now it takes a significant amount of time and computing power to crack a password. However, if a password is for instance 7 characters long, it can be cracked in a couple of seconds with a modern GPU.

- If the passwords are salted with unique salts and hashed with Whirlpool, the situation is even better. The same applies as in the case above, but it takes longer to calculate a Whirlpool hash than an MD5 hash, so brute-forcing becomes slower. Again less damage.

- If the passwords are salted with unique salts and hashed with Whirlpool 16 000 times, it's again 16 000 times slower to crack a password than in the case above. Now it takes a lot of effort to crack even one password, compared to little effort to crack 250 000 passwords. That's a pretty good improvement from the first case, right?

And to add to that, if there are no downsides to hashing the passwords securely, why on earth would you not do that? If you have a choice between a moderate level of security and a high level of security, is there a reason to go with moderate?


TL;DR
Proper hashing reduces the number of compromised passwords by a very large factor.
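The last two tiers in the post above (unique per-user salt, then many iterations of the hash), as an added example that is not code from the thread or from any SA:MP script: SHA-256 stands in for Whirlpool (an assumption, since Python's hashlib does not guarantee a Whirlpool build), the record layout is constructed here, and the 16 000 iteration count is the post's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this example (not from the thread): SHA-256 in place of
# Whirlpool, and a constructed record layout "iterations$salt_hex$digest_hex"
# so the verifier can recover both parameters from the stored value.
ITERATIONS = 16_000          # the post's work factor
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Unique per-user salt plus an iterated hash, stored as one record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for each account
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):                # every round adds to the cost of one guess
        digest = hashlib.sha256(salt + digest).digest()
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, _ = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, record)


def shared_password_collides(password: str) -> bool:
    """Why unique salts defeat rainbow tables: two accounts with the same
    password must not end up with the same stored digest."""
    first = hash_password(password).split("$")[2]
    second = hash_password(password).split("$")[2]
    return first == second


def relative_guess_cost(record: str, baseline_iterations: int = 1) -> int:
    """How many times more work one guess costs than a single unsalted hash,
    read back from the record (the post's '16 000 times slower' point)."""
    return int(record.split("$")[0]) // baseline_iterations
```

In production the same salted, iterated construction is provided ready-made by hashlib.pbkdf2_hmac or by bcrypt, scrypt and Argon2 libraries, which is where the tuned parameters should come from rather than a hand-rolled loop.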