How real is the threat of being hacked when gaming?

[JoonasTo]

I prefer a piece of paper for password, unless someone breaks into your apartment, you're safe.

"sis" is a common slang, too common. the rest i don't know, i don't hack myself so yeah.

gpu accelerated rigs today can guess at a phase of over 1,000,000/sec, with a dictionary attack containing a billion words it'd take it 1000seconds to finish each word at worst case scenario.
so with a 4word max at 1000seconds each that'd take 4000seconds, less than a day.
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

to put things on a neutral here, i'm saying that don't build your password entirely out of words.

That's so lol, windows passwords. Are we talking about the passwords that are stored in a non-encrypted, free of restrictions registry node? 
There's no reason to crack a windows password as all you need to do is reset or replace it with one of your choosing. All you need is some form of access to the computer, physical/remote, power on/off doesn't matter. Only state I can think of that a windows computer is protected is when it's waiting for a login.

[kitamesume]

I prefer a piece of paper for password, unless someone breaks into your apartment, you're safe.

"sis" is a common slang, too common. the rest i don't know, i don't hack myself so yeah.

gpu accelerated rigs today can guess at a phase of over 1,000,000/sec, with a dictionary attack containing a billion words it'd take it 1000seconds to finish each word at worst case scenario.
so with a 4word max at 1000seconds each that'd take 4000seconds, less than a day.
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

to put things on a neutral here, i'm saying that don't build your password entirely out of words.

That's so lol, windows passwords. Are we talking about the passwords that are stored in a non-encrypted, free of restrictions registry node? 
There's no reason to crack a windows password as all you need to do is reset or replace it with one of your choosing. All you need is some form of access to the computer, physical/remote, power on/off doesn't matter. Only state I can think of that a windows computer is protected is when it's waiting for a login.

lol you obviously didn't read the article.

[Remak]

Absolutely do not follow Tiffany's password advice. You will more likely lose the password yourself.

(click to show/hide)

This advice is better:

Tiff's advice is good if you're using LastPass, since you don't have to remember your passwords to begin with.

I used lastpass once lol. Then I removed it when I decided I didn't like it and forgot to save my grooveshark password it generated (it was the only new acc I made). Now when I try to recover my password it says it sent an email but I don't get any email in my inbox or spam folder .

[JoonasTo]

Obviously not.

For my defense though, name of the article has nothing to do with the article itself.

[buchno]

For my defense though, name of the article has nothing to do with the article itself.

That's pretty common.
...at least in printed articles.

[xShadow]

I'm surprised no one has jumped at this...

"sis" is a common slang, too common. the rest i don't know, i don't hack myself so yeah.

gpu accelerated rigs today can guess at a phase of over 1,000,000/sec, with a dictionary attack containing a billion words it'd take it 1000seconds to finish each word at worst case scenario.
so with a 4word max at 1000seconds each that'd take 4000seconds, less than a day.
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

to put things on a neutral here, i'm saying that don't build your password entirely out of words.

I don't think probability works that way. You have a branch for each one of those words in the dictionary at each step. You could only do a straight multiplication of that maximum time if you had per-word verification. Which you do not if you're trying to brute force.

So instead of 4*1000 seconds, it would be 1000⁴ seconds. Note that is not expected time or any kind of mean time, but worst case scenario time. Still staggering, either way.

It has been a while since my statistics class but I believe that is how it works.


Edit: Also any punctuation between words would fuck that time over hard.
Edit2:actually that assumes you know that there are 4 words in the pw in the first place. I think it would actually be 1000±1000²+1000³+1000⁴ seconds.

[kitamesume]

yeah i figured something was off.

but that only applies to pure word passwords, they do exists since there are people with simplistic minds

[Slysoft]

How could someone hack you just by knowing your screen name on an online game? Most of those guys are skids anyway so they can only hack if it involves a tool with a start button.

[Tiffanys]

For video games you just copy the password from LastPass. You don't need to remember it. You could also use something like Password Safe which can enter it in the game client for you automatically.

Assuming you're using LastPass though, you could also just download LastPass Pocket and make an encrypted offline backup of your LastPass database and then just right click and copy your password to clipboard then paste it in the game client then close LastPass. Though to be honest, you could do that even with the online version.

[Xycolian2332]

For video games you just copy the password from LastPass. You don't need to remember it. You could also use something like Password Safe which can enter it in the game client for you automatically.

Assuming you're using LastPass though, you could also just download LastPass Pocket and make an encrypted offline backup of your LastPass database and then just right click and copy your password to clipboard then paste it in the game client then close LastPass. Though to be honest, you could do that even with the online version.

I'm not that knowledgeable on keyloggers, but I'm sure it's easy enough for them to record logs for everything that went through the clipboard?

So essentially, if you were phished into going to some stupid site, and they installed a keylogger on your comp you're pretty much boned

Someone who knows more about those kind of programs feel free to contradict me.

[Tiffanys]

...if you had a keylogger you would be boned anyways. But uh, phishing would already have you boned to begin with, even without a keylogger.

I don't see how you can make having a compromised PC some sort of argument against having good security. Even if you had bad security you'd still be screwed if you were compromised.

As for websites, if you used LastPass even if you did have a keylogger you'd be relatively safe. You can't log automatic form filling as far as I'm aware.

As for games... if there's a possibility to have some sort of keyfob authenticator then getting that will also greatly increase your security. Though, most don't have that.

Not having a compromised PC tends to be the first step in keeping your password safe... xD

[megido-rev.M]

I just realised something; if you're a person who easily forgets passwords, can't you take a common word (or the name of the site or something), calculate the SHA1-hash of it and use that as your password? It'll both be very secure and easily memorable!

...although, you probable won't remember the hash, so tools like LastPass or hash calculation algorithms are necessary.

Length would be a problem quite often.

[buchno]

I just realised something; if you're a person who easily forgets passwords, can't you take a common word (or the name of the site or something), calculate the SHA1-hash of it and use that as your password? It'll both be very secure and easily memorable!
...although, you probable won't remember the hash, so tools like LastPass or hash calculation algorithms are necessary.

Length would be a problem quite often.

Right, CRC(64) instead of SHA, then :)
...why do sites tend to have a maximum length on their users' passwords?

[megido-rev.M]

I just realised something; if you're a person who easily forgets passwords, can't you take a common word (or the name of the site or something), calculate the SHA1-hash of it and use that as your password? It'll both be very secure and easily memorable!
...although, you probable won't remember the hash, so tools like LastPass or hash calculation algorithms are necessary.

Length would be a problem quite often.

Right, CRC(64) instead of SHA, then
...why do sites tend to have a maximum length on their users' passwords?

There's really no valid reason for maximum length.
Anyway, concerning passwords the only reason to using its hash is just for length, only adjusting what needs to be kept secret.

[kitamesume]

I just realised something; if you're a person who easily forgets passwords, can't you take a common word (or the name of the site or something), calculate the SHA1-hash of it and use that as your password? It'll both be very secure and easily memorable!
...although, you probable won't remember the hash, so tools like LastPass or hash calculation algorithms are necessary.

Length would be a problem quite often.

Right, CRC(64) instead of SHA, then
...why do sites tend to have a maximum length on their users' passwords?

if we're still talking about online games, then they tend to have a max length of 20-24 characters, no idea why but yeah they do.
plus they tend to not allow special characters not within the standard keyboard layout, some even disallow ~!@#$%^&*

[Belmakar]

At one online game I used to play the case didn't matter... Also, it was only 6 to 12 alphanumeric characters, and there were no constraints on consecutive login attempts with wrong passwords. For security that didn't really matter, though, as neither the connection to the server nor the user credentals sent were encrypted at all...

[Tiffanys]

Well, for newer games with competent developers account security isn't that big of an issue. Guild Wars 2 for instance won't allow access to your account if you sign in from a new location unless you confirm the new location first via e-mail. If you have two-step authentication with your email provider then you're really quite safe.

Then there are other games like Blizzard's where they have keyfob Authenticators which would make it very difficult to steal one's account.

Generally though anyone that tells you that they're going to hack you in a game is likely an angry preteen with no actual capability of doing so. You can pretty much just shrug off anyone that says that.

The four biggest things:
1. Don't use your e-mail that you use for a game for anything else.
2. Use a unique password for everything, as long and as complex as possible (hacking a fansite where you use the same e-mail and password on would be far easier than hacking a game server).
3. Don't download anything stupid.
4. Don't click links in e-mails, never send anyone your information, and always triple check the address you're logging into is the official one.

[kitamesume]

Generally though anyone that tells you that they're going to hack you in a game is likely an angry preteen with no actual capability of doing so. You can pretty much just shrug off anyone that says that.

actually, pissing off those kind of derps is worth it. "ooh i'm scared, i think i just peed my pants, wait... bwahahahha!"

[FlyinPenguin]

Another question: Can somebody really find your IP just by having your Live or PSN screen name? What would they even be able to do with it? My router's firewall would block any kind of attack except by a true and experienced hacker right?

Is it dangerous to set up a DMZ only for a game system? That seems to be a recommend method of dealing with restrictive NATs. Aren't game systems too restrictive in how they can receive and execute code for hacking to be a real concern?

[Saras]

Another question: Can somebody really find your IP just by having your Live or PSN screen name? What would they even be able to do with it? My router's firewall would block any kind of attack except by a true and experienced hacker right?

Is it dangerous to set up a DMZ only for a game system? That seems to be a recommend method of dealing with restrictive NATs. Aren't game systems too restrictive in how they can receive and execute code for hacking to be a real concern?

No, they cannot. They have to have admin/mod privileges to see an IP attached to a name. They could find it out if you say played a game together.

If they have your IP, they can ddos you/find out your general location/look for open ports/harass your ISP in giving out more information on you.