# ImportantYour TCF account and Security

#### Wolf kin

##### Skeletron Prime
It's the pattern of how you type them forms a shape on the numpad.
Oh, that's neat

#### ManaUser

##### Brain of Cthulhu
Yes, password lenght matters the most for these things, but the example given is very vulnerable to a book attack (where it tries random common words).

Personal favourite for passwords is this method: Drawing patterns on my numpad.

Lets take a random cheatcode:

Its a circle 4862 triangle 1831 cross 1937 square 1793 circle 4862 square 1793.

Its super long and its easy to remember (especially when you base it on some cheatcode you use commonly, you cheat :3)
I don't agree with this logic. There are way more words than shapes. With four shapes and a length of 6, that's only 4^6, or 4096 possibilities. Where as if we use a conservative definition of common words and say there are only 1000 of them, 4 words gets you 1000^4, or 1,000,000,000,000 possibilities. And the fact that shapes aren't words is no real protection. There's no reason hackers can't put "4862" in their dictionary too, maybe some already have.

#### Clancy117

##### Spazmatism
WTF?! I need to check my Yahoo account!

#### SirGouki

##### Terrarian
...There are way more words than shapes. With four shapes and a length of 6, that's only 4^6, or 4096 possibilities. ...

You missed the more obvious problem of the fact that the resulting password is nothing but numbers.. Since each digit can only be 0-9 in that case, theres not many digits in the password, it would take a computer a few seconds to a few minutes to either figure it out, or lock your account out in a brute force attempt if you used it. Since most programmers know binary, hex, and decimal, being clever and adding a-f or converting it to binary wont make it any better (and could make it worse).

Want an easy to remember password?
Take 2 words from something you absolutely love. Randomly take a letter and capitalize it. Now randomly take a few random vowels and change them to digits that make sense to you. Now take a few more letters and replace them with supported special characters ( @#\$%^&*()-=_+"':;,.<>/?\|~`!) that make sense to you. Every character you add this way adds another layer of complexity to breaking your password. Why? each character is represented by digits to a computer.

one relevant way hackers crack systems:
So for a true brute force attempt, the example earlier of using nothing but numbers, for each digit you're only having to guess 10 times the number of digits + every possible variation. If I was to try breaking your password, the first thing I would do, assuming I don't know the length, is try every thing from single digits to repeating the numbers for every extra digit up to 32 digits long (I.E.: 0-9 then 00-99 with doubles, then 000-999 with triples, etc.). Now that I have eliminated that, I would search common patterns (2 4 6 8, 1 3 5 7, byte sizes (8 16 32 64 128), year numbers, month day year combinations in every order, etc.) If I still haven't found it, thats when I'd start just incrementing the thing by 1, starting from the first number I haven't eliminated (which in this cause would be 12), and skipping everything I've already eliminated. For a computer, this would only take a few seconds to a few minutes, depending on how fast the server lets you retry.

Obviously, I'm not talking about manually typing all this in, I'm talking about writing a program to send the appropriate commands directly to the webserver, then see how it responds.

So, how does adding all that extra stuff help? Well, there's 26 letters on a US keyboard, with 2 states. so thats 52 more things the hypothetical above program has to check. just mixing numbers and letters and caps, you get 62 possibilities PER CHARACTER. Up to 32 characters, thats a lot more information that has to be eliminated. add special characters, you get 10 more for the numbers, and 11 more with 2 states. That's 84 possibilities per character. Thats 84^32 possible combinations. We started at 10^32 combinations. And for every character you add, you're increasing the exponent. Now unfortunately, most password combinations require at least 1 lower, 1 upper, and 1 special character or digit. This actually makes it easier for the computer to find out what the password is, and there's an equation to determine the possibilities after applying that rule which means that can also be accounted for.

The cool thing is, anyone can, with very little programming knowledge ( and I mean VERY LITTLE), write a program that takes the number of characters as an input, and spits out a randomly generated string of characters that can be copied to a txt file so it can be copied and pasted into your log in and most websites that have smart web designers, do not limit you to a meager 32 characters (or they don't change the default at all, which would limit the MAX password size to at least 256 characters).

*Saving it using any form of autocomplete or built in password manager (which almost every web browser has anymore). All it takes is tricking your web browser into thinking its logging into one site, but it could be logging into someone elses. It doesn't matter what kind of encryption anyone uses, if you give your enemy (the "hacker") the very information they're after.

*Accessing websites that offer illegal copies of software. Most notably, the situations in which the coder has cracked the software themselves, not just providing the GOG version (or equivalent for non-gaming software). Think about it, this person or team was smart enough to code out, or code around, software that is specifically design to keep you from playing the game, or using the software, without paying for it. Of course they could just as easily hide something in there to store all your keypresses and automatically send them to the internet. Thats the easiest thing they could do. They could also put a trojan into the software that just steals the information right off of your hard disk, and then logs into your accounts and attempts to infect others (back in the late 90s, early 2000s, this was probably the most common way of being compromised with everyone who had internet using AIM, Yahoo IM, msn messenger, ICQ or IRC to communicate, not knowing they can download things through this, its also one of the ways spam spreads through the internet).

*Stating publicly that your system, OS, network, whatever is unhackable. I'm looking at Sony and Microsoft here, who have both done this(Playstation network has been taken down numerous times thanks to Sony's arrogance, Vista was the fastest cracked OS yet thanks to Microsoft daring them to do it). You know what you're doing here? Giving the hackers a challenge. From what I've listened to from Black hat conventions, DEFCON and others, this is exactly what many starters look for. A way to prove themselves. You do this and you're just making yourself another statistic.

edit: spoilered the walls of text, got more into it than I thought I would.

#### Kola17_97

##### Spazmatism
Watch Dogs 3: TCF Edition

#### Granger

##### Terrarian
You missed the more obvious problem of the fact that the resulting password is nothing but numbers
Thats assuming the input allows only numbers. For the actual password only the lenght actually matters (or rather, matters vastly more than all the complicated techniques people think of), since we're having alphanumeral + symbol password input all those are a possibility also. Want me to throw a letter, a symbol in there? Changes absolutely nothing besides making the password a bit longer (thus adding millions more combinations possible).

You're missing exactly the point the correct horse battery staple is about, just saying.
That said i want to strangle webdevs that limit the character choice and limit the lenght of a password. Let me use even unicode for all thats holy (and unholy), it merely being allowed makes the possible combinations skyrocket into absurd counts.

#### Jeckel

##### Terrarian
Brute force hacking passwords is not the main way passwords are hacked. Ignoring social engineering and stealing/buying plaintext database files that are on the net, rule-based dictionary attacks are the most common form of password cracking used and crackers use GPUs to vastly increase the speed of testing possible passwords against their hashed versions that they get from leaked databases. The common GPU that most people have in their computers at home can make upwards of 4 billion hash checks a second and higher dollar GPUs can do 10 billion checks a second. On top of that, a decent cracker will have multiple good GPUs operating in parallel, giving them upwards of 50 billion or more checks per second. Keep that number of 50 billion attempts per second in mind when I talk about search spaces below.

A search space is the number of possible passwords that could need to be checked against the hashed version of the password that crackers are trying to break. To figure out how large the search space is take the number of possible options for each part of the password to the power of the number of parts in the password. For example take a PIN, you know that the PIN is composed of exactly four numbers, so the search space of a PIN is 10^4 (there are 10 possibilities for each number, 0-9, and 4 numbers total), meaning their are 10,000 possible PINs.

What a rule-based dictionary attack means is that a hacker sets up rules that instruct the computer in how to create possible passwords. The most basic rules are brute force-like things, such as trying each number, 0-9, then try two characters where each character is 0-9, then try three characters the same way, then four, then five, etc. The given example of '48621831179348621793' as a random string of numbers is not terrible due to its length (search space of 10^20 or 100,000,000,000,000,000,000 or 100 quintillion), but since you are using the shape method, a commonly known pattern, it is actually just five things from a very small pool '4862 1831 1793 4862 1793' (search space something like 20^5 or 3,200,000, which is tiny). It would take a cracker mere minutes to write a rule for that pattern or even less time to download a rule set that already includes it, and it wouldn't add more than a few milliseconds to the cracking attempt to check that space.

LEET speak substitution is so common that any cracker worth their salt is going to include rules in their set taking this into account, meaning that all those 3s for Es and @s for As or Os is nearly worthless and don't increase the search space by any meaningful amount. It is seriously a waste of time to do this substitution with your passwords, your time, not the crackers as they don't care since at worst it just adds maybe a few seconds to their cracking attempt run the rules that search these spaces.

The currently best strategy, if you aren't using a password manager that generates strong random passwords, is to choose four to six words to create what is known as a passphrase.

Once you are using a passphrase, you have to keep in mind the dictionary attack aspect that is used by crackers. Knowing that people use words in their passwords, crackers have long been using lists of words and letting the computer combine those words together in various ways, including rules to try the words on their own, then try the words with numbers and symbols replacing letters in the common substitution patterns, and various other simple to complex things. The kind of stuff that would take a human forever to do, but a computer, especially one that utilizing multiple GPUs, can do tens of billions of times a sec.

So, you can't just throw any words together for your passphrase. Let's use the example of four words, say 'persontimeworldhand', which seems strong because it is long, search space of 26^19 or 766,467,270,000,000,000,424,856,248 or... umm.. a whole freaking bunch. But, that is just an illusion, because no one is going to brute force that, trying every combination of letters until they happen to hit on the right ones.

Instead, the crackers use lists of words, say the 20,000 most common words, so the search space is 20,000 to the power of 4 (that is 160,000,000,000,000,000 or 160 quadrillion possible combinations). That, again, still seems like a large search space. However, all four of the words (person, time, world, and hand) are in the top 10 from wikipedia's list of most common nouns, meaning that the search space is only 10 to the 4th power (that is only 10,000). That is a trivially small number of combinations and would take no time to crack.

So, when choosing the words of your passphrase, you have to be a little more cunning, because the crackers damn sure are going to be doing so. Don't use actual phrases, 'icameisawiconquered' is probably in the crackers' dictionary. Don't choose common words, at least one or two of the words should be pretty uncommon, perhaps chosen from another language or even from a made up language like Klingon or Lord of the Rings (though the latter two, along with Harry Potter words, are probably relatively the most common options possible). Add a symbol or two into the mix. Don't put the symbols between the words and don't use a common substitution like LEET speak, just put a @ or _ or ! or whatever randomly into one or two of the words. The key is not to use a pattern that the crackers could write a rule for. The example 'persontimeworldhand', as said above, is pretty crackable, but '[email protected]' is worlds better as it won't easily fit any logical substitution pattern or dictionary list.

The youtube channel Computerphile has done several excellent videos on this topic and I highly recommend watching them. Computerphile - Password Choice is a good place to start or if you only want the most relevant info to making a good password. If you want more in-depth info on how passwords are cracked with rule-based dictionary attacks, also check out Computerphile - Password Cracking.

I hope this is helpful in explaining a few things and busting a few myths about what does and doesn't make a secure password or passphrase.

#### Sigma90

##### Brain of Cthulhu
A "full" list of potentially affected sites are on GitHub: https://github.com/pirate/sites-using-cloudflare
22 MB zipped consisting "4,287,625 possibly affected domains" at the time of writing. If you're familiar with compression, you'll know that's a huge amount for a plaintext zipped file. It looks like the list is a list of sites using CloudFlare, i.e. those that would be "potentially affected".

As Tunnel King already mentioned: Some of the potentially-affected sites may contain offensive or illicit material. If you want to check, Ctrl+F for your site(s) and don't click any links.

(Note for mods/admins: If the inclusion of the above GitHub link is not acceptable, please remove it or let me know and I'll edit and remove it.)

#### Granger

##### Terrarian
but since you are using the shape method, a commonly known pattern, it is actually just five things from a very small pool '4862 1831 1793 4862 1793' (search space something like 20^5 or 3,200,000, which is tiny).
Yes, correct, however the patterns you use are limited only by your imagination, you could make a tree, anchor, house.... and so on, using only cross, circle, sqare and such isnt going to be very safe but ultimatively its the same thing as the passphrase in a different form, i use this because i personally find strings of shapes easier to memorize than strings of words.

Personally i feel that you can type these patterns way faster than words also but maybe thats just me. (since you dont have to move your hands at all if you have a numpad)

While we're at it on the topic of password (changing): Changing your password frequently is by and large pointless and can actually be detrimental to your password strenght (not to mention difficulty remembering which you are using *now*) since people often end up being lazy and use very similar passwords over and over (-> the attacker eventually learns the pattern(s) you use rendering future passwords inefficent), defeating the point of the password change in the first place (often incremeting some number on the password). This is expecially true when forced to which is another major gripe i have with many website's password management.

Generally you dont need to change your password often at all, i reccomend changing it only maybe once a year and when you suspect a breach or you learn of recent leaks happening.

#### Jeckel

##### Terrarian
Yes, correct, however the patterns you use are limited only by your imagination, you could make a tree, anchor, house.... and so on, using only cross, circle, sqare and such isnt going to be very safe but ultimatively its the same thing as the passphrase in a different form, i use this because i personally find strings of shapes easier to memorize than strings of words.

In concept it is similar to a passphrase, but the pool is much smaller. It is true that you can do more complex shapes and the more numbers in each shape is going to increase the strength to some point, but my point was that there are only so many shapes you can make using a 3x3 grid of 9 numbers and only one cracker has to write a rule for that shape and then every cracker can add it to their automated cracking attempts.

Most people aren't going to get into more complex shapes, like a tree '2587469', most are going to stick to the 3, 4, and 5 character shapes. Even if you can come up with 1,000 shapes (though I doubt there are more than 20 to 50 of them in total, because it isn't limited by imagination, it is limited by the number of random combinations of shapes in a 3x3 grid), you are still dealing with a pathetically small search space.

I mean, if it works for you, then by all means, use it, but it isn't as secure as an equal number of random numbers or as secure as a properly chosen passphrase due to their being vastly more words than their are patterns of numbers in the 3x3 grid of a numpad.

While we're at it on the topic of password (changing): Changing your password frequently is by and large pointless and can actually be detrimental to your password strenght (not to mention difficulty remembering which you are using *now*) since people often end up being lazy and use very similar passwords over and over (-> the attacker eventually learns the pattern(s) you use rendering future passwords inefficent), defeating the point of the password change in the first place (often incremeting some number on the password). This is expecially true when forced to which is another major gripe i have with many website's password management.

Generally you dont need to change your password often at all, i reccomend changing it only maybe once a year and when you suspect a breach or you learn of recent leaks happening.

This is all completely true, spot on.

#### Sigma90

##### Brain of Cthulhu
The longer password / passphrase thing also only works if long passwords are actually supported. Microsoft, for example, limits you to 16 characters (or used to limit it; not sure if the limit was removed). A limit of 8-16 characters is somewhat common, usually on the sites that need the most security (e.g. banking sites). Even worse, some sites silently truncate password that are too long.
The limitation is ridiculous for two reasons: 1) it provides an upper bound (and/or lower bound) to how long the password must be, making brute force attacks more feasible. And 2) if they're storing passwords properly, the length doesn't matter because the resultant hash will always be the same length regardless of password length.

#### Granger

##### Terrarian
^
Yeah, the more limitations are given, the more information (and limiting search space ranges) the attacker has, resulting in them being able to adjust their filters specifically to this and fasten their search.

• Password has to be 8 letters long.
• Password must be shorter than 16 letters.
• Password must contain a capital letter, lower case letters, a symbol and a number.
• Password may not be one that has been used previously.

All ed limitations that give attackers more information than they should have. A password should be as unpredictable as possible and these things force you to use certain patterns any attacker simply can flick a checkbox on for merely by knowing these limitations exist.

In a similar vein, its why brute force attacks alone are pretty rare, the real threat is social engineering (which we're, ironically, making ourselfes vulnerable to by explaining the patterns we use here), phising and keyloggers which can defeat any password and precautions you take easily if you're not careful.
Hacking very much is about gathering intel rather than "hacking" like its shown in the movies. The more you know about a system the better you can try and find vulnerabilities (or in passwords case, patterns).

Lastly and thats pretty depressing when you think about it, any system and password is gonna get hacked eventually. IT secturity is all about delaying it and changing/fixing when breached. If you're interrested look into hacking teams FOR secturity who hack their own systems to improve it. Very interresting topic.

#### zeek games

##### Terrarian
I created my acount today

#### Aurora3500

##### Moderator
Staff member
Moderator
I created my acount today

Hello Zeek Games,

1st off, welcome to TCF, we're always happy to have new members. Posting in Threads to introduce yourself in this manner is considered off-topic however, and we require posts to be related to the Thread Topic when members post.

If you want to introduce yourself to the Community, feel free to create a Thread in this section: https://forums.terraria.org/index.php?forums/introductions.89/ by clicking the "Post New Thread" button on the top right, where you can share anything you wish to share about yourself.

Feel free to always PM myself or any Staff Member if you have questions or concerns.

#### Khaelis

##### Plantera
Came across this earlier, but never said anything because I was aware of the issues and I've made the appropiate changes to keep myself secure. But I thought I'd make this comment to give a bit of an update on some stuff related to the Yahoo email fiasco that happened last year.

Here's another update to that issue: https://www.theregister.co.uk/2017/02/16/yahoo_forged_cookie_hack_risk/?mt=1488341522716

Basically hackers can forge login cookies to access your Yahoo email accounts, if they're smart enough to do it or know where to obtain them. Yahoo is essentially no longer a safe email to use, as far as I can understand. I didn't want to do it, but my yahoo emails have already been set for deactivation and deletion in the coming months and new emails have been made. I suggest anyone who still uses Yahoo for their email services to make the switch to Google Mail (gmail) or another safer option.

Going to tag @Aurora3500 @Matsu and @Tunnel King to let them know of this issue.

#### MarioKart7z

##### Plantera
Is a Yahoo email account the same thing as a Yahoo answers account?

#### Khaelis

##### Plantera
Is a Yahoo email account the same thing as a Yahoo answers account?

If you can acccess email services with the account, then it probably means "yes."

#### MarioKart7z

##### Plantera
If you can acccess email services with the account, then it probably means "yes."
Well i'm not too worried, lately i've been using Blur (a plugin for Firefox) to replace my passwords with randomly generated ones that even I don't get to know, but it also remembers the passwords for me