
Thread: Heartbleed Vulnerability and your Passwords

  1. #1

    Funcom Heartbleed Vulnerability and your Passwords

    Hello Everyone

    I'm sorry if this post gets quite technical in places. If you are not all that interested in the technical aspects, then please read the parts in bold and feel free to ask questions.

    I'm sure most of you have read the news about the OpenSSL vulnerability that has affected most of the internet in the past few days. I wanted to post a short update about how Funcom was affected and our recommendation on your password(s).

    Like most other sites, we use OpenSSL for our encryption when you are browsing using https. This affected our registration site(s), The Secret World's Chronicle site and our Item Shops. Once we heard about the vulnerability we immediately patched all of our sites, and the work was completed at 10am GMT on the 8th April, well before the vulnerability hit mainstream media.

    Why is this vulnerability so serious?
    Well, the short story is that it allowed an attacker to read the process memory of the web server in 64KB chunks.

    Due to the way our technical setup works, this actually affected us less than many other sites. We only use our web servers as a pass-through for data, rather than actually using the web server to execute code (à la Apache+mod_php).

    However, there is important information stored in the web server's memory, such as the security certificate that we use to encrypt your requests. Also, it is possible that information submitted to the web servers resided in memory for a short period of time while it passed through the web server.

    All our security certificates will also be re-issued to ensure that any data that was leaked is no longer valid.

    What should I do to protect myself?
    We have decided not to enforce password changes on everyone. This is extremely disruptive and since we have no evidence that passwords are compromised, we don't believe it will help.

    You are of course free to change your passwords, and we'd also recommend doing so regularly.

    Funcom does however recommend the following for ALL users:
    1. It is very important that you use SEPARATE passwords for at least Email, Online Banking, PayPal and Game Logins.

    We understand that remembering multiple passwords is difficult. Having a separate password for every site is the gold standard, and to do that you really need to have a password manager (KeePass, LastPass etc.).

    2. Never use your game password to log into anywhere other than register.funcom.com (or game variants) and the game itself.

    Don't use it on fan sites, guild sites, your favorite music message board etc. The admins of these sites do great work, but the more places you use the same password, the more exposed you are.

    3. If your password is in this list, change it: http://www.symantec.com/connect/blog...words-all-time

    The next version of our registration site will simply ban this list from being used.

    4. Your email password is your MOST important password.

    Please keep in mind that if your email password is compromised, then all your passwords can be reset. This is a very common way that we see game accounts getting hacked.

    5. Any password that you make should be LONG (ideally more than 10 characters!).

    This isn't as hard as it sounds and really does make your password much more secure. If you only use lowercase letters, then an 8-character password has 208 billion combinations, actually not that many for a modern processor, especially if the data is only weakly encrypted. If you double that to 16 characters, then there are actually 43608742899428 billion combinations.

    To put that in context, if it's 200 meters to the end of your street, with an 8-character password you were only making them walk to the end of the street to crack it. With a 16-character password you are now making them walk around the planet over 1 million times.

    If you add in uppercase letters and numbers, then it is even harder to crack, but an 8-character mixed case+numbers password is only about 1000x harder than an all-lowercase password, so length of password is critical.

    If you don't want to use a password manager, then come up with a system for passwords. For example, if your standard password is WkF3g99X, then add something to it for each site, e.g. FuncomWkF3g99X, PaypalWkF3g99X, SteamWkF3g99X etc. In doing so you have just created a unique password for each site, while only having to remember one password.

    Password security is no longer about someone you know guessing your pet's name and date of birth. It’s about websites being compromised, databases being stolen and your password being cracked using a rainbow table. The longer and more unique your password is, the less likely it will be in a rainbow table.

    6. Even after all of this… your brother/sister* is the most likely person to hack your account
    Sad, but true, we get cases of this every single day. Don’t leave your iPad lying around the house logged into your email or give them your game password.

    * This may also apply to your loving girlfriend/wife/boyfriend/husband, your mother or house mates (because you pwned them last night in the arena).

    I'll also make a thread in the general discussion forums. If you have any questions about password security, I will be happy to answer them today as best I can.

    Regards,
    Alex Cowan (aka Lucien)
    Billing Director
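The arithmetic behind points 3 and 5 of the post above (the size of the password keyspace, the "walk around the planet" comparison, and the banned-list check the post says the next registration site will perform), as an added example that is not Funcom's code and not part of the original thread. The banned list, the 10-character minimum and the Earth circumference used for the analogy are assumptions chosen for illustration; the real list is the Symantec one linked in the post.

```python
"""Password-policy arithmetic and a registration-time check (added illustration)."""
import math
from typing import List, Set

LOWERCASE = 26                 # a-z
MIXED_CASE_DIGITS = 26 + 26 + 10  # a-z, A-Z, 0-9

# Constructed stand-in for the banned list the post links to (assumption).
BANNED_PASSWORDS: Set[str] = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
}

STREET_METRES = 200            # the post's "end of your street"
EARTH_CIRCUMFERENCE_M = 40_075_000  # assumption: equatorial circumference


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from
    an alphabet of `alphabet_size` symbols (the post's "combinations")."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def planet_laps(short_len: int, long_len: int, alphabet_size: int = LOWERCASE) -> float:
    """The post's analogy: if cracking the short password is a walk of
    STREET_METRES, the long password is that walk scaled by the keyspace
    ratio; return the result as laps around the planet."""
    ratio = keyspace(alphabet_size, long_len) / keyspace(alphabet_size, short_len)
    return STREET_METRES * ratio / EARTH_CIRCUMFERENCE_M


def mixed_vs_lower_factor(length: int) -> float:
    """How many times larger the keyspace gets by adding upper case and
    digits at the same length (the post says 'only about 1000x' for 8)."""
    return keyspace(MIXED_CASE_DIGITS, length) / keyspace(LOWERCASE, length)


def check_password(password: str,
                   banned: Set[str] = BANNED_PASSWORDS,
                   min_length: int = 10) -> List[str]:
    """Registration-time policy check. Returns the list of reasons the
    password is rejected; an empty list means it is accepted. The
    comparison is case-insensitive so 'Password' is caught as well."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in banned:
        problems.append("appears on the banned-password list")
    return problems


if __name__ == "__main__":
    print(f"26^8  = {keyspace(LOWERCASE, 8):,}")
    print(f"26^16 = {keyspace(LOWERCASE, 16):,}")
    print(f"8-char lowercase: {entropy_bits(LOWERCASE, 8):.1f} bits")
    print(f"16-char lowercase: {entropy_bits(LOWERCASE, 16):.1f} bits")
    print(f"mixed case + digits at 8 chars is {mixed_vs_lower_factor(8):.0f}x lowercase")
    print(f"16 vs 8 lowercase chars: {planet_laps(8, 16):,.0f} laps of the planet")
    for candidate in ("password", "WkF3g99X", "correcthorsebatterystaple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Running the script reproduces the post's figures: 26^8 is about 208 billion, 26^16 is about 43608742899428 billion, the mixed-case-plus-digits alphabet at 8 characters buys only a factor of roughly 1000, and doubling the length from 8 to 16 lowercase characters turns a 200-metre walk into over a million laps of the planet. The `check_password` function is the shape of check a registration form can run before accepting a new password.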
