2009-01-27, 02:00 AM
Judgment Wrote:I think they were able to obtain MSEA passwords because their rankings page was exploitable to display the characters log-in info or something. (That explains why their Rankings page is unavailable.)
Even then, the passwords should really only be stored on a server in their (special) hash function product. They don't need to know the password itself; if the user can provide a password that hashes to the value keyed to the user's login ID, then they're good to go.
(technically there could be infinite values that can hash to any one hash, but the odds of this happening are pretty much nil for good hash functions)


