MysticHLE Wrote:The thing is, if it doesn't encode it into anything else and is stored as it is, it doesn't quite fully explain how the web forms for logging into your account on the site would not work while the resetting password form does. I would think it would be standard practice to use a same input form for a password field? Nonetheless, here's still hoping that this method works. lol
1) Go to Nexon.net
2) In upper left right under where it says "free signup" click the option "already a member click here" When you do this the "free signup" button is replaced with login fields. Under the login fields there are 3 options
- Find ID: Requires you to fill out an Email and a birthdate. If the email exist in their records and the birthday is correct then a email is sent to that address with the login ID.
- Find P/W: Requires you to fill out ID and Birthday.
- Find Pin: Requires you to log in, once logged in you click the "info button". And on the info page there is a button to send a pin reset email. Nothing happens to your pin until you open the email and click the link and then your pin is cleared and next time you log in you will be prompted to set it.
So easiest way to use this technique to protect your account is to first, do a Find ID. Then check your email. If you received an email and the ID is the account you intended then you will have the information (email, id, and birthdate) required to reset your password.
==============================
(Disclaimer, I'm not a cryptography expert, this is just hypothesis)
I was also kinda curious about the storage of the passwords. Like what MysticHLE pointed out.
Has anyone tried the same passwords just with the special characters stripped out. Example: ©opy©at = opyat. Stripping those characters might be a byproduct of security against sql injections.
Also I thought that the hashes used will may create collision prone keys (IE possibility that multiple passwords that once encrypted, are the same).
If this is true upon decryption an alternate (yet functional) password may be returned to the hacker and render this method useless.

