2010-02-08, 07:20 AM
MissingLink Wrote:It's been said many times before, but worth repeating if it saves just one account:Rainbow tables wouldn't be usable if Nexon used a nonce/salt in their hashing algorithm (see: http://chargen.matasano.com/chargen/2007...out-s.html). As that article explains, if you store the salt in cleartext into the database, this is already enough to make rainbow tables essentially unusable. And the security would be even better if the salt was hashed and stored in a separate database on another server (and then you could configure that server to only accept IPs in Nexon's network).
Make sure that you have a decent password, 10-characters long minimum, with a random mix of numbers, lower case and upper case letters. Anything less than this may be be crackable using rainbow tables.
Examples of cracked passwords from project-rainbowcrack.com:
919003358553 cracked in 12 seconds, 12-digit, numbers only
ytnmallgl cracked 29 seconds, 9-digit, lower-case letters only
91e8uct92 cracked in 172 seconds, 9-digit, numbers and lc-letters
xHYqkUB2 cracked in 623 seconds, 8-digit, numbers, lc and uc letters
Note that simple reasoning would say an 8-digit numb+lc+uc should take:
62^8=218 trillion possibilities
Even assuming 1 billion tests per second should mean 218,000 seconds = 60 hours to crack.
NO, doesn't work that way.
So the only way to end this craze is for Nexon to upgrade security. At minimum, they need to start using a salt in their hashing algorithm (supposing that they do not already do so). It would be even better if they switched to a more secure hash algorithm and one without a known cryptanalysis (e.g., Eksblowfish, SHA-2 family, one of the SHA-3 Round 2 candidates, etc.). At this point, I suppose we need to (somehow) force/convince them to do it because it's now 1.5-2 months(?) and counting since these hackings started.

