Posting Freak
Posts: 1,711
Threads: 10
Joined: 2008-07
Gender: Male
Sexual Orientation: Straight
Country Flag: canada
IGN: Beserked
Server: Scania
Level: 200
Job: Hero
Guild: Synergy
You can change your password up to twice a day (Resets at 12am PST).
But this is a great method =]
Still screwed if they find out the email attached and hack your account via redeeming pass.
Posting Freak
Posts: 18,970
Threads: 319
Joined: 2008-07
2010-01-19, 02:23 AM
(This post was last modified: 2010-01-19, 02:26 AM by Takebacker.)
Spideyjvc Wrote:I'm not sure how you can check your email for your own account, to tell you the truth.
http://wiki.answers.com/Q/How_do_you_fin...Maplestory
@above: That isn't likely to happen, since these are not targeted attacks. It's just a quick hit and run. If they can't get into your account, they'll move on to the next one immediately.
Posting Freak
Posts: 9,882
Threads: 342
Joined: 2009-01
Spideyjvc Wrote:The last thing you want to do is verify if you know the email by resetting your password. You'll never get that password email, and thus lose your temp password.
Wait. Resetting your password, to verify your e-mail? :f6: If there's a way to ScrewedVille, this has got to be it.
Posting Freak
Posts: 1,268
Threads: 73
Joined: 2008-08
Thanks bunches, dear.
Locked both the hubby's accounts, since he doesn't have access to MS at the moment anyway. Now I can rest easy and not worry about DCing overnight.
Junior Member
Posts: 9
Threads: 1
Joined: 2008-11
Spideyjvc Wrote:So what do you do?
Create a password that cannot be used, even if it was cracked. Initially, my theory was to use a password with special text characters in it. This would make it EXTREMELY difficult to crack, if this group has the MD5 hashes. However, you cannot copy+paste into the Maplestory client, so that part of my plan was ruined. But then I realized that this password didn't work even on Nexon's site.
Does anyone know if the passwords were encrypted in Nexon's database? I was under the impression that md5 was near imposable to crack but a simple google search seems to prove that wrong (I didn't test it tho). So i suppose it could have been encrypted and the hackers just ran a crack algorithm on all the passwords and it wouldn't matter.
I guess this isn't really the place for this kind of question... but does the MD5 algorithm creating non-unique strings make it more or less vulnerable?
Anyways, great find. You are surely a critical thinker.
Posting Freak
Posts: 4,302
Threads: 256
Joined: 2008-07
Gender: Male
Level: 251
Spideyjvc Wrote:The last thing you want to do is verify if you know the email by resetting your password. You'll never get that password email, and thus lose your temp password.
To make sure you have the birthday correct, you need the birthday to change your password anyway. Go to your account page and verify there. I'm not sure how you can check your email for your own account, to tell you the truth.
You can request a PIN reset via email. If I remember correctly, it doesn't go into effect unless you receive the email and click the link.
Or what Steve suggested.
Senior Member
Posts: 456
Threads: 38
Joined: 2008-08
BombsAway Wrote:It's clear that their goal isn't to get anything, it's just revenge because they were treated badly. And they're taking it out on everyone.
Then why would they bother to strip accounts and sell everything for mesos in shops rather than npc the stuff? The simply can't target people and are going on accounts at random, but there's so many accounts to go through (and so many are worthless), that it just takes a while.
Senior Member
Posts: 345
Threads: 36
Joined: 2008-07
2010-01-19, 03:14 AM
(This post was last modified: 2011-07-13, 01:26 PM by Hiepocrite.)
.
Posting Freak
Posts: 9,129
Threads: 484
Joined: 2009-03
Gender: Female
Hotshot Wrote:Then why would they bother to strip accounts and sell everything for mesos in shops rather than npc the stuff? The simply can't target people and are going on accounts at random, but there's so many accounts to go through (and so many are worthless), that it just takes a while.
Because it's easier to enjoy revenge when there are tangible benefits.
Posting Freak
Posts: 4,302
Threads: 256
Joined: 2008-07
Gender: Male
Level: 251
Hm, would they even bother with an account with only a couple mil of items on it and no characters above 40? I'm wondering if I should bother taking any safety measures or not.
Even if I do lose what I still have left on MS, it wouldn't matter much, but it'd still be pretty jarring.
Senior Member
Posts: 550
Threads: 26
Joined: 2009-05
Gender: Male
Sexual Orientation: Straight
Awesome! Now I can protect my account!
That is, if my email wasn't dead and Nexon wasn't ignoring my ticket to change it. How long on average does Nexon take to answer tickets again...?
Posting Freak
Posts: 763
Threads: 89
Joined: 2008-08
2010-01-19, 03:41 AM
(This post was last modified: 2010-01-19, 03:44 AM by Goals.)
Why go though the trouble of typing up a hard password with a variety of hard symbols when one symbol will render the entire password useless. Locking your account should only take like 30 seconds at most. I would set up a general unuseable password for all my accounts on a wordpad to save time. Thanks a million though! I will be using this as my permanant account guard. ^__^
Hiep Wrote:How much safer would it be to use special characters like !@#$%^&*()_+./;'][? And do upper case letters make a difference?
Any single special character will make the password 100% safe. The main problem is if the hacker cracks your email, I think.
Posting Freak
Posts: 1,099
Threads: 29
Joined: 2009-10
Goals Wrote:Why go though the trouble of typing up a hard password with a variety of hard symbols when one symbol will render the entire password useless BECAUSE IT'S PRETTYFUL! Come on, why would you want ☆LetMeSing★ as a password?!
Goals Wrote:Any single special character will make the password 100% safe. The main problem is if the hacker cracks your email, I think.
Those work? I haven't tested them.
Senior Member
Posts: 470
Threads: 36
Joined: 2008-07
2010-01-19, 04:21 AM
(This post was last modified: 2010-01-19, 04:27 AM by MysticHLE.)
Spideyjvc Wrote:BECAUSE IT'S PRETTYFUL! Come on, why would you want ☆LetMeSing★ as a password?!
Those work? I haven't tested them.
I think he means only 1 single special character is needed along with the minimum requirement length.
There is one thing I'm skeptical though about this method...and that's how the server translates/encodes and stores these special characters. It's quite possible that these special characters that we're entering ends up getting turned into arbitrary regular characters upon storage. I'm not sure what kind of input templates Nexon server accepts/stores with...but take URL character codes for example...a %20 actually denotes a regular space character. So it may very well be possible that we enter our password as "©password" but it ends up being stored as "$2Dpassword" or some other sort, which would of course, prevent us from accessing our account from both the game and website since we wouldn't know that © gets turned into $2D upon encoding and storage. And of course at the same time, it might be entirely hashable still.
Just putting this out here for the possibility of this occuring. It may not be as fail-proof as we think - but let's hope it is.
Posting Freak
Posts: 4,302
Threads: 256
Joined: 2008-07
Gender: Male
Level: 251
MysticHLE Wrote:I think he means only 1 single special character is needed along with the minimum requirement length.
There is one thing I'm skeptical though about this method...and that's how the server translates/encodes and stores these special characters. It's quite possible that these special characters that we're entering ends up getting turned into arbitrary regular characters upon storage. I'm not sure what kind of input templates Nexon server accepts/stores with...but take URL character codes for example...a %20 actually denotes a regular space character. So it may very well be possible that we enter our password as "©password" but it ends up being stored as "$2Dpassword" or some other sort, which would of course, prevent us from accessing our account from both the game and website since we wouldn't know that © gets turned into $2D upon encoding and storage. And of course at the same time, it might be entirely hashable still.
Just putting this out here for the possibility of this occuring. It may not be as fail-proof as we think - but let's hope it is.
(Disclaimer: I don't really know what I'm talking about.)
Well, that's an issue with character encoding. I doubt that Nexon's site transforms ©password into anything else, since © is in the default "Western" character codepage ( ISO-8859-1). For one thing, posting to Southperry doesn't do anything with it either; it shows up as a literal © in the source code.
However, if passwords don't handle Unicode (which is probably true), then Japanese characters or anything else not on the codepage will be turned into a sequence of other symbols, probably something like ÆÕ¼. Chances are, though, that this still produces an unusable password.
And in any case, entering in the same password with the same special characters and the same codepage in use should convert to the same other symbols and be accepted as a password, so if it doesn't, then you're probably safe.
Senior Member
Posts: 470
Threads: 36
Joined: 2008-07
The thing is, if it doesn't encode it into anything else and is stored as it is, it doesn't quite fully explain how the web forms for logging into your account on the site would not work while the resetting password form does. I would think it would be standard practice to use a same input form for a password field? Nonetheless, here's still hoping that this method works. lol
Junior Member
Posts: 9
Threads: 1
Joined: 2008-11
2010-01-19, 06:34 AM
(This post was last modified: 2010-01-19, 06:44 AM by SpikeAi.)
MysticHLE Wrote:The thing is, if it doesn't encode it into anything else and is stored as it is, it doesn't quite fully explain how the web forms for logging into your account on the site would not work while the resetting password form does. I would think it would be standard practice to use a same input form for a password field? Nonetheless, here's still hoping that this method works. lol
1) Go to Nexon.net
2) In upper left right under where it says "free signup" click the option "already a member click here" When you do this the "free signup" button is replaced with login fields. Under the login fields there are 3 options - Find ID: Requires you to fill out an Email and a birthdate. If the email exist in their records and the birthday is correct then a email is sent to that address with the login ID.
- Find P/W: Requires you to fill out ID and Birthday.
- Find Pin: Requires you to log in, once logged in you click the "info button". And on the info page there is a button to send a pin reset email. Nothing happens to your pin until you open the email and click the link and then your pin is cleared and next time you log in you will be prompted to set it.
So easiest way to use this technique to protect your account is to first, do a Find ID. Then check your email. If you received an email and the ID is the account you intended then you will have the information (email, id, and birthdate) required to reset your password.
==============================
(Disclaimer, I'm not a cryptography expert, this is just hypothesis)
I was also kinda curious about the storage of the passwords. Like what MysticHLE pointed out.
Has anyone tried the same passwords just with the special characters stripped out. Example: ©opy©at = opyat. Stripping those characters might be a byproduct of security against sql injections.
Also I thought that the hashes used will may create collision prone keys (IE possibility that multiple passwords that once encrypted, are the same).
If this is true upon decryption an alternate (yet functional) password may be returned to the hacker and render this method useless.
Posting Freak
Posts: 6,052
Threads: 182
Joined: 2008-07
Guess I'll be taking a break from MS for some time. I'll change my password into something unusable and find some game to fill my time inbetween...
Member
Posts: 201
Threads: 0
Joined: 2009-05
Russt Wrote:Hm, would they even bother with an account with only a couple mil of items on it and no characters above 40? I'm wondering if I should bother taking any safety measures or not.
Even if I do lose what I still have left on MS, it wouldn't matter much, but it'd still be pretty jarring. Probably depends on their mood at the time. If they've just had a couple of juicy hits, they might not bother. But then again, they bothered to npc (probably) clean 3x equipment, and shift 50+ slots of ores and refined stuff.
Won't Be Coming Back
Posts: 2,993
Threads: 286
Joined: 2008-08
Gender: Male
Interesting solution. I was going to say your plan could be backfired, but I forgot that the hacker does not know your dob, which technically means you're safe, because without knowing that, they cannot alter the current password on the site even if they have your current info. Nice going, Spidey ...for a man.
|