• Time To Change Your Password For Everything: Bohemia Interactive Hacked
[QUOTE]We have unfortunately discovered that an illegal attempt has been made to access certain of our online websites, leading to the download of a database containing usernames, email addresses and encrypted passwords. Please note due to the encryption of the passwords it is very unlikely that anything nefarious can be done with this information. We would like to reassure everyone that no other information such as credit card details is stored by us and thus was not at any risk from this illegal breach.[/QUOTE] Source: [url]http://www.pcgamer.com/2013/07/12/bo...sswords-taken/[/url] Steamrep had a banner going across their front page saying this: [QUOTE]Bohemia Active, makers of the ARMA series, have had their databases compromised. [U]PLEASE make certain to change your passwords and NEVER use the same password for Steam that you use anywhere else.[/U][/QUOTE] I totally use a different password than steam for everything.
this is not even scary anymore as it happens once per week. the solution I found is to have a different password for every single thing using combinations and write down each of them in a notebook.
[quote]Please note due to the encryption of the passwords it is very unlikely that anything nefarious can be done with this information.[/quote] This is the equivalent of stealing a top of the line safe. Sure, they have the safe now, but good fucking luck getting inside. (Except it's actually easier to crack open a top of the line safe than it is to crack the encryption.)
Well shit, I got Arma 2 on sale from their website last year. Using another password now though.
[QUOTE=Anthracite;41430741]this is not even scary anymore as it happens once per week. the solution I found is to have a different password for every single thing using combinations and write down each of them in a notebook.[/QUOTE] I use LastPass to generate and contain my passwords. Notebooks can be stolen and opened; AES256 encryption is not so easy to crack.
[QUOTE=SGTNAPALM;41430773]I use LastPass to generate and contain my passwords. Notebooks can be stolen and opened; AES256 encryption is not so easy to crack.[/QUOTE] Notebooks are impossible to crack remotely, so as long as he doesn't become the victim of a burglary, he is safe.
[QUOTE=Thund3rdome;41430837]Notebooks are impossible to crack remotely, so as long as he doesn't become the victim of a burglary, he is safe.[/QUOTE] He did say "notebooks can be stolen and opened", that's being a victim of burglary.
[QUOTE=dgg;41430862]He did say "notebooks can be stolen and opened", that's being a victim of burglary.[/QUOTE] When you compare AES256 vs a physical notebook, I think the risk of getting hacked is higher than getting burglarized. Not to mention safes and other physical blockades. Not to say that you can't set up several of these virtual keychains, but I still believe it's easier and less of a hassle to hack someone from your home. I'm not too familiar with hacking, but doesn't the ability to remove traces further increase the advantages of hacking someone vs breaking into their home?
passwords are encrypted move along
[QUOTE=Noss;41430959]passwords are encrypted move along[/QUOTE] And encryption is un-decryptable?
[QUOTE=Thund3rdome;41430878]When you compare AES256 vs a physical notebook, I think the risk of getting hacked is higher than getting burglarized. Not to mention safes and other physical blockades. Not to say that you can't set up several of these virtual keychains, but I still believe it's easier and less of a hassle to hack someone from your home. I'm not too familiar with hacking, but doesn't the ability to remove traces further increase the advantages of hacking someone vs breaking into their home?[/QUOTE] The FBI could get a team together to raid a place and buy a drill to open a safe. The FBI once tried to open a TrueCrypt container that was protected with AES256 encryption. [url=http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/]They tried to crack it for a year straight before they finally gave up.[/url] It would take a megacorporation or a very powerful government to even [I]begin[/I] to have the resources needed to crack this kind of encryption. Even then, with a proper password, it would take them thousands of years to get anywhere with it. Some cyber thief with a laptop and a couple dozen server farms won't be able to do it.
After all that's happened over the past couple years, I still haven't changed my password for anything. I like to live on the edge.
[QUOTE=SGTNAPALM;41431021]The FBI could get a team together to raid a place and buy a drill to open a safe. The FBI once tried to open a TrueCrypt container that was protected with AES256 encryption. [url=http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/]They tried to crack it for a year straight before they finally gave up.[/url] It would take a megacorporation or a very powerful government to even [I]begin[/I] to have the resources needed to crack this kind of encryption. Even then, with a proper password, it would take them thousands of years to get anywhere with it. Some cyber thief with a laptop and a couple dozen server farms won't be able to do it.[/QUOTE] About the TrueCrypt container: Passwords are stored in plaintext in the container, correct?
[QUOTE=SGTNAPALM;41430773]I use LastPass to generate and contain my passwords. Notebooks can be stolen and opened; AES256 encryption is not so easy to crack.[/QUOTE] unless you have some very valuable accounts i doubt anyone is going to physically rob you for passwords. [QUOTE=Thund3rdome;41430976]And encryption is un-decryptable?[/QUOTE] according to wikipedia the nsa is comfortable using aes-256 for top-secret information. i think aes is pretty fucking secure.
[QUOTE=Thund3rdome;41431073]About the TrueCrypt container: Passwords are stored in plaintext in the container, correct?[/QUOTE] You could theoretically just have a notepad document with a bunch of passwords listed in, yes. [editline]12th July 2013[/editline] [QUOTE=yawmwen;41431109]unless you have some very valuable accounts i doubt anyone is going to physically rob you for passwords. according to wikipedia the nsa is comfortable using aes-256 for top-secret information. i think aes is pretty fucking secure.[/QUOTE] Exactly. The chances of some random hacker cracking this are extremely limited when the US government has a hard time doing so themselves. As for being robbed, accidents happen. You might just get unlucky and a burglar comes in and ransacks your house. Then they might take credit cards, passwords, etc. They might not be targeting you, specifically, for your passwords, but the possibility of being robbed is still there. I'm not comfortable with taking that chance is all. [editline]12th July 2013[/editline] [QUOTE=Thund3rdome;41430976]And encryption is un-decryptable?[/QUOTE] There's no such thing as un-decryptable. However, there is such a thing as "so difficult to decrypt as to not be reasonably sound to do so."
Would it then be impossibly hard to keylog someone's decryption key and use that to access the TrueCrypt container? Might be a much easier way than to actually try to crack the container.
To crack 128bit encryption it would take a PC that can guess 1 trillion keys per second 2 million million million years to crack. Gooooooood luck
[QUOTE=Thund3rdome;41431189]Would it then be impossibly hard to keylog someone's decryption key and use that to access the TrueCrypt container? Might be a much easier way than to actually try to crack the container.[/QUOTE] Possibly, if the mark isn't careful. A robber could conceivably break into somebody's house and rewire one's keyboard to pass through a bug inside the keyboard. One could then retrieve the bug at a later date or have it wirelessly transmit to a different location. This is very difficult to detect. However, innovations such as dual-factor authentication limit the usefulness of solutions such as that. Or you could put a virus on their machine, but if a mark is careful enough to encrypt their files in such a way it stands to reason that they have taken precautions against that as well.
Alright. Might consider using TrueCrypt in the future then.
wait, the ARMA games don't require any other activation but steam, no? then I am safe.
[QUOTE=Thund3rdome;41431189]Would it then be impossibly hard to keylog someone's decryption key and use that to access the TrueCrypt container? Might be a much easier way than to actually try to crack the container.[/QUOTE] Well duh if you can get the password you don't have to crack anything :downs: [editline]12th July 2013[/editline] [QUOTE=SGTNAPALM;41431214]Possibly, if the mark isn't careful. A robber could conceivably break into somebody's house and rewire one's keyboard to pass through a bug inside the keyboard. One could then retrieve the bug at a later date or have it wirelessly transmit to a different location. This is very difficult to detect. However, innovations such as dual-factor authentication limit the usefulness of solutions such as that. Or you could put a virus on their machine, but if a mark is careful enough to encrypt their files in such a way it stands to reason that they have taken precautions against that as well.[/QUOTE] Of course lastpass does offer dual-factor authentication :)
[QUOTE=Thund3rdome;41430976]And encryption is un-decryptable?[/QUOTE] yep i'm sure the hackers are going to invest billions of dollars in a supercomputer so that they are able to play ARMA with stolen accounts
So will this affect anyone who's played ARMA 2/3 or is it just those who have accounts on Bohemia's site/forum?
[QUOTE=Anthracite;41430741]this is not even scary anymore as it happens once per week. the solution I found is to have a different password for every single thing using combinations and write down each of them in a notebook.[/QUOTE] I imagine it's an absolute BITCH to do simple logins with two dozen different passwords to search through for half a minute just to log in to Tumblr or Facepunch or something.
[QUOTE=Nitro836;41431369]I imagine it's an absolute BITCH to do simple logins with two dozen different passwords to search through for half a minute just to log in to Tumblr or Facepunch or something.[/QUOTE] Or you can just store your passwords mentally, like me (provided that you actually can).
Passwords changed.
[QUOTE=mobrockers;41431304]Well duh if you can get the password you don't have to crack anything :downs: [editline]12th July 2013[/editline] Of course lastpass does offer dual-factor authentication :)[/QUOTE] I should point out that if someone is willing to break into your house in order to place a bug on your computer in the way that I just described, you have more important things to worry about, such as how well you pay the team of armed guards that you hired.
The trick is to not log out.
[QUOTE=Nitro836;41431369]I imagine it's an absolute BITCH to do simple logins with two dozen different passwords to search through for half a minute just to log in to Tumblr or Facepunch or something.[/QUOTE] I use keepass with randomly generated passwords.
Thanks for showing TrueCrypt, now my legitimate G-rated movies are safe :)