
Passwords pillaged from League of Legends wand-strokers

Passwords, email addresses, dates of birth and other sensitive data have been plundered from the player databases of fantasy strategy game League of Legends. Publisher Riot Games sent emails to its online role-players in West, Nordic and East Europe, and posted on its website, to warn that hackers had raided their account …

COMMENTS

This topic is closed for new posts.

security ninjas?

Really? What next, I wonder - bear sharks?

ttfn

0
0
Anonymous Coward

SaS 70 II

I thought ninjas were on the SAS70 II list? I always tell people that when I am teaching....

- Ninjas

- Frickin Sharks with lazers

- Man traps

- Machine gun nests

- Razor wire

I can see what Riot have done wrong here. They need to implement the rest of the core controls.

0
0
Silver badge
Unhappy

Hash 'n' Bash

“Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking,” Riot stated.

Why are they storing passwords at all, instead of using a one-way hash? Is it that the Riot spokes-muppet doesn't know the difference or they really are storing actual passwords?

The only reason you would store the actual passwords of your users is if you want to know what those passwords are, and you have to ask why they would want to know that?

0
2
Mushroom

Re: Hash 'n' Bash

Hmmmm

Maybe he has been told they were hashed, and not "we only store the hashes" because.... most of the media won't know the difference anyway.

A rainbow table will still give you the password (or a selection depending if it's on a collision). Either way, if people have stupid passwords they are likely to be compromised even if they were just hashes.

1
0
Silver badge

Re: Hash 'n' Bash

A rainbow table will still give you the password (or a selection depending if it's on a collision). Either way, if people have stupid passwords they are likely to be compromised even if they were just hashes.

While you can equally use a rainbow table (or any other method, for that matter) equally well on hashes as well as encrypted passwords, both cases require access to the cyphertext or hashes. If you work out a single password from a hash, you have compromised a single password. If you work it out from cyphertext then you have got the lot (even the more secure ones). In other words if you store encrypted passwords rather than hash values then it doesn't matter if some passwords are complex, a single weak password will compromise them all.

1
0
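The storage question argued in the "Hash 'n' Bash" sub-thread, as an added example that is not part of any poster's comment and not Riot's code: it contrasts an unsalted fast digest, which a precomputed table resolves for weak passwords, with a per-user salted, slow one-way hash. Salting goes beyond what the thread mentions; the account names, passwords, word list and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

# Constructed sample accounts: two users share one weak password.
USERS = {"alice": "dragon123", "bob": "dragon123", "carol": "T7#vq!Lm2@xR9z"}
# Constructed stand-in for a precomputed table of common passwords.
COMMON = ["password", "123456", "dragon123", "letmein"]


def unsalted_sha256(password):
    """Fast, unsalted digest: equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table(words):
    """Digest -> password map, computed once and reusable against any dump."""
    return {unsalted_sha256(w): w for w in words}


def exposed_by_table(stored, table):
    """Accounts whose stored digest appears in the precomputed table."""
    return {user: table[d] for user, d in stored.items() if d in table}


def hash_password(password, salt=None):
    """Salted, deliberately slow one-way hash; returns (salt, derived key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


if __name__ == "__main__":
    unsalted = {u: unsalted_sha256(p) for u, p in USERS.items()}
    print("table hits:", exposed_by_table(unsalted, lookup_table(COMMON)))
    salted = {u: hash_password(p) for u, p in USERS.items()}
    print("alice/bob records equal:", salted["alice"] == salted["bob"])
    print("login ok:", verify_password("dragon123", *salted["alice"]))
```

With a per-user salt the two identical passwords produce different records, so one precomputed table no longer covers the whole database; a weak password is still guessable one account at a time, which is what the work factor slows down.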
Silver badge
Joke

"sent emails to its online role-players in West, Nordic and East Europe"

Players in Asgard and Middle Earth are left in the cold?

Racists!

0
1
Silver badge
Joke

Re: "sent emails to its online role-players in West, Nordic and East Europe"

Well, the gods are in Asgard, and I don't think they have too much to worry about.

0
0