Thread: RSPS Password Grabbing [Security Flaw]

  1. #11  
    Mgt Madness (Owner of Dawntained)
    This is a legitimate issue for big servers that save passwords in plain text, personally experienced it
     

  2. #12  
    rebecca (Registered Member)
    lmao, so obvious but a good thread, seems like this only affects the brain dead ruse people mostly
     

  3. #13  
    Omar
    Not a terrible thread, even if everyone memes on it. Ideally, if you're going to allow saving of credentials, you'd probably want to store some sort of token unique to the machine rather than the actual password.
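Added example (not from any post in this thread, and not any server's actual code): one way to implement the per-machine token idea from post #13 in Java, where the client saves a random server-issued token and the server keeps only its SHA-256 hash. The class name, the `deviceId` parameter and the in-memory map are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: "remember me" through a per-device token; the password is never written to disk.
public class RememberMeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    // Server side: "username|deviceId" -> SHA-256 of the token (stand-in for a database table).
    private final Map<String, byte[]> stored = new ConcurrentHashMap<>();

    // Called after a successful password login; the client saves only the returned token.
    public String issue(String username, String deviceId) {
        byte[] raw = new byte[32];                 // 256 random bits, not derived from the password
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        stored.put(key(username, deviceId), sha256(token));
        return token;
    }

    // Later logins present the token instead of a password.
    public boolean verify(String username, String deviceId, String token) {
        byte[] expected = stored.get(key(username, deviceId));
        // MessageDigest.isEqual avoids leaking the position of the first mismatching byte.
        return expected != null && MessageDigest.isEqual(expected, sha256(token));
    }

    // Revoke on logout or password change so a copied token stops working.
    public void revoke(String username, String deviceId) { stored.remove(key(username, deviceId)); }

    private static String key(String u, String d) { return u.toLowerCase(Locale.ROOT) + "|" + d; }
    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        RememberMeTokens server = new RememberMeTokens();
        String token = server.issue("Player1", "device-A");              // constructed sample values
        System.out.println(server.verify("player1", "device-A", token)); // same device
        System.out.println(server.verify("player1", "device-B", token)); // token replayed under another device id
        server.revoke("player1", "device-A");
        System.out.println(server.verify("player1", "device-A", token)); // after revocation
    }
}
```

A file grabbed from the client then exposes a revocable token for this one server instead of a password the player may reuse elsewhere.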
     

  4. #14  
    _jordan
    Don’t forget the servers that store player passwords as plain text. I’ve seen it a million times, always bring it up and nobody ever cares.
     

  5. #15  
    jet kai (08-13, SpawnScape Owner)
    Quote Originally Posted by _jordan View Post
    Don’t forget the servers that store player passwords as plain text. I’ve seen it a million times, always bring it up and nobody ever cares.
    The thing is though, if a server is doing this just to grab the passwords of another rsps - I’m sure this would be the least of your worries as it’s probably doing much worse things in the background.


  7. #16  
    JayArrowz (Extreme Donator)
    Let's not forget that most servers don't add a lockout to invalid logins. End up being able to bruteforce the pw


  9. #17  
    Registered Member
    Quote Originally Posted by JayArrowz View Post
    Let's not forget that most servers don't add a lockout to invalid logins. End up being able to bruteforce the pw
    are you joking? unless the user is subject to a lucky dictionary attack (using an incredibly common password, short password, or password that uses common words) brute forcing a password is not easy at all
     

  10. #18  
    Registered Member
    Quote Originally Posted by Fire Cape View Post
    are you joking? unless the user is subject to a lucky dictionary attack (using an incredibly common password, short password, or password that uses common words) brute forcing a password is not easy at all
    Please wait connecting... = 3 seconds per try. That is incredibly slow for a bruteforce. Not only that, dictionary attacks actually usually use leaked database passwords, especially if you use multiple leaks from the same scene, think RSPS. It is an issue
     

  11. #19  
    Registered Member
    Quote Originally Posted by Kesniet View Post
    Any dev that takes their work serious knows the number one rule for your users' safety is to never store passwords and preferably not even usernames in plain-text. It comes down to experience of the dev, but most reputable servers with good devs would most likely have the data encrypted or at least in an un-viewable format before saving it to any local files, at least I would hope. However, many use RSPS for learning so definitely a good tidbit to the unaware.
    password should be hashed, never stored and you should have timeouts and 2fa, that's if you're taking security seriously

    Quote Originally Posted by RSPS.Java View Post
    Please wait connecting... = 3 seconds per try. That is incredibly slow for a bruteforce. Not only that, dictionary attacks actually usually use leaked database passwords, especially if you use multiple leaks from the same scene, think RSPS. It is an issue
    ok if that is what he meant I can see how it would be an issue if someone is using a list of compromised passwords (that are reused) but the actual act of bruteforcing is not quick, if your password is already on some list you're done for already...
     

  12. #20  
    JayArrowz (Extreme Donator)
    Quote Originally Posted by Fire Cape View Post
    are you joking? unless the user is subject to a lucky dictionary attack (using an incredibly common password, short password, or password that uses common words) brute forcing a password is not easy at all
    No, people don't use long passwords. They are easily bruteforced without any lockout and common pw lists in rsps.
    It's as simple as sending loads of login requests with diff passwords until server approves the request

    Quote Originally Posted by RSPS.Java View Post
    Please wait connecting... = 3 seconds per try. That is incredibly slow for a bruteforce. Not only that, dictionary attacks actually usually use leaked database passwords, especially if you use multiple leaks from the same scene, think RSPS. It is an issue
    Not limited to this, can happen in parallel with X requests per second.
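Added example (not part of the thread, and not any server's actual code): the missing lockout discussed in posts #16 through #20, as a per-account failure counter with exponential backoff in Java. Because the counter is keyed on the account, attempts arriving over parallel connections all count against the same limit. The class name and the thresholds are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: per-account lockout with exponential backoff for failed logins.
public class LoginThrottle {
    private static final int FREE_ATTEMPTS = 5;          // assumption: failures allowed before locking
    private static final long BASE_LOCK_MS = 30_000;     // assumption: first lock lasts 30 seconds
    private static final long MAX_LOCK_MS = 3_600_000;   // assumption: lock duration capped at 1 hour

    private static final class State { int failures; long lockedUntil; }
    private final Map<String, State> accounts = new ConcurrentHashMap<>();

    // Call before checking the password; a locked account is rejected without evaluating it.
    public boolean isLocked(String username, long nowMs) {
        State s = accounts.get(norm(username));
        if (s == null) return false;
        synchronized (s) { return nowMs < s.lockedUntil; }
    }

    // Record a wrong password; returns the lock duration in ms (0 while under the free limit).
    public long recordFailure(String username, long nowMs) {
        State s = accounts.computeIfAbsent(norm(username), k -> new State());
        synchronized (s) {                                // serialises concurrent login threads
            s.failures++;
            if (s.failures < FREE_ATTEMPTS) return 0;
            int doublings = Math.min(s.failures - FREE_ATTEMPTS, 20);
            long lock = Math.min(BASE_LOCK_MS << doublings, MAX_LOCK_MS);
            s.lockedUntil = nowMs + lock;
            return lock;
        }
    }

    // A correct login clears the counter.
    public void recordSuccess(String username) { accounts.remove(norm(username)); }

    private static String norm(String u) { return u.trim().toLowerCase(Locale.ROOT); }

    public static void main(String[] args) {
        LoginThrottle throttle = new LoginThrottle();
        long now = 0;                                     // constructed clock for the demo
        for (int i = 1; i <= 7; i++)
            System.out.println("failure " + i + " -> lock ms: " + throttle.recordFailure("Player1", now));
        System.out.println("locked at t=60s:  " + throttle.isLocked("player1", 60_000));
        System.out.println("locked at t=120s: " + throttle.isLocked("player1", 120_000));
    }
}
```

Per-account locking on its own lets anyone lock a known username out, so it is normally paired with a per-IP limit kept in the same way.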
     
