Last week, we had the first *documented* case where such an attack was used to take over a forum account. There surely were previous cases, but we only got third-hand knowledge of them, and they might have been people tricked into using fake "/login <username> <password>" commands. Or people promising to get you to max level on HFT. The cracked password was a not entirely random two-word combination.
The system can still be secure, but you need to pick a really, really good password. Here's a not too shabby suggestion as a base:

Correct the password guessing times in this comic down by a factor of 100000. The comic's estimates assume an attacker guessing online, at about a thousand guesses per second; once the password hash database of your authority is stolen, the attacker guesses offline against the hashes at around a hundred million guesses per second instead. So... better make that five words. A cheap further improvement: pick one or two of the words from a different language, which forces the attacker to search a bigger dictionary. It's important that you really pick random words and not the first words that come to your mind; otherwise your password will be something like RedViolinHammerCar, and that is exactly what a good guessing function tries first.
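To put numbers on that, here is an added example (my own, not part of the original post and not the game project's code) that computes the entropy of a random-word passphrase and the worst-case guessing time at the online rate of a thousand guesses per second versus the offline rate of a hundred million. The word lists are constructed and deliberately tiny; a real passphrase needs lists of thousands of words, and mixing in a second language helps only in proportion to how much it enlarges the dictionary the attacker has to search.

```python
import math
import secrets

# Constructed, deliberately tiny word lists for the demo. Real passphrases need
# lists of thousands of words; with lists this small the entropy is negligible.
ENGLISH = ["red", "violin", "hammer", "car", "correct", "horse", "battery", "staple"]
GERMAN = ["apfel", "bruecke", "wolke", "zahn", "kerze", "tisch", "feder", "stein"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ONLINE_RATE = 1e3      # guesses/s against a live login (the comic's assumption)
OFFLINE_RATE = 1e8     # guesses/s against a stolen hash database on one CPU (from the post)


def passphrase_entropy_bits(n_words, pool_size):
    """Entropy of n_words drawn uniformly and independently from pool_size words.

    If the attacker knows the lists, mixing languages simply enlarges pool_size;
    that is the whole benefit, so it is only worth as much as the extra words."""
    return n_words * math.log2(pool_size)


def crack_seconds(entropy_bits, guesses_per_second):
    """Worst case: time to walk the entire keyspace at the given rate."""
    return 2 ** entropy_bits / guesses_per_second


def online_vs_offline_years(n_words, pool_size):
    """Years to exhaust the keyspace online vs offline; the ratio of the two
    is the factor the post says to apply to the comic's numbers."""
    bits = passphrase_entropy_bits(n_words, pool_size)
    return (crack_seconds(bits, ONLINE_RATE) / SECONDS_PER_YEAR,
            crack_seconds(bits, OFFLINE_RATE) / SECONDS_PER_YEAR)


def make_passphrase(wordlists, n_words):
    """Draw n_words from the union of the lists with the OS CSPRNG (never random.choice,
    and never 'the first words that come to mind'). Returns the phrase and its entropy."""
    pool = sorted({w for wl in wordlists for w in wl})
    words = [secrets.choice(pool) for _ in range(n_words)]
    return " ".join(words), passphrase_entropy_bits(n_words, len(pool))


if __name__ == "__main__":
    for n, pool in [(4, 2048), (5, 7776), (5, 2 * 7776)]:
        on, off = online_vs_offline_years(n, pool)
        print(f"{n} words from {pool}: {passphrase_entropy_bits(n, pool):.1f} bits, "
              f"{on:.0f} years online, {off:.4f} years offline")
    print(make_passphrase([ENGLISH, GERMAN], 5))
```

Four words from a 2048-word list (the comic's case) are 44 bits: centuries online, about two days offline. Five words from a 7776-word list are about 65 bits, which holds up offline too.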
Another great source of passwords is a password generator; I personally use MasterPassword. It works this way: You pick a single, reasonably good master password you can memorize. The app is locked with that password. In the app, for each site, you create an entry. Then the program takes your master password and the site name and deterministically generates a site-specific password. It's never stored, always generated on the fly. The master password isn't stored anywhere either; only a verification hash is. Hash and master password never leave your device. Even if a bad guy gets hold of the site database, it's completely worthless without your master password. Caveat: You'd think you could reconstruct the database if you know your master password... but a long random salt also enters password generation (a good thing). That one you need to back up.
If you use MasterPassword, set the password length to at least 10, better 12.
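For readers who want to see how such a generator fits together, here is an added toy version (my own sketch, not MasterPassword's actual algorithm or code) of the scheme described above: a slow KDF turns master password plus random salt into a key, a verification hash of that key is the only thing stored for the master password, and each site password is derived on the fly from the key and the site name. The character set, the PBKDF2 iteration count, the password format and the site names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import string

# Demo parameters (assumptions, not MasterPassword's): the character set of the
# generated passwords and the PBKDF2 work factor for stretching the master password.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
KDF_ITERATIONS = 200_000


def master_key(master_password: str, user_salt: bytes) -> bytes:
    """Slow KDF: master password + long random per-user salt -> 32-byte key.
    The salt is what you must back up; without it the key cannot be rebuilt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), user_salt,
                               KDF_ITERATIONS, dklen=32)


def verification_hash(key: bytes) -> bytes:
    """The only thing stored for the master password: lets the app reject a typo
    without keeping the password itself. It is also what an attacker holding the
    database would guess against, hence the slow KDF above."""
    return hmac.new(key, b"verify", hashlib.sha256).digest()


def site_password(key: bytes, site: str, counter: int = 1, length: int = 12) -> str:
    """Derive a site password on the fly; nothing about it is ever stored.
    Bytes are mapped onto ALPHABET by rejection sampling so every symbol is equally likely."""
    seed = hmac.new(key, f"{site}\x00{counter}".encode(), hashlib.sha256).digest()
    limit = 256 - 256 % len(ALPHABET)
    chars, block = [], 0
    while len(chars) < length:
        stream = hmac.new(seed, block.to_bytes(4, "big"), hashlib.sha256).digest()
        chars.extend(ALPHABET[b % len(ALPHABET)] for b in stream if b < limit)
        block += 1
    return "".join(chars[:length])


def new_database(master_password: str) -> dict:
    """What the app keeps on disk: salt, verification hash and the list of site entries."""
    salt = secrets.token_bytes(32)
    return {"salt": salt,
            "verify": verification_hash(master_key(master_password, salt)),
            "sites": []}


def unlock(db: dict, master_password: str):
    """Return the key if the master password matches the verification hash, else None."""
    key = master_key(master_password, db["salt"])
    return key if hmac.compare_digest(verification_hash(key), db["verify"]) else None


if __name__ == "__main__":
    db = new_database("correct horse battery staple")
    db["sites"].append("forums.example")   # hypothetical site name
    key = unlock(db, "correct horse battery staple")
    print(site_password(key, "forums.example"))
    print(unlock(db, "wrong password") is None)
```

Two things the demo makes visible: the stored verification hash is exactly what someone with a copy of the database would run a guessing attack against, so the master password has to be strong and the KDF slow; and a fresh salt produces entirely different site passwords, which is why the salt must be backed up.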
As another safety precaution, if the account you now use for authentication in the game has additional important functions (forum moderator, for example), consider using a second account for the in-game stuff. You can ask your server admins to set up aliases between the two. I ran out of email addresses to use, so I guess I'll be Sock@forums for the near future.

I'll start working ASAP on a new token-based authentication implementation where no exploitable information is passed over the server. It'll be in the 0.2.8 branch, at least the server-side part. The client also needs to talk directly to the authority now; I'm not sure whether the 0.2.8 infrastructure is up to that without hiccups.
Take care.
=======================
Technical bits: Authentication on servers works by sending a hash of a hash of the password over the game server to the authority. The first hash is salted: it is a hash not only of the password but also of a fixed per-user bit of data. The second hash is nonced: the first hash is mixed with a random element the server chooses and with the server's IP, so the value that crosses the wire differs for every login. The hashes are not easy to invert; nobody knows yet how to do that. We knew they were crackable by brute force, but so is everything bar quantum encryption. So at the time we implemented this, we all thought this was secure enough.
Unfortunately, we were wrong. In the past years, several big sites were hacked and their password hash databases stolen and published. Many of them used unsalted hashes, so only the password entered the stored hash; those can be cracked in bulk: you take a good password guessing function, let it generate lots of passwords, hash each of them, and compare every hash against all the known password hashes at once. People started using dedicated hardware (GPU arrays and FPGAs) for massively parallel attacks. After each wave and each new database leak, people understood better how average users pick their passwords. Every time, they improved their guessing functions, found more passwords and gained even more experience. Where we stand now, machines are really, really good at guessing passwords. They know all your schemes.
"But our hashes are salted and nonced, surely that makes a difference?" you ask. Yes, it does, but only a little. With plain hashes you can crack a thousand passwords as quickly as one, because every guess is checked against all of them at once. With salts or nonces, each password has to be cracked individually. But if all you want is one password, you don't care about that. What makes the problem worse is that we picked the simplest and fastest hash function. That means brute force attacks can try a really large number of passwords; even on a plain CPU, we're talking about around a hundred million guesses per second.