
League of Legends database compromised, passwords hashed without salt - Strom
http://euw.leagueoflegends.com/news/league-legends-account-security-alert
======
confluence
Is it just me or have the number of announcements on HN about password leaks
gone up in the last few weeks?

I think availability bias is kicking in, with each additional announcement,
more links about announcements are posted (for karma) or more sites feel like
they can announce, under the cover of larger leaks, that they themselves have
been compromised.

Probably just me.

[1] - <http://en.wikipedia.org/wiki/Availability_heuristic>

~~~
mistercow
It seems to me that there have been a few more lately than usual. I'm all for
it though; the only way sites are going to start treating passwords
responsibly is if they're embarrassed into doing it.

------
SoftwareMaven
I'm nearly positive the US code salted the hashes (it's been a long time since
I was in that code :). I say US code because (again, memory is dim) I think
they had a partnership with a company in the EU and that (might have) included
authentication.

The platform guys at Riot were the sharpest group of engineers I've worked
with. Smart and able to get stuff done without bike shedding. They did stuff
right.

~~~
mrb
It is possible to tell the passwords were unsalted because: _"We compared
encrypted password hashes and discovered that 11 passwords were shared by over
10,000 players each"_ and one of the points of salting is to make it impossible
to identify identical passwords from the hashes.

~~~
chc
Not really. You get that with per-password salting, but having a single salt
for your whole database is not uncommon. Since the main point of salting AFAIK
is to ward off rainbow tables, it's better than nothing.

EDIT: As noted in the comments, the way I put this originally was kind of flip
and misleading and I apologize for creating confusion. My point was that I've
seen a number of places do it that way, so just throwing salt at your problems
doesn't necessarily fix everything.

~~~
drivebyacct2
What?

So if I have access to that salt, I generate a new rainbow table and get a
huge percent of your users.

The point of salting is to make rainbow tables no more efficient than brute
forcing. If each user has a unique salt, there's literally no benefit to
generating a rainbow table.

~~~
bobobojer
Out of curiosity - is it a salt if you do something like this:

salty = md5(md5(pw) . pw . 'poniesaremagical' . md5(username));?

It is per-user... how is it different than using a timestamp which will be as
unique as username?

~~~
Jach
Technically yes, but don't use md5 for anything security-related ever. It's
broken. <http://www.mscs.dal.ca/~selinger/md5collision/> is just one example.
(I also remember reading some years ago that md5s within md5s can make the
resulting hash more vulnerable to certain attacks but I don't have any formal
knowledge in cryptology to say for sure.) Use bcrypt/scrypt and you're
automatically protected from both rainbow tables and brute force.

~~~
mwyvern
H(Salt . H(Password)) is a lot like an hmac (minus the secret part and the
padding). I'm not sure about the pre-image vulnerability mentioned on
wikipedia's md5 page, but as for collision vulnerabilities, according to
wikipedia's hmac page, "HMACs are substantially less affected by collisions
than their underlying hashing algorithms alone. Therefore, HMAC-MD5 does not
suffer from the same weaknesses that have been found in MD5."

------
thaumaturgy
We can't actually tell much about their password storage mechanism from that
post. For one, they mention "encrypted hashes", which might mean encryption,
might mean hashes, or might mean both; for two, they don't describe how they
determined which users had weak passwords. If they were using some kind of
reversible encryption scheme, it's possible that they ran that function
against their database and determined common passwords that way.

I'll give them the benefit of the doubt, unlikely as it may be, because if
they were in fact doing something as stupid as SHA1 or MD5 or ROT13, and they
still opened their post with "Keeping player information secure is very
important to Riot", then somebody needs to be strangled as an example to other
mealy-mouths.

I also take issue with telling your users what kind of passwords to use. If
you're storing passwords correctly, and if you're blocking brute force
attempts, it _almost_ doesn't matter what password your users are using.
(Almost: somebody could still try "password" on an account and get lucky if
it's one of the 10,000 accounts with that password.)

~~~
jemfinch
"We compared encrypted password hashes and discovered that 11 passwords were
shared by over 10,000 players each."

You can't do that with salt. That's half the point of salting.

~~~
thaumaturgy
Of course you can. It's just more computationally expensive.

I realize that it's super unlikely that that's what they did, but that doesn't
change the fact that at the moment all we know about their password storage
system comes from a badly worded PR piece.
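
The disagreement in the two sub-threads above (whether "11 passwords were shared by over 10,000 players each" can be learned from salted hashes) can be checked directly. The following is an added example, not part of the thread or of Riot's code: it builds the same constructed account list under three schemes and measures what a plain grouping of digests reveals and how many hash computations it takes to count users of one candidate password. SHA-256 and the sample accounts are assumptions for the illustration.

```python
import hashlib
import os
from collections import Counter

# Constructed sample accounts (not data from the incident).
USERS = {
    "alice": "password", "bob": "password", "carol": "password",
    "dave": "123456", "erin": "123456", "frank": "c0rrect-h0rse",
}

def h(salt, password):
    # SHA-256 stands in for whichever fast hash a site might use.
    return hashlib.sha256(salt + password.encode()).digest()

def build_table(scheme):
    """Return {user: (salt, digest)} for 'unsalted', 'site' or 'per_user'."""
    site_salt = os.urandom(16)
    table = {}
    for user, pw in USERS.items():
        if scheme == "unsalted":
            salt = b""
        elif scheme == "site":
            salt = site_salt          # one salt shared by every row
        else:
            salt = os.urandom(16)     # fresh salt for each row
        table[user] = (salt, h(salt, pw))
    return table

def largest_cluster(table):
    """Biggest group of identical digests, found without guessing any password."""
    return max(Counter(d for _, d in table.values()).values())

def count_users_with(table, candidate):
    """Count accounts using `candidate`; return (matches, hashes computed)."""
    cache, matches = {}, 0
    for salt, digest in table.values():
        if salt not in cache:         # one hash per distinct salt
            cache[salt] = h(salt, candidate)
        matches += cache[salt] == digest
    return matches, len(cache)

if __name__ == "__main__":
    for scheme in ("unsalted", "site", "per_user"):
        t = build_table(scheme)
        print(scheme, largest_cluster(t), count_users_with(t, "password"))
```

With no salt or a single site-wide salt, shared passwords show up as clusters of equal digests and one hash checks a candidate against every row; with per-user salts the clusters disappear and the count costs one hash per account per candidate.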

------
kirinan
It says encrypted not hashed, these are not the same thing. Encryption uses
keys and without the keys you can't get the value without a huge brute force
effort. Hash without salt can be broken trivially. It's bad either way but
encrypted is way better than leaked hash.

~~~
teamonkey
I was going to ask: is there actually any benefit salting a password that will
be encrypted?

~~~
drivebyacct2
Despite the other reply you got (which was my original 'lol'), no, there isn't
an advantage to salting a password that is going to be encrypted with
symmetrical encryption. I mean, what would that even mean?

Encrypt("salt"+"password", key) = ENCRYPTED_DATA

Decrypt(ENCRYPTED_DATA, key) = "salt"+"password"

~~~
dmak
In short, it is BEST to HASH with a salt. Hash with a salt and don't use
symmetrical key encryption methods.

~~~
drivebyacct2
Yup, always hash with a salt (or use an algorithm that does it for you). I
added another example below for this guy. And yes, definitely don't use
symmetric encryption.

------
gcr
LinkedIn, LastFM, League of Legends... What is with this disturbing trend of
websites beginning with L being cracked all in the same week?

~~~
newobj
Well obviously the bad guys are just going through the phone book one by one.

~~~
Karunamon
Well we haven't had a good Microsoft service hack for a while. Microsoft Xbox
Live next?

------
facorreia
To me, it adds insult to injury when companies that fail to take the most
basic, well-known measures to protect their login databases always tell us how
much they value the security of user information.

That would only be acceptable if the next words were, "and therefore we have
fired the CTO and all programmers involved".

------
TwiztidK
I don't understand why this keeps happening. When someone designs the
user/password model for a website or software do they seriously not even
consider properly encrypting the passwords? This is not rocket science,
implementing a relatively secure password hashing setup takes a minimal amount
of work. Hell, adding a salt is an extra field in the database, an extra line
of code when creating a user and an extra "+salt" when computing the hash.

I honestly think they spend more time coming up with ridiculous password
requirements than actually encrypting the passwords. Possible dialog:

Dev 1: The passwords must have at least one symbol, one number, no dictionary
words, and it can't be longer than 15 characters.

Dev 2: That'll be pretty secure, which hashing functions should we use? And
should we salt it?

Dev 1: I think MD5 should be secure enough and salts are just overkill.

~~~
drivebyacct2
Your post would be more convincing if you didn't inaccurately refer to this as
"encryption".

~~~
mfjordvald
Technically hashing is one-way encryption, so while ambiguous it's not exactly
completely wrong.

------
chc
Looks like it's only the EU databases that were compromised, so if you have an
NA account like I imagine most people here would, no need to panic
(though changing your password anyway won't hurt anybody).

------
mrleinad
That sounds like a really professional letter to their users. Brief, honest,
precise, and they clearly state what their action items to prevent this from
ever happening again will be. I like it a lot.

~~~
smoyer
Is "info" acceptable in professional business communications now? I don't mind
that it's friendly and informal, but I also wouldn't call it professional.

------
astrodust
Is there a good authentication system that doesn't involve storing passwords,
hashed passwords, or encrypted passwords in the master database?

~~~
pcwalton
There's Secure Remote Password, which stores a non-reversible verifier
instead: <http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol>

Apparently it's quite tricky to implement properly though.

~~~
astrodust
It's also quite tricky to explain to your investors and your customers that
your password database was stolen.

Maybe some day there will be "Security as a Service" where someone helps you
do this properly.

~~~
timtadh
I believe @tptacek will gladly accept your money for this service. As will
Cigital.

------
mingpan
Keep in mind that the target audience of this post is a largely nontechnical
user base. These days, average people are getting a general idea of the
meaning of "encrypt" due to the prevalence of, e.g. SSL in e-commerce, but not
necessarily the meaning of "hash". Thus, it's not uncommon that places will
intentionally misuse these words in order to reach a nontechnical audience.

------
Flam
Just be sure you don't use your LoL password on any other game/email. The
hackers will very likely test the info against your email and diablo 3.

~~~
dmak
Your weakest link is the website with the weakest security. Now they will try
your password on your other accounts.

------
Freestyler_3
If they got my account info... not a big deal. all my high priority pass' have
unique passes managed by keepass.

------
dawkins
Anyone know how they got access to the database?

------
larrik
European servers only, according to their release.

------
keymone
every beginner scripting kiddie now knows to at least salt their hashes

who is working for riot then? seriously who?

------
drivebyacct2
Good god, this topic is discussed to death and yet there are people spreading very
inaccurate, insecure crap in this thread. I think everyone needs to stop
giving advice and speculating about what is "good" and defer to a security
expert or a set of codified best practices. I just don't understand how some
people seem to understand salting, hashes or encryption but not enough to
understand why unique-per-user salts are important, why asymmetric and
symmetric encryption differ or why encryption has nothing to do with this
style of password storage. If you don't understand these things, _stop giving
security advice in these threads_.

~~~
Karunamon
>but not enough to understand why unique-per-user salts are important

I don't think that's been covered in this thread. If the main point of salting
is to make rainbow tables ineffective, a single DB-wide hash still does that.
Presumably if a hacker gets a copy of your entire database, they still don't
have a copy of your hashing function with that salt. So then they're reduced
to brute force.

Something else that I just thought of is, if you're salting per user, where
does that salt get stored? A secondary database?

..And then come to find out it's been discussed down thread. Oops.

~~~
tzs
Any competent security architect will assume that if the bad guy gets a copy
of the entire password database he also gets a copy of the entire codebase,
all design documents, installation instructions, and operations manuals, and
designs the system to be secure against that.
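
On the question above of where a per-user salt is stored: it does not need to be secret, so it can sit in the same row as the hash. The following is an added example, not code from the thread or from any site discussed in it; it uses scrypt (one of the functions recommended earlier in the thread) from Python's standard library, and the record format and cost parameters are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters are assumptions chosen for the example; tune for your hardware.
N, R, P = 2**14, 8, 1

def _b64(raw):
    return base64.b64encode(raw).decode()

def make_record(password):
    """Return one self-describing string to store in the user's row."""
    salt = os.urandom(16)  # fresh per user, stored in the clear
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${_b64(salt)}${_b64(key)}"

def verify(password, record):
    """Recompute with the salt and parameters read back from the record."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        key = hashlib.scrypt(password.encode(), salt=salt,
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        # Malformed record, bad base64 or invalid parameters: treat as no match.
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(key, expected)

if __name__ == "__main__":
    rec = make_record("password")
    print(rec)
    print(verify("password", rec), verify("Password", rec))
```

The protection comes from the cost of each guess and the per-row salt, not from hiding the salt or the code, which matches the assumption that whoever copies the database also has everything else.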

------
gcb
What's not compromised this week?

Anything special happening? Is it Friday 13 and stoner dot something again?
Heck even the kitchen computer at my grandma's house may have been targeted this
week... Hopefully that one had salt. Tum dum tiss.

