A serious talk about password security.


SOLVED

A couple of days ago, sheep posted this in the news.

Sheep, let’s have a serious talk about redstoner.com password security.

Based on your programming skill, I would assume you have properly hashed and salted our passwords on the redstoner.com database. However, this gives me doubt.

Hash functions are designed to be so complicated they end up 1-way. They are used because in the case of a hacker finding a vulnerability and accessing the passwords file, the hacker will still have a hard time figuring out the true passwords because hashes cannot be reverse-engineered. However, this also means that if the passwords were properly hashed and salted, you shouldn’t be able to compare them with our minecraft accounts at all.

See what’s wrong here?

If our passwords are properly hashed, they should be in a state where you can’t use them to access our accounts without bruteforcing them first. This means that in order to be able to compare our passwords, you would need our plaintext passwords, without any protection or encryption. But you shouldn’t have our plaintext passwords if you hashed them.

I talked about this a bit in chat with Gap and Pan, and they said you were using some sort of Mojang API, which allowed you to compare our hashes, so that the plaintext password was never revealed. But this doesn’t make sense, because Mojang is smart enough to not do that.

  1. That would be basically openly giving away all our minecraft passwords. You could hash every possible combination of characters, test each hash against a minecraft account using the API, and figure out the true password when the hashes matched.

  2. Unless, of course, mojang openly gives away all their hashes already within the API, which would be even worse.

I think an explanation is needed. I don’t doubt that you secured our passwords, but this gives me reason to worry.

Thanks! -Uber
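The point Uber makes above (a properly salted hash from one site cannot be compared with a hash of the same password held by another site; only the plaintext can be checked against it) can be shown concretely. The following is an added illustration and is not code from redstoner.com or from Mojang; it simulates two independent sites, each storing the same user's password, using PBKDF2-HMAC-SHA256 with a random per-user salt, and contrasts that with a plain unsalted SHA-256 digest. The iteration count and the site names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed work factor for this example; real deployments tune this to
# their hardware (it is not a value taken from any site discussed above).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256.

    A fresh random salt is generated unless one is supplied (verification
    re-supplies the stored salt so the derivation is repeatable).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Check a plaintext candidate against a stored (salt, digest) record.

    This is the only way a salted record can be matched: the plaintext is
    re-derived with the stored salt and compared in constant time.
    """
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 with no salt: the same password gives the same digest everywhere."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def simulate_two_sites(password: str) -> Tuple[bool, bool]:
    """Store the same password at two hypothetical, independent sites.

    Returns (salted_digests_match, unsalted_digests_match). With per-user
    salts the two stored digests differ, so neither site can confirm the
    other's record without the plaintext; without salts they are identical.
    """
    # Hypothetical "site A" and "site B" each hash the password independently.
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    salted_match = salt_a == salt_b and digest_a == digest_b

    unsalted_match = unsalted_hash(password) == unsalted_hash(password)
    return salted_match, unsalted_match


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    sample = "correct horse battery staple"
    salt, digest = hash_password(sample)
    print("stored salt   :", salt.hex())
    print("stored digest :", digest.hex())
    print("verify correct:", verify_password(sample, salt, digest))
    print("verify wrong  :", verify_password("not the password", salt, digest))
    print("(salted match, unsalted match) across two sites:", simulate_two_sites(sample))
```

The takeaway matches the thread: a salted record can only answer "is this plaintext correct?", never "does this other site's hash belong to the same password?", so any cross-site comparison necessarily involves the plaintext at some point.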

Uuuuummmmmm. . . . I saw this and I am kind of blown away by coding language. . . .

@kidwaifamily

Please stop necroposting, it's kinda annoying.

What is necro-posting?

Necroposting = posting after the forum thread has been inactive for a while