By - supersonic159
Because of the sticky posts limit (2), we will put the links to all the megathreads here:
[Gacha & Drops Megathread](https://www.reddit.com/r/Genshin_Impact/comments/kgrlk7/weekly_gacha_and_drops_megathread_december_20_2020/)
Some other relevant threads:
[Pre-installation has begun](https://www.reddit.com/r/Genshin_Impact/comments/kh8oko/preinstallation_has_begun/)
[Version Summary Page](https://www.reddit.com/r/Genshin_Impact/comments/kgn78l/genshin_impact_12_the_chalk_princes_the_dragon/)
[Zhongli and GEO changes (beta)](https://www.reddit.com/r/Genshin_Impact/comments/kg69n8/mihoyos_official_changes_to_zhongli_and_the_geo/)
My password is so strong, even I keep forgetting it.
‘No one can know my password if I don’t even know it myself!’
That's actually one of the strong arguments *against* stringent password policies that require highly complex passwords and change them every 2-3 months. There were cases of people getting frustrated, writing down their password on a sticky note and taping it to their monitors.
But fortunately we have password managers now, and I highly recommend using them if you find it troublesome to remember your own strong passwords.
Ironically, saving a password on a sticky note beside my monitor is safer than saving it on my computer now lol.
inb4 someone forgot their password manager password
How are password managers? How do they work? I've seen things like 1password but it all seems ***very*** complicated, that with every press on the ''password'' field I can choose to create an ENTIRELY new password for every single login, and where it'd be stored and so on.
I'm an idiot with technology so I'm curious...
No one actually explained it, so I think I'll give it a shot. A password manager (or password safe) is basically a secure storage service for all your passwords. The big problem with having passwords for a bunch of different websites is that even if you memorize one strong (long/random) password and use it everywhere, you still run the risk of a service being hacked and getting your password stolen. Suddenly all the services you used that password on are compromised and you can't even keep using that password since it was leaked.
So the idea is that you can memorize a single strong master password and use it to authenticate yourself on a password manager service (which hopefully takes their security very seriously), and then the service will create and handle passwords for all your websites/accounts, and you don't have to remember any of those since the password manager application will fill them in for you. That means that by just being reasonably sure you're the one using their service (usually asking for a fingerprint on mobile devices, or asking for some verification on PCs), you can have completely random, extremely long and unique passwords for each service, and never have to remember any of them. Just keep your master password (and possibly a recovery code) in a safe place and you're good to go.
Password managers like Bitwarden make account security easier.
Same, luckily I noted it down somewhere.
You joke, but insane password policies at many places have led to that behavior quite often and led to many security breaches.
Nowadays a lot of sites require an absurdly secure password, and frequent changes.
"Fun" fact about it, some years ago, on another game, a friend of mine got every item and all gold on his game account stolen by his neighbor.
How did it happen? Basically he noted down his login details on a piece of paper that he placed right below his laptop on his desk, and one day he foolishly told his neighbor friend, who happened to play the game too, that he kept his password sheet there.
Result? A couple of days later the neighbor waited for the right moment and then sneaked into his room through his window, noted the password down, and by the end of the week my friend found his character naked with no equipment in-game...
He eventually tracked down the items and discovered it was his neighbor selling them, and this way he discovered how he managed to do it, aka the sneaky part, since he never really had any way to get into his house lately, lol.
at least if it's your neighbour you can go beat them up
What do you mean?
Many companies require frequent unique password changes so lazy people start writing their passwords on a sticky note on the computer. Then the disgruntled janitor or anyone else with any access to the building strolls by and suddenly security breach.
Ohhh I see. What if I wrote it down in a notebook at home where only I know where it is?
That would certainly be better than leaving it right by the computer. As long as no one else has access to the notebook it's mostly fine.
So if you ever worked for a government agency or a company that has contracts from governments/banks, etc., very often they require you to create crazy long passwords with strict rules, and you have to create a new password every 3 months or so, and you can't use any of the past N passwords.
So obviously it's frustrating as hell and some people just started writing them down...
I can confirm. I worked for an office in my city's administration for a year, and you were required to make a unique password change every 2 months.
5 days prior you would get a notice on login with a yes/no to immediately change password, and after those 5 days, every login would redirect to the change password form instead of logging in, and it would stay like that until you changed it.
The last thread about being hacked was actually from someone who regretted pulling for Zhongli and wanted a refund; they made up a dumb story about how the "hacker" used all his primogems rolling for Zhongli but didn't sell the account
You guys remember the poster who claimed his password was 16 letters long even though the max length is 15?
>You guys remember the poster who claimed his password was 16 letters long even though the max length is 15?
Oh god I remember that one lol.
Which one? Link?
Wait, when did it get deleted?
not "removed by mod" but "deleted by person that posted it", even.
idk i guess when OP figured that people were onto his lies lol
He deleted his entire reddit handle too
You can see him arguing in the comments, not so sure about that. He even types out his supposed password.
he did what?
and people still fell for it? are they....that gullible?
People believed a single screenshot of a Luxurious Chest was proof that chests respawned, that post had like over 5k upvotes.
So yes, people are that gullible.
Deletion is a very clear admission of guilt for me
You can also see his comments that are undeleted if you really want to know who the scum OP was.
u/DracoRubi was the guy lol
Man I just want a higher max password length cos my other password is 16 long and I'm 99% sure I'll forget it if I cut it down
That's sad...I saw a post about miHoYo refusing to give back another person's account because the hacker topped up on it. I'm guessing this means that person wasn't the original owner of that account either
It's not uncommon for account sellers to reclaim the account after it was sold. They get your money and their accounts back.
And this, ladies and gentlemen, is why you do not buy accounts. No matter what the YouTube ads tell you
Better yet. Don't accept 'freebie accounts' from account rerollers who give out accounts out of the kindness of their hearts. Sure they may let you keep the account but they also retain important information such as original account handle, email, date of creation, UID. Not worth the risk. Imagine playing and enjoying the game a year from now and then that reroller decided to contact CS to get the account back?
Obviously it should seem fishy and makes sense to think the person who played for the year should be able to prove they're the owner, but CS reps are human like you and me and there's no guarantee they side with you.
The fandom wiki also has a shitload of account selling site ads too. I tried reporting them to Google Ads countless times but they remain there every time I open the wiki!
Same. I have reported the ones on YouTube and Google doesn’t do anything. It’s so annoying
Some people are that desperate to buy an account with 5 star characters. That's crazy.
I saw one like this and when i said it sounded fishy, instant downvotes. I wonder if it was the same one.
It is the one... And most importantly 20k people believing in it... without a single doubt of an internet made-up story... including the story of being hacked after coop...
Oh.. what's even more sad, the one I ran into people believing was like 2 days after a PSA about how people can fake responses from CS..
all witchhunting idiots
Yeah, if people used their brains slightly, they would notice: if coop led to being hacked, wouldn't this sub be spammed with coop hacked posts every moment... Yet no one cares enough to do that... I was suggesting this idea and got -50++ downvotes... Anything that leads to the positive side of mihoyo gets auto downvotes... rip community...
lesson here is not to believe everyone on the internet
That's the problem I have, how do we know which ones are legit and not? Security is an issue, but I don't want to spread false information because of a post that is fake. Wish people wouldn't make fake posts about a serious issue.
>Wish people wouldn't make fake posts about a serious issue.
Part of the problem is that it's not just outright malice, but more often shame or arrogance that obscures the facts. People simply aren't willing to admit or accept their account had worse security than they believed. There's an asymmetry in information with these hacking posts because all we the readers see is what the poster permits us, which is almost never the full picture.
The other part is malicious advertising.
After all, if a game is “easily hacked” complete with “evidence” and there’s all sorts of loud shouting about their company not caring about the hackers and if you don’t believe “us” here have a screenshot or video of their “disgusting responses” and the “easily fixable” hacks running rampant... then wouldn’t it be safe to buy hacks for your accounts?
But don’t take my word for it. Buried inside r/huntshowdown, r/EscapeFromTarkov and r/apexlegends are some evidence from hacker forums of anti-anti-hacker activities...
The ones posting CS responses, be it screenshots or videos are very likely fake.
Yea.. that's what I said before I was downvoted to oblivion. :/ Some people are just too credulous on the internet.
upvotes downvotes on this sub means jack shit don't worry, if you hate on MHY you get auto upvotes
If you even give a reasoning about gacha mechanics prepare to be called a shill or white knight and be downvoted to oblivion. Cause they _clearly_ know how a gacha game should be even though it's their first ever one.
This. Like, Zhongli *is* (was?) bad, but I've been in numerous gacha games, and *none* has outrage over a weak character as heated as this sub. Heck, in GBF one of the beloved characters (Song) has a shit kit, and remains shit after a rebalance that basically does nothing, and while *everyone* expressed disappointment, they did so in a civil manner and didn't go treating Cygames (the dev) like it was a devil spawn.
That's kinda the problem with this community, anything that is below average will lead to a witch hunt. Even if you explain to them things will get better, they'll lynch you with downvotes because everything has to be better _now_ and not later. They see this game as some sort of saint that isn't allowed to make mistakes because in their eyes, this is the "perfect game" that should meet their expectations.
I'm trying my best to accommodate them kindly, then they say some shit like "so what if it's a gacha? It doesn't justify them being greedy." Point is, gachas are always greedy, that's their entire business model. You wanting more free things out of them to get you that 5* you don't necessarily need is not how it works. It's a free to play game, but that doesn't mean that everything will be all attainable at once.
Man I got downvoted for saying I got 76 intertwined fates and 6 boss talent mats for Albedo. Reddit GI community people really fked up their heads for some reason. Not all tho. Some are very decent.
The decent ones are usually way down below in the thread or are being downvoted :P
Esp after last banner it was just hate after hate after hate posts, many people just left as a result, I dunno how people find it fun to complain so much
> many people just left as a result
I know a lot of people who did, both known personally IRL and as internet friends.
You see, one of the many problems of an echo chamber is that it's self-perpetuating. The people who don't share the sentiment will eventually leave because of the toxicity.
Sadly this very issue seems to be a problem in the world at large right now not just here.
You can only wish for that, as people love anything that will get attentions, fake or not.
Edit in: also as another comment pointed out, you won't believe how many people are willing to not provide facts out of shame, or sheer confidence that their account security is very good, which is, most of the time, not true.
And there's no way to prove it, really, because as in everything, everyone only reveals what's "necessary".
The only thing you can trust is the ones that have a lot of info on the security side, not just "account getting hacked".
For example, even with the fear mongering and such as the post is really negative, the exploit shown in the Web security post (got removed I believe) is real, it's just that it needs to be authenticated first to do so, so it's technically not really a concern regarding getting hacked, because you've already been hacked.
Another one of the good reads is the Coop security related one, using known tools to capture network traffic to show what's sent there.
Otherwise, it can't really be proven.
wish people would stop believing random internet people and try to witchhunt a company on issues they have little ideas about
When he showed his pass it was 12 digits long too, and he claimed he used a password generator.
In the first days of release, there was a post from an account buyer who also posted on /r/paypal if he could chargeback a friend/family transfer cause he wanted to avoid taxes. These people are too fucking stupid to bother with. I don't know if mods have banned these threads at this point but they should if not.
The amount of times I've seen people ask in the questions thread whether [generic website claiming to sell primos for cheap/gives them for free] is legit was honestly so baffling. People are just actually stupid.
Yeah and then said it was 12 all along. I was roasting him for that. 😂🤣
and people still fcking believe all of these threads and start a witch hunt
can we stop now?
Oh gosh, must have missed that one. Damn. I regretted rolling him but that's another level.
Anyone here ever played Dofus? It's a 16yo MMORPG and I've seen soooo many times the old story: "sorry guys I'm quitting because I got hacked". 1/3 of the time it's because they sold all their in-game currency for $, another 1/3 is because they were account sharing with a "friend" and got everything stolen, and the others because they entered their login details into a fake website.
I've never been hacked before and according to this spreadsheet, I have hundreds of years before they can brute force me. Guess I should really thank you since I was worried yes. And by the good time for this, Xmas is a crazy period for bakers, games need to be the entertainment, not the anxiety source.
Well I hope you understand that all you need is a **"unique"** password for this game and your e-mail. You can have the strongest possible 15-symbol password and no one will ever bruteforce it, but nothing saves you if you used the same password for ten or a hundred different websites, or if you've been using it for many, many years already; one of these websites could have been hacked and your e-mail and password leaked, and some websites aren't even worth messing around in because there's no benefit for the hacker, but there is a benefit for them because they get passwords.
Sorry if it was obvious for you, your wording just made me worried and I wanted to properly explain the main point of having a **"Unique"** password.
I use unique passwords for different games, mail has 2FA. I have a degree in IT and that's probably why my passwords are strong in the first place (over 12 characters with uppercase, lowercase, symbols and numbers. And easy to remember FOR ME 😉)
Lol, I went to a STEAM summer camp that made us do these online courses and games, with one talking about cyber security and passwords. Said come up with a short sentence or phrase, capitalize and lowercase specific letters, add in numbers and symbols, don't include obvious stuff in it (like your pet's name), and boom, you did good. This stuck with me and ever since I've always done 90% of my passwords like it, even school ones. It's not hard people, just write them down if you can't remember it.
**Preface**: This post, along with my opinion, isn't there to say Mihoyo has awesome/good/bad/terrible security. In order to determine that, a comprehensive audit would be required, which obviously nobody around here is in a position to do. What I'm trying to say is that from *what we can gather*, their security doesn't seem to be out of line for a gaming company. I would be more concerned if Robinhood or Coinbase had a similar system, but in the end it's always a trade off between accessibility, operational scalability, and security. I wouldn't be too surprised if Mihoyo suffers a major backend breach next week; I also wouldn't be too surprised if no major breach *ever* occurs in the lifetime of Genshin. But for now, I don't see reasons to be stressed out as long as you follow the advice here.
Thank you /u/supersonic159 for writing this post, as a mod of two large subs myself I fully understand the importance of clear and factual communication.
I originally came to this sub for the memes and fanart, but I did notice that account security has been a topic that's been brought up by many on many occasions, for obviously good reasons. Unfortunately unclear and sometimes less than factual information have been passed around by people, often with good intentions, but adding confusion to an already opaque topic that most don't have a lot of background knowledge of.
Since I have more than a decade's experience in application engineering, including working at some of your favorite (and least favorite) Silicon Valley companies, I reached out to the mod team offering to share some of my technical knowledge on this topic. I wouldn't call myself an expert in infosec (you'll never find me giving a talk at Defcon lol), but I do have enough background knowledge to address many of the issues here.
Please feel free to ask any questions here or make sure to let me know if you think I've said anything by mistake. Thanks and may the odds ever be in your favor during the next pull!
**Edit**: Some people brought up the good question of brute forcing a 2FA number. I'd like to mention the infographic shown in the post is for *local* access brute force. If you are making an API call for authentication, even without a rate limit (which there likely is, otherwise they'd get DDoSed to death), there is a *built-in* cooldown: the roundtrip time of the API network call. For example, if a round trip takes 100ms for an API call, then the most attempts you can try is 10 per second. It would require 100,000 seconds, or rather, more than **27** hours to brute force a 6 digit 2FA number in that case. Even at 2.7 hours it's not something the hackers would spend on individual accounts. That is on top of the usual security practice, such as requiring a new code after X failed attempts, etc.
**Edit 2**: I just want to double clarify that at no point am I trying to dismiss the usefulness and importance of MFA based login. It is *incredibly* valuable in practice, if not just for the fact that using an actual strong password is actually not very easy in practice (which is why I recommend a password manager). It also effectively guards against other non-direct attacks such as phishing, keyloggers, etc. If Mihoyo implements 2FA at sign in I would strongly recommend people to opt in.
However, if that isn't an option, such as in this case, having a very strong password would offer *reasonably good* protection for the account of a gaming service, and *should* make it cost prohibitive for hackers to target you individually.
No questions, but thank you so much for saving this sub from being actively filled with baseless rants instilling fear into increasingly more people.
I had been so fed up seeing this unfounded fear being passed around like it's common sense, building up so much unneeded sour tension in this sub perpetuated by jokes that I knew weren't going to go away without some help like yours.
It was so obvious their complaints, however long they were, could be shortened to “no 2fa, absolutely terrible!” Yet they still accumulate so many upvotes because creative wording can twist almost anything into believable facts.
Hopefully this is the point where it really settles down and people will begin to think critically about their security complaints. Or better yet, complaints in general. I’d hate to see another wave of facepalm-inducing outrage.
> thank you so much for saving this sub from being actively filled with baseless rants instilling fear into increasingly more people.
Honestly I don't blame most users. When people are in the dark or not familiar with a topic they tend to assume the worst. I mean I've done my share of reading WebMD and then diagnosed myself with some kind of turbo brain tumor with a side of Ebola lol.
Our hope is to get some of the information out there, and I believe most people do *want* to actually learn more about this topic. The good thing is the knowledge and facts from this post are applicable *everywhere*, long after people have stopped playing Genshin.
Assuming the worst like that is fine, what’s important is you should be **aware** that you are *assuming* so you can talk about it while being intellectually honest.
Don’t judge before you have a solid foundation for your assumption. Judging and then inevitably expanding from a badly formed assumption can very often create annoying and almost indestructible noises, which is what careless people tend to do, especially dangerous when a large group of people are as careless.
I’m grateful there are good people like you and the mods keeping the noises down with experience and knowledge/facts. I wouldn’t have the energy to interact too much with people who can’t be careful enough to think on their own.
It's very fcking stupid, people who never studied cybersecurity are trying to give advice to people as to how it works, how can they have the gall to do this? They should be ashamed
Most people I encounter are like that though.
The problem is being too stupid to understand logic and reason, and then secondly being too stupid to recognize they are stupid/ignorant.
Speaking as an engineer with a business management and business sales past, I have a lot of experience dealing with trained professionals or just base level employees and it's just kind of... human.. to be stupid.
The best thing to do is to teach people proper reasoning. However outside of professional and business applications you will commonly find people who don't care (because they have no risk or liability for their behavior).
people who try to give you advice about stuff they have no idea about are the worst lol
The facebook/online culture made it worse since they'll see something there and will spread that misinformation
I'm in IT and I deal with users a lot, the type of things they complain about sometimes would make you facepalm lol.
As a junior in the security field, I thank you for clarifying account security for the public.
I hate those fear mongering posts so much I wish I could do the same as you and explain a lot of things, like the one post with network capturing, but my knowledge is still lacking and I can't simplify it, nor is my English good enough to even explain it.
Again, thank you very much for taking your time to explain it, making this post possible.
First of all, thank you so much for your and u/supersonic159 's work on this. To be honest I've been skeptical of some of the rumors going around but I'm far from a security expert so the possibilities have been stressing me out a little.
A couple of questions, what exactly do you mean by "unauthorized phone numbers"? From your explanation it sounds like malicious parties are simply logging into accounts with compromised password and linking a phone number, and I'm not sure how it would be considered an exploit in regards to the phone number/2FA itself.
Secondly, do we have any way of knowing which users had their emails/phone #s exposed through the "Forgot Password?" function?
> what exactly do you mean by "unauthorized phone numbers"?
It means after I get into your account by compromising the password, I now enter a phone number under my control as the secondary authentication endpoint. This way if I want to change the email, then the SMS verification would be sent to my phone, instead of yours. Then I have now also successfully added my own email to the account, thus completing the takeover.
>Secondly, do we have any way of knowing which users had their emails/phone #s exposed through the "Forgot Password?" function?
I honestly don't know, and I suspect nobody has a concrete answer on that, even Mihoyo themselves.
I posted this in the thread, but I just saw you're the guy who would know the answer: "Still curious how account buyers get hacked. Don't you change the password, email, and phone number when you get the account? If they can get hacked after that, why can't a regular account? This means all they need is UID and username."
Props to the guy who waited 1 trillion years-
Do I have to worry if I'm a PS4 player?
Turn on 2FA on your PSN account just in case, but overall PS players are safer;
Edit: just not safe from bad optimization friend TwT
>Edit: just not safe from bad optimization friend TwT
You understand us
༼ つ ಥ\_ಥ ༽つ
I didn't even know PS4 had 2FA lol thanks
They've come a long way from storing all passwords in plain text lmao.
If you're following strong and unique password guidelines, you should be fine.
As far as good password practice goes, you still have to practice other safe measures. You never rely on just one.
Finally a decent neutral security related post with a lot of useful information, no misinformation and no blind bashing or demands. Thank you, its a good read and I learnt a lot.
Same. I'm sick of the fearmongering in this sub
I'm happy people are finally catching on that it ain't that bloody easy to get hacked
Exactly as long as you have common sense to not reuse passwords and use strong good passwords.
How can I play a game knowing that my acc will get hacked in 7qd years? Literally unplayable
7qd years, just in time for xiao banner. *Panic*
To be honest, the sheer fervor of belief in the strength of 2FA both surprised and concerned me a little, because while it is both a great security measure and increases the strength of security in any operation its used for, it is very far from infallible, and I think that too much faith in its power is probably one of the largest weak points of 2FA.
If a user believes strongly enough in 2FA that they feel that they can relax on other aspects of security, like having a strong password, or checking that links are correct before clicking them, or thinks that they can't be phished... This kind of thinking could lead to being hacked even with 2FA upon all account operations, including login.
A simple example would be something like a phishing email to the user, that leads to a fake login portal; the user gives their UID and PW when prompted, while the fake portal harvests it and tries to log into the real service. The real service would send and request the entry of the 2FA code, and the fake portal would prompt the user to enter it, giving the correct code for the hacker to enter into the real service, compromising the account.
Of course, this example is quite specific and easily defeated by various means, but I would imagine that there are far more complex and subtle ways that a determined hacker could try to get around the use of 2FA.
I'm not saying that it isn't a great tool or that I wouldn't be glad to see it used on login to either or both miHoYo's website or the game itself (although, unless you change IP the game also doesn't require you to login each time which is also a weakness in security) but I found the seeming belief of 2FA as some kind of 'magic bullet/shield' as a bit bewildering and worrying.
> it is very far from infallible, and I think that too much faith in its power is probably one of the largest weak points of 2FA.
100% Correct. In fact that's why 2FA is called **TWO** factor authentication, because it still needs the first one, which is the password.
The analogy is that 2FA is like airbags in cars. Yes they are fantastic and all safe cars have them, but it doesn't mean you can just stop wearing seatbelts.
Additionally not all 2FA implementations are equal. They go from SMS to email to an authenticator application to an RSA token generated by a piece of hardware that you plug into your PC. They offer various tradeoffs in security, ease of use and cost of implementation.
2FA is definitely *great* to have, but like you said, it is not the magic bullet for security, nor does it mean you can have a very weak password just because you have 2FA.
Ah, that really is a great metaphor...
The airbag only goes off and protects you if something already went wrong, and it's meant as a supplementary thing to greatly increase survival rate while not being intended as the main prevention. I might steal that if I have to explain it to someone, lol.
The 'cybersecurity triangle' can be difficult to conceptualize in how it would affect any one service someone is accessing I think, but it is probably something that would be beneficial for everyone to at least know about. So that it's easier to see what developers might be considering behind a decision they made and if someone thinks its the wrong choice, they can at least express why in a more constructive manner.
Also, a tip: if you aren't sure if the site is legit, enter the wrong password. If it accepts it then it's just a blank text field that accepts anything. This isn't perfect but it can help narrow down if it's fake.
Here is the biggest problem I see. If someone steals your iPhone, you are basically fucked as your email is right there out in the open when you click Mail. All your games/banks/PayPal whatever is there. The code they send also goes to your iPhone. Literally whoever has the phone is the owner of everything you own.
Which is why you should have a secure phone password too, but people would rather get into their phone fast than have safe info.
Which is why phone security is such a hot topic nowadays!
Honestly, it's a bit scary how much we as a society rely on certain items for our identity. For a lot of people, their email serves as their whole 'digital identity', and their account security for many things is wholly linked to their only email. Naturally, if their phone is receiving emails, as well as playing host to all their other means of authentication, it's even more serious.
However, it's just very difficult to not have that be the case, not to mention inconvenient, so on an individual level all you can do is try to make sure your personal security decisions are the best they can be, like using different passwords, having a pattern or pin or whatever lock for your phone that's not "1111" etc, and hope that Samsung/Apple/whoever aren't making it super easy to break into a stolen phone. Oh, and not downloading strange phishing apps that record all the input to your phone, or going to dodgy repair shops that put screens in your phone that record input/output...
The other part is, breaking into anyone's security represents an investment of time and effort from the hacker, so if you don't stand out as a target by either being 'high value' (for whatever the hacker thinks is high value) or with truly terrible security (or falling for phishing schemes) you can probably get away with having just average security measures and hiding in the millions of people that also can be targets. 'Random' hacking can and does occur, but it's much rarer and the target is really unlucky in that case.
Not a nice sentiment, or reliable, because who knows what a hacker would consider valuable... Still, it's also not helpful to panic just because so much of your personal security is not really under your control.
Additional [comment](https://www.reddit.com/r/Genshin_Impact/comments/kg3goz/psa_what_is_going_on_with_mihoyos_security_and/ggcbsin/) from /u/cookingboy
So let’s say my password takes 1 billion years to brute force. If I change my password (of equal strength) on the 999th million year, the hacker needs to take another billion years to brute force it?
That is not too bad actually. 1 billion years is not exactly short. I’m not even sure if I can live to 1 billion years.
> I’m not even sure if I can live to 1 billion years.
Not with that attitude
Even Kars will eventually stop thinking.
Drink some tea you'll make it that long.
Don't forget to eat your green leafy vegetables!
That statistic is the point at which they have a 50% chance of having guessed the password already. They could technically guess it on their first try.
The real threat is if the attacker somehow gets the password hashes from the database. Then they’re free to try as many passwords as fast as they can with no rate limiting. The best solution is to use a combination of maximum attempts (3-5) and a “difficult” hashing algorithm like bcrypt. The idea behind bcrypt is that it can be adjusted to take much longer than other hashing algorithms, thus slowing the attacker down significantly. Modern GPUs can guess billions of passwords every second (sha256/sha512), but if you adjust bcrypt to take 10ms to compute a password hash then you’re basically limiting it to 100/second which is fast enough to not slow down user logins noticeably but also slow enough to prevent an attacker from guessing the password (a few billion vs 100 per sec is a big difference). It’s also immune to a rainbow tables attack which is basically a giant list of hashes for known common passwords. I won’t get into the technical details but it’s a cool hashing algorithm.
To add onto what u/Kanel0728 said, also gotta keep in mind there's definitely more than one person poking around at a time.
Oh yeah... maybe 1 billion years is not so safe afterall... gotta make it 15 billion years just in case.
yeah whatever dude, we all know mihoyo is paying you guys to silence the reddit revolution. I won't read this post cause its all brainwashing propaganda /s
can't believe some people actually believe mods were getting paid to remove their shit echo chamber circle jerk posts about beaten to death game problem #48. I'm not even mihoyo white knighting, it's just so absurd to believe that some reddit mods are even viable targets to bribe to improve public response.
It wouldn't even make sense if they were paid. Because leaks are still allowed on this sub whereas Genshin Impact's official discord has a no leaks policy (and I think a lot of us know Mihoyo hates leaks).
So if both were controlled by Mihoyo, there would already be a disconnect between this sub and other official forums in terms of what they allow.
Something something strategically placed leaks to advertise future content!!!!?!!?!?!?!?!?!!?
I'll second this, especially since the official discord *is* run by Mihoyo staff.
I was actually timed out of my own password. Had to wait some minutes to try again. It is not that easy to get brute forced without being aware of it.
Hmmm, I don't think the brute force infographic is completely accurate, though. It's only true if the hacker in question can make attempts as quickly as their setup can flip bits. Something as simple as limiting things to one attempt per second can already make a 4-digit password take hours to brute force.
I got hacked. I'm 99% sure it's because I used a combo that got pwned a few years ago - which I chose because I can actually remember that combo, and when I created my account I wasn't yet sure if I'd care enough to stick around.
HOWEVER, I'll also say that one thing dumb on MiHoYo's end is that you need a verification code to link your email, but DON'T need a verification code to unlink it. So apparently, if your account gets pwned the attacker can unplug the verification options, then perform a password reset without verification.
That, to me, sounds like a security oversight.
I recommend using a password manager if you don't have one already and don't include words in a password
Yeah that's how bruteforcing works, or dictionary attacks. They basically use common words and if you have a password like "carmanfast" it will break easily.
So now that mihoyo seems to have plans to address not only zhongli but geo in general and the account security thing has been laid out can we acknowledge how petty and toxic this sub has been? The amount of people threatening mihoyo staff and making them out to be evil while attacking anyone who liked the game was staggering. Just plain childish and disrespectful attitudes toward other players and the mods still runs pretty rampant and I honestly feel bad for anyone who has to filter through the posts because of what we see is the good stuff they must use bleach eye drops every night.
Dude, I feel the same having played since the 2nd week; the amount of people cursing and shilling about the game and MHY is enormous. Many said that the game wouldn't last long and that its "competitors" (Destiny Beyond Light and Cyberpunk) would crush it by December. Lo and behold, now look at how those games got treated? No better than Genshin did at launch.
While I agree that 2FA isn't critically needed as one might suggest I disagree about downplaying the illegally linking phone number exploit.
This is the best biggest security issue right now because I can almost guarantee that the vast majority of the player base does not have both email and phone number linked. Having a strong password should be common sense but reality is that it isn't so that security layer is crucial for a huge part of the player base.
I thought long and hard about this one before writing the section above on this topic.
You are right that it is a concern, however there is a good reason no gaming service I’ve tested offers full security at this level if you don’t have both phone and email linked. Both Steam and Battle.net allow you to change email without verification if you don’t have a phone linked.
The reason for that is if you legitimately lose access to your email (which happens quite often), then you will instantly need to escalate to human support for email change. And what they can do during human support is also limited because unlike services like Coinbase, they can’t actually verify you via ID since they don’t know your real identity during account sign up in the first place. I
So it wouldn’t really be operationally scalable, which is why I was a bit surprised they even attempted to implement this security feature at this layer.
So they either had a bug, or intentionally “semi-faked” the implementation of a security feature that IMO isn’t necessary, both of which is a bit bizarre.
Not sure about Battle.net, but the difference with Steam is that 2FA is almost standard there, so everything else is less important. And on top of that most big companies (Twitter/Google etc.) log your IP location as well as use verified cookies and don't let you simply log in with password/username once you are on a different device or location.
Genshin has none of that which makes the additional security layer more important than the comparisons.
Losing your email is a non-issue as it is the prevalent method of identification for any kind of user account on the internet. The fault lies 100% on the user if they somehow lose access to that, and their Genshin account would be the last of their worries anyway.
Mihoyo should just simply fix that exploit as it would solve so many problems.
Or maybe they have already fixed it, since the in-game mail a few days ago only suggested linking email or phone number.
I don’t disagree here. There are plenty of things they can improve on. Detecting suspicious login would indeed be nice.
But everything listed here is to offer additional security *in case of* a compromised password. Which is why we’ve been pushing so hard on strong passwords since we can’t influence Mihoyo’s action.
Honestly it would just be much easier if they made account recovery and rollback painless.
If you got hacked, it's most likely because of your bad security practices e.g.: reusing passwords, using weak passwords (easy to brute-force, guess), sharing accounts, buying accounts, got phished (entering your account info on fake sites). 2FA probably won't save you if you don't follow at least the basics.
No, it can actually
But some guides like 'internet security for kids of 6' will be much better if paired with it
Correct. 2FA will always help. A weak password with 2FA will indeed be more secure than just a weak password.
Yep easy steps honestly. This goes for everything, not for genshin impact as well guys. Do it for social media, your other game accounts, anything you deem important on the internet. Make sure you do these simple practices everyday.
Wow this is extremely detailed and thorough. Thanks for putting in the time to make this!
Thank you mod for typing this down.
lame i said this back in nov and everyone downvote me. Of course i have poor communication skills and cant talk fancy like op here. Now somehow people are agreeing to it.
That's just how people are.
They just go with what they believe to be true, regarding the facts.
I remember the one post where OP proved that Co-op is safe by showing what info got sent while in Co-op, and what IP it was sent to.
At the time it only got 1.4k upvotes, and got buried.
That's just how Reddit and the internet works, sadly.
because this subreddit is dumb; if you posted something in the other direction, aka bashing mihoyo, you'd be upvoted no matter how poor your communication is
it's sad and it needs to change; many people are leaving this sub because of this
Yeah, there's the popular opinion and the right opinion. Sometimes the opinion is right and popular, but sometimes the right opinion clashes with the popular opinion and it is really hard to express yourself without being downvoted to hell
yep and some people will spread misinformation just to gain upvotes which is disgusting
To be fair, back in November we didn't have as much information about this as we do now. And it was written by a mod, not just some random dude on the internet. So naturally this post has a lot more credibility.
Like usual, most hacks occur because of weak passwords, not bad design decisions. This is not Twitter hack 2.0. A weak password is like leaving your front door open. An intruder does not need to break down the front door to burgle your home if it is already open. Similarly, a hacker does not need to break into the database to get your password and hack your account.
**Small to All Size Streamers! Be careful in your chats!**
While there are so many cases and stories of hacking, **if you ever see people on chat trying to tell you their account got hacked, please don't automatically believe them!**
I know this sounds terrible, but I recently had someone trying to build my sympathy for them saying ridiculous stuff to try and make me slip up to tell them some of my information.
**Information as simple as birthday, things you like, etc...** are things they can use to try and figure out people's passwords! **(This is why you need a Strong Password!)**
I know being nice and all to chat is how you grow and build a community, but I wanted to say this because I don't want some hacker/scammer to come to your stream and pretending to be nice while actually trying to get potential info for your password!
**I'm not saying you have to distrust everyone**, but rather be smart and be aware if they end up sounding fishy.
The way I was able to tell is I gave them advice on what they should do if it happens. (Contact Mihoyo, have account info prepared, etc)
When I was trying to be helpful, he got angry with me and then started losing patience because he clearly saw that I was not trying to answer any other question he asked. (He ended up asking when my birthday was... Which was random and odd)
**All in all, please be careful! Or make a password that isn't associated with you to make it harder to get hit by these scammers!**
**TLDR: Be wary of people trying to pull sympathy in your chat, and when you see suspicious signs (no matter how small or huge) be aware of what you say! Also make a difficult password that doesn't relate to you!**
Shill! Shill! Unfortunately, the people that need to listen to this post the most are not the ones who will pay attention. It's much more fun for them to believe there's some hackerman running around stealing accounts left and right simply by coming into contact with them.
> As far as we can tell, your account is not at risk if you adhere to using a strong and unique password. If you've done so then you should be reasonably confident in the safety of your account. Linking a phone number and email to your account will further enhance security. **The important takeaway is that you should not fear for your accounts safety. Your account can be secure with a strong and unique password, even in the absence of 2FA implementation at login.**
I would just like to point out that 2FA isn't just extra protection from hackers or leaked account info. It also protects accounts that are used in public places like gaming cafes and against local tampering (roommates, family members etc). Personally I'm more worried about someone in my house being able to access my account than I am of being hacked.
While I don't buy into all the hacked account scare stories, Mihoyo's security issues that needed reddit threads to raise attention for them to fix does make me think about if there are any other holes that haven't been discovered. Comments were saying those were really amateur mistakes and I don't have the background to confirm or deny that.
We had several "leaks" now with security issues. There is no reason not to be sceptical about the account security, especially if they only change stuff after it goes public. (F5, brute-forcing verification codes etc.)
They didn't change a single thing yet on their own to bolster their security. And yes, 2FA isn't needed, but it makes it easier for everyone and even keeps the accounts of people who don't know how to use proper passwords secure. That shit is "win-win" for both sides...
Hackers and cheaters who get banned do often complain and make up stories.
This was one guy who claimed to never have hacked in Overwatch and was banned but was [called out by their lead Jeff Kaplan](https://us.forums.blizzard.com/en/overwatch/t/i-was-falsely-banned-for-hacking/489420/69)
I just don't get it lol. If you hack and you get banned, just own up to the fact. You had your fun and you got caught, now live with your decisions or just get another account. The act of writing up a post explaining how you didn't hack when you clearly did just looks so embarrassing. How these people feel no shame is beyond me.
Has anyone actually been hacked from someone brute forcing their password? People like to use the word hacked when someone steals their accounts but I don't think it is likely that hacking was actually involved.
The "hacking" involved is clicking on "free primogems" advertisements and entering login credentials at nihoyo.com
hacking is included in all, including phishing.
Also, I'm pretty sure my old password (that I've used for about 8 years, with slight variants) got "brute-forced", but not via an online attack, rather an offline attack instead: basically my password hashes got leaked with a database from somewhere, then someone got it, cracked it over a long time, then it just resurfaced in plain text. I can easily search for it now.
I was just saying that hackers use old passwords or phishing or social engineering, or sell accounts or primogems then claim to be the rightful owner. I think a lot of people think they are running haxxor apps that steal information from a co op session but really their tactics are more what a con man would use. The recent twitter hacker just used some very basic social engineering to "hack" twitter.
This is all well and good, and maybe my password wasn't incredible or what have you, but I've never dealt with my account being hacked this way anywhere else. Beyond that, I have tried time and again to contact Mihoyo, through email and in-game feedback, and have received no actual help. Even though I have evidence of my purchase history, created my account myself, and never even rerolled/had a second account until creating one AFTER this happened, to try and contact Mihoyo.
In the end my account was very much stolen away suddenly, and Mihoyo doesn't seem particularly interested in helping me. I'd say it's reasonable for people to worry. Account hacking might not happen to everyone, but once it does, actually getting it back certainly isn't guaranteed. Even if you've done nothing wrong, and even if you've spent money.
(Minor error: the link to u/Veritasibillity is invalid, it lacks another "L" in its name in the body)
B.net does have 2fa just saying. Blizzard, just as steam, has their own authenticator.
So one thing I'm still worried about is I'm the original creator of my account, I'm completely f2p and can't buy anything in game atm, if I get hacked and the hacker buys something can I still get my account back if I provide enough info and screenshots to cs?
All people who've reported on this problem area say no, they won't roll back.
That's between you and cs, I won't be able to answer that.
A major benefit of 2FA outside of the obvious better account security is it also gives Mihoyo a better foundation for customer service (and would cut down on hacked/security posts here)
A lot harder for someone to try to lie about getting hacked and having a horrible CS response when you can immediately see if they had 2FA enabled or not. Without it as a feature, there's always gonna be a larger than normal grey area of dubious truth.
I would like to see some hard guidelines for making a hacked/security post though. *Uncropped* CS responses with the initial ticket/emails included for one.
~~Imagine if MHY was this transparent, professional and communicative regarding concerns about their game.~~
EDIT: After looking at past official notices, I can see they're trying their best. Not perfect ofc but I was being snarky for no reason especially after they JUST released a post about tentative changes to Zhongli and geo resonance.
What could they do, even?
If they are the ones who posted this, all people will see is the company trying to justify themselves.
~~Acknowledgment of the issue for one thing if it's genuine.~~ Choosing to stay silent is a valid option where needed but all this talk of something important as account security needs to be addressed especially when money is involved.
And you speak for all people I assume?
EDIT: They addressed security awhile back and I missed it
They did though? They posted twice, saying it wasn't their security that was the problem. But we all know how people responded to that.
I just checked the notice board on the official site and you're right, I missed it somehow both there and on reddit. Coupled with the Zhongli adjustment post that just came out with impeccable timing, that is egg on my face and I accept it.
Nah. It happens.
No, obviously I don't talk for all the people, sorry for not clarifying that my comment is my own opinion about it.
They already put out a notice about this, if people missed it that's their problem
if people don't believe them, that's also their problem
most of these people who cry have no idea what they are talking about
I highly recommend checking if your email address has been part of any databases of passwords that have been hacked in the past.
Eg if you had a Tumblr account a few years ago they had a data breach which meant hackers could see an encrypted version of your password.
They also have a page where you can put your password in to see if it's part of any hacked databases but USE THIS AT YOUR OWN RISK. After all, you are entering your password in this site. While I personally trust this website, that does not mean you should take my word for it. Use your own judgement.
>They also have a page where you can put your password in to see if it's part of any hacked databases but USE THIS AT YOUR OWN RISK. After all, you are entering your password in this site. While I personally trust this website, that does not mean you should take my word for it. Use your own judgement.
Funny enough HIBP itself also warns you not to enter your currently used passwords on that page.
The alternative they offer is a downloadable dump of hashed passwords (Warning it's pretty big) and you can check your passwords offline instead.
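An added example, not from either commenter, of the offline check the two comments above describe: the Pwned Passwords download lists SHA-1 hashes with a prevalence count, one per line, so a password can be checked without ever sending it anywhere. The same function shows the k-anonymity idea behind the online range lookup (only the first five hex characters of the hash leave your machine). The sample "dump" is constructed in code from a few plaintexts with made-up counts; the real file contains only hashes and is hundreds of millions of lines.

```python
import hashlib

# Added example, not code from the thread or from HIBP.


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, uppercase, as used in the Pwned Passwords file format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample in the same "<SHA1>:<count>" line format as the real
# download. The plaintexts and counts are made up for the demonstration; the
# real file never contains plaintext, only hashes.
_CONSTRUCTED_LEAKED = {"password": 1000, "123456": 2000, "carmanfast": 3}
SAMPLE_DUMP = "\n".join(f"{sha1_upper(p)}:{n}" for p, n in _CONSTRUCTED_LEAKED.items()) + "\n"


def load_dump(text: str) -> dict[str, int]:
    """Parse the hash:count lines into a lookup table (a real file would be streamed)."""
    table: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":")
        table[digest.upper()] = int(count)
    return table


def breach_count(password: str, table: dict[str, int]) -> int:
    """Offline check: how many times this exact password appears in the dump (0 = not found)."""
    return table.get(sha1_upper(password), 0)


def range_query_local(password: str, table: dict[str, int]) -> int:
    """Simulate the k-anonymity range lookup without any network traffic.

    Only the 5-character prefix would be sent; the 'server' answers with every
    suffix sharing that prefix, and the match is made on the client side.
    """
    full = sha1_upper(password)
    prefix, suffix = full[:5], full[5:]
    # What a range server would return for this prefix (constructed here from the sample table).
    response = [f"{h[5:]}:{n}" for h, n in table.items() if h.startswith(prefix)]
    for line in response:
        sfx, n = line.split(":")
        if sfx == suffix:
            return int(n)
    return 0


if __name__ == "__main__":
    table = load_dump(SAMPLE_DUMP)
    for candidate in ("password", "carmanfast", "unique-passphrase-not-in-dump"):
        print(candidate, "offline:", breach_count(candidate, table),
              "range:", range_query_local(candidate, table))
```

A non-zero count means the password should be retired everywhere it was used; a zero only means it is not in this list, not that it is strong.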
Well, speaking as someone whose account is still currently compromised after a week of waiting for MHY to respond.... can confirm it's probably my fault. The pass I was using was a non-unique complex password, but at one point it was the password I was using on my email, which I've just learned was breached a few times (checked on haveibeenpwned). That being said I've sent in all proof of purchase (over 200 Canadian to date) and was told to wait for a recovery email... Still waiting a week later and nothing. I just want my dandelion tights waifu back.
Use unique passwords, guys. I learned the hard way that even if you cycle through a bunch, that doesn't mean they won't get you.
I feel you. My email was also pwned, I changed passwords on everything a while back but just recently wanted to log back into genshin after taking a break only to see it's not registered under my email anymore. Been waiting about 1 1/2 weeks for a response, submitted my UID and CC statements as proof I am the original owner.
But according to the people of this thread, everyone who doesn't do it perfectly is someone who deserves to get hacked. If I read everyone's intention right, hackers DESERVE the accounts of people who aren't fully 110% informed on passwords. /s
Honestly reading through the "positivity" of not having more secure options, and the "positivity" of everyone having to be some expert in security to do it (yes, knowing all the little stupid things about passwords doesn't make you a layman anymore) just makes me cringe.
Azur Lane just requires the code, no password, and it works fine. You don't have to read a reddit thread to know how to use it and not get hacked either.
I see a lot of people here lumping people who claim they're hacked but aren't really with people who are legitimately hacked. I belong in the latter group and it feels like victim blaming at this point when people just say, *oh you must have bought your account it's your fault for getting hacked lulz*.
I have never reused any password for the past 10 years and I used a unique password and email combo for Genshin impact when I registered. My emails are clean from haveibeenpwned as well. And while I do not have tangible proof that I did not buy my account, my friends who also play this game know that I have never bought my account as I gave them a blow-by-blow of every reroll I made when I created my account during launch. I even got left behind by a day when I started because it took me a lot of rerolls to get the units I wanted for starting out.
Thankfully, when my account was compromised, the hacker did not change my account details to sell it to the highest bidder. What he did, however, was use up my saved Primogems (some bought and some F2P), deleted some of my artifacts and sold my one and only 5-star weapon at the time for Mora. He did pull me Childe but that's only because I'm only 10 wishes away from guaranteed pity (which I intended to do in order to pull for Ayaka for when she releases).
Of course when I reached out to support, I was met with further disappointment that I not only am not eligible for a rollback, I am also SOL about the used Primogems that I was saving for a future banner. And all that nothing took over 2 weeks of communication with their lackluster customer service. There are far worse situations out there than mine but I cannot wholeheartedly agree to the gist of this post which is that Mihoyo **can** improve their security but it's hardly needed when cases like mine exist.
For the record, I am not accusing you of lying.
But let’s think this through logically. Considering there are no known methods to “crack” a strong password, your account breach would have to be from either their backend server or through another mean.
I am going to rule out a backend breach as well because those would not be targeted attacks, you’d be seeing people losing account in masses, and by that I mean millions of accounts.
So there are a few possibilities I can think of:
1. Your password is unique, but not strong. A password that consists of dictionary words can still be brute forced, especially a short one.
2. Possible victim of phishing. Have you ever entered your credential on any other sites? Apparently some scam sites claimed to offer Primogem by asking you to login.
3. This one is more likely than people like to admit. Do you have roommates/friends/family that have access to your computer or phone or PlayStation and would have messed with your account?
4. If you play on PC, your computer may be compromised. A keylogger would render your password useless in this case. But if that’s the case I’d be more worried about my bank account logins.
I’m sure I’m missing other scenarios, but those are just some examples.
The key problem is he shouldn't have to have a degree to use the security system. It's like having a door where you have to turn the key just the right way or the door unlocks after 5 minutes.
The system is as secure as the worst case.
I understand your skepticism, I would probably think the same had I not been affected by it. Here are my answers to the possibilities you have mentioned:
>Your password is unique, but not strong. A password that is consisted of dictionary words can still be brute forced, especially a short one.
For the record, I have an IT background. The password I have used at the time this happened (deleted for privacy).
>Possible victim of phishing. Have you ever entered your credential on any other sites? Apparently some scam sites claimed to offer Primogem by asking you to login.
As I mentioned, I know my way around computers and especially the internet. I have not logged in with my Genshin account credentials other than in-game and in the official forum (for which I check the URL before typing anything in).
>This one is more likely than people like to admit. Do you have roommates/friends/family that have access to your computer or phone or PlayStation and would have messed with your account?
The person I'm living with is (deleted for privacy).
>If you play on PC, your computer may be compromised. A keylogger would render your password useless in this case. But if that’s the case I’d be more worried about my bank account logins.
This is possible but then again, I have not seen any breaches on any other accounts I have that I regularly log in through my computer. I also usually run a Malwarebytes scan and only run/open untrusted executables or files in a sandbox (and only if I really have to).
Like I said, my scenarios only cover *some* of the possibilities. I would explore others first before believing that there is either a systematic security gap that only resulted in your account losing primogems and not affecting others, or we made breakthrough in computing tech that made cracking strong passwords feasible and that tech was applied to hack your Genshin account.
Neither of those seem very likely to me, I’m sure the answer is out there somewhere.
I thought your password can only be 15 characters long. Or am I getting something wrong?
That is correct. The character limit is 15 characters.
Wow, this is an eye opener, had no idea this was going on. I tried 2FA a few days ago but mihoyo’s website wouldn't work properly, but I'll try again. Been hacked before and it's not pleasant at all.
Does mihoyo prohibit using symbols in the password? Tried using tilde, underscore, even @, but I still can't use them.
For those wondering how to easily pull off a strong password, here’s a relevant xkcd: https://xkcd.com/936/
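An added example (not from the commenter or from xkcd) of the passphrase idea behind that comic: pick words uniformly at random from a fixed list with a cryptographic RNG, and the strength is simply the number of words times log2 of the list size, whatever the words happen to be. The word list below is a constructed stand-in; a real list such as a diceware list has thousands of entries, which is where the strength comes from.

```python
import math
import secrets

# Added example, not from the thread. A real word list would have thousands of
# entries; this constructed one is only here so the block runs stand-alone.
CONSTRUCTED_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "cinema", "dragon", "ember",
    "falcon", "garden", "harbor", "island", "jungle", "kettle", "lantern", "meadow",
]


def entropy_bits(num_words: int, list_size: int) -> float:
    """Bits of entropy for num_words words chosen uniformly from a list of list_size."""
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy meets target_bits for the given list size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, wordlist: list[str] = CONSTRUCTED_WORDLIST) -> str:
    """Draw each word with secrets.choice (CSPRNG), not random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print(generate_passphrase(4))
    # 4 words from a 2048-word list: the 44 bits the comic quotes.
    print(round(entropy_bits(4, 2048), 1), "bits")
    # Words needed from a 7776-word diceware list to pass 80 bits.
    print(words_needed(80, 7776), "words")
```

The entropy figure assumes the attacker knows the list and the scheme; with a 16-word constructed list like the one above, four words give only 16 bits, which is why the list size, not the cleverness of the words, decides the outcome.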
I haven’t read anything on this issue. Does this problem only pertain to PC accounts and not consoles?
What is Mihoyo's reasoning for not implementing 2FA in a vastly popular game like Genshin Impact where so much money is involved? or Why is Mihoyo against 2FA in the first place? Also, it doesn't matter how strong or unique your password is if the encryption method Mihoyo uses is already cracked. As far as I know, there is no barrier to login to someone's account as soon as I know their ID/Pass. There should definitely be a second step verification while logging in from a new device otherwise this account trashing fiasco won't stop. And Mihoyo keeps saying there is no data breach, how are the credentials getting pulled then?
I literally just got a legit mail from mihoyo with a verification code that I didn't ask for, but it's in French.
I'm literally sweating.
Part 1/2 (curse you reddit and your tiny character limit)
This entire thread smells of forced Mihoyo PR stunt. In particular trying to undermine the value of 2FA.
I have studied security academically, as well as practiced it professionally analyzing as well as building/updating security systems related to authorization and authentication. I do not want to start some "fear mongering" discussion, however the credibility of this so called "cybersecurity expert endorsed" post is very worrying given how unprofessional and suspicious the wording is.
* "Cybersecurity Expert" is nothing like a buzzword, you might as well say you're "an Engineer". It would be more useful to state actual qualifications and the field you've practiced in. Based on "responses" to worries, and assuming the opinion of said expert wasn't watered down and tampered with by the original poster's own bias, the statements provided offer a lot of hand waving and very little in terms of (professionally accepted) proofs for the claims. I'm not trying to say that if it was an amateur security expert their opinion can't be trusted, but any opinion, even coming from a seasoned professional, that doesn't provide tangible proof that can be checked by an independent party or is by an independent party, cannot be trusted—security is very much like math and the medical field: there is only correct, there is no half-correct or kind-of-correct, since anything less than ideal will lead to someone potentially losing their livelihood.
* 15-character-limited passwords are insecure for 2020. If they were "minimum 20 characters" or something similar then an argument could be made that people (in particular people who don't care) are forced to use something unlikely to be a reused/compromised password. The main problem is that "passwords" are just an insecure concept in and of themselves. The most famous hacking disasters in history (such as the Epic/Xbox one) all stemmed from trusting password security. In particular this year, all professional businesses that are security conscious are moving to two-factor as MANDATORY for all their systems. The "password" is slowly becoming simply your "pin code to send verification".
> As far as we can tell, your account is not at risk if you adhere to using a strong and unique password. If you've done so then you should be reasonably confident in the safety of your account. Linking a phone number and email to your account will further enhance security. **The important takeaway is that you should not fear for your account's safety. Your account can be secure with a strong and unique password, even in the absence of 2FA implementation at login.**
Citation of actual independent analysis on how this is secure.
> When people bring up 2FA or MFA, most of the time they mean adding multi-factor authentication at *login* time. This is a very effective layer of additional security on top of passwords. **However despite popular belief, it is not** ***required*** **for good account security** if strong password practices are adhered to.
First off, you are making a statement without any proof or backing or at least a citation. Anyone can say something dumb like "a 3 digit pin is totally secure", where's the proof? Where's the analysis or mathematical backing on why it is secure?
Even a casual glance at Wikipedia would inform even the biggest layman that not only is it required, it's even actual law depending on where you live and how you interpret your "transactions" with Genshin. E.g. "The second [Payment Services Directive](https://en.wikipedia.org/wiki/Payment_Services_Directive) requires "[strong customer authentication](https://en.wikipedia.org/wiki/Strong_customer_authentication)" on most electronic payments in the [European Economic Area](https://en.wikipedia.org/wiki/European_Economic_Area) since September 14, 2019"
> Currently, there is a limit to failed password attempts, at which point you are prevented from trying for a period of time. Instead of pure brute force attempts however, hackers usually use dictionary attacks or previously compromised account data to get into accounts. If you are using a strong *and* unique password, it will protect against any of the methods above regardless. See [this infographic](https://i.redd.it/5g3ayy7pwxl51.jpg).
From what I've been told, it's 10 attempts per hour. How is it you don't have an actual number or provide said number?
This infographic is also, without mincing words, garbage. It does not state the test environment, it also does not project expected loss over time. Yes that's right, even though computer speeds on single cores might have stopped going up drastically, price per computing power is going down and more importantly access to computing power is slowly going up over time. What took 1 year a decade ago to compute may take a few days now. Factor in new algorithms that take advantage of multi-threading/multi-core and other miscellaneous improvements and it's worse than any doubling in computing power per single thread. There are security systems that do not have a projected loss, because typically the knowledge that would be vulnerable to brute forcing is not passed at all, or is not brute-forceable (i.e. close to infinity possible values); passwords are definitely not one of them. Also we now live in the budding years of more and more sophisticated data analysis and machine learning and widespread public information. What is even "bruteforce" these days? The entire concept of "bruteforce" there requires definition; though that sort of infographic wouldn't be very good even 10 years ago.
> Unfortunately and unsurprisingly, just like many popular online services, **a large number of Genshin Impact users do not adhere to the best password practices.** This is likely the overwhelming cause for account breaches in Genshin, just like it is for the vast majority of other online services.
First statement is invalid. Recommended practice for having strong passwords is to find an **obscure** quote in an **obscure** book and use that. It's easy enough to type, extremely long, and should you ever forget it you just find the book and you have your password. Contrary to popular belief special characters add very little, and simply make passwords hard, which in turn leads to them being short (as people get annoyed by them). One extra character in a password improves the strength of the password by far, far more than any special character.
(For 2020) Other mandatory practices on password-only systems:
1. should be unique to said system (any forums, even if belonging to the same company, should be treated as different)
2. should be at least 40 characters MINIMUM (ideally just use the maximum allowed, usually 70, 120, etc. if you're just generating a completely random one)
3. regardless of breach should be changed anyway every 10 years or every time a potential "security issue" that is even tangibly related to said product is reported
4. should be changed on a fresh system if you ever detect a system you were using was compromised
Yes the last two points are very much a pain in the ass, this is another reason passwords are very much out of fashion.
If you can rely on a 3rd party for secure login, simply do so. For example, if you can log in with Google into your account this avoids any 2FA and password problems, since you are in essence passing the problem to "how secure your Google account is".
**Anyway**, the long and short of it is Genshin, as it is now, DOES NOT even allow you to properly adhere to most good password practices anyway.
Phew... a lot of things to unpack here.
First of all I never called myself a "cybersecurity expert", that's a silly title like you said and it's not even my specialized area. But I do think I know enough to cover the topics here.
>Even a casual glance at the wikipedia would inform even the biggest layman that not only is it required, it's even actual law depending on where you live and how you interpret your "transactions" with genshin. eg. " The second Payment Services Directive requires "strong customer authentication" on most electronic payments in the European Economic Area since September 14, 2019"
But 2FA is literally not a *required* security layer for any consumer gaming service I can think of. Can you point me toward one? Whatever Wikipedia says doesn't change the fact that the vast majority of consumer web services do not *require* 2FA.
>This infographic is also, without mincing words, garbage. It does not state the test environment, it also does not project expected loss over time.
Considering the infographic is for local access, and in this case we are talking about web API calls, the bottleneck is the API round trip time and gateway level rate limit, which makes brute force even less feasible. It is very well documented how resource prohibitive it would be to brute force a strong password.
>15 character limited passwords are insecure for 2020.
I recommend this post: https://robnapier.net/brute-forcing-passwords
>There are security systems that do not have a projected loss, because typically the knowledge that would be vulnerable to brute forcing is not passed at all, or is not brute-forceable (i.e. close to infinity possible values); passwords are definitely not one of them.
In the end you have to ask yourself a question of how many resources a hacker would devote to crack *individual* Genshin accounts. If the security provided requires more effort than it is worth, then I'd argue you've achieved *reasonable* security. We aren't talking about a nation-state level targeted attack here.
So you have to look at this from more than just an academic point of view, but more from a *system engineering* point of view. A security system's job isn't to offer the most secure protection there is, as counter-intuitive as that may sound, it's to offer *reasonably good security for the use case*, while maintaining good user accessibility and operational scalability.
That's why I think it's misleading to use blanket statements like "2FA is required", because the *use case* matters a lot in security design and there is no one-size-fits-all solution.
>This entire thread smells of forced Mihoyo PR stunt.
In the end if you find the security provided by a service to be not acceptable, then drop that service and in this case, just stop playing Genshin. I doubt that's something their PR team would say.
>In particular trying to undermine the value of 2FA.
Please see above, the value of 2FA is high, but I stand by my opinion of it not being a *required* security layer for a gaming service.
0/10 the final bullet point should’ve started with “next you are going to say!”
I just don't like them needing my phone number to improve Account security. Isn't there any better alternative?
Giving E-mail is okay but phone number is a different thing.
Is it bad to feel vindicated right now or should I wait a bit?
Thank you for this.
Thanks for the content!
Had to post...
Where the hell did you get that infographic? It is seriously misleading and needs to be taken down. The numbers can maybe, maybe make sense if the hacker is trying to guess your password locally on a supercomputer.
Even if we assume 100000 password checks per second (highly unrealistic if the password check needs to happen over a network) it would take more than 6 days to brute force a password without special characters of length 6. (62^5 permutations with repetition) Over 50 days if we include special characters (87^6). And the numbers grow exponentially. Without special characters and with length:
7 - over 400 days
8 - over 25000 days
9 - over 1.5 million days
And in a more realistic scenario with 500 password checks per second, it would take 1314 days to crack a password of length 6, without special characters.
**So, there is no way in hell anyone's password was brute forced.**
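The arithmetic in the post above, and the rate-limit point made earlier in the thread, as an added example that is not from any poster here: a small estimator for keyspace size and time-to-exhaust at a given online guess rate, plus a lockout-aware variant. The "10 attempts per hour" budget is taken from one reply and treated as an assumed parameter, not a verified fact about the service.

```python
"""Added example (not from the thread): turn the brute-force arithmetic into a
reusable estimator. Keyspace sizes follow the post: 62 alphanumerics, 87 with
the special-character set it assumes."""
import string

ALNUM = len(string.ascii_letters + string.digits)   # 62, as in the post
ALNUM_SPECIAL = 87                                  # the post's figure with specials
SECONDS_PER_DAY = 86_400


def keyspace(length: int, alphabet_size: int = ALNUM) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def days_to_exhaust(length: int, guesses_per_second: float,
                    alphabet_size: int = ALNUM) -> float:
    """Days to try every candidate at a sustained guess rate (worst case for
    the attacker; a uniformly random password is expected to fall at half)."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_DAY


def days_under_lockout(length: int, attempts_per_hour: float = 10,
                       alphabet_size: int = ALNUM) -> float:
    """Same estimate when a failed-attempt lockout caps the attacker at a fixed
    hourly budget. attempts_per_hour=10 is the assumed value quoted in the thread."""
    return keyspace(length, alphabet_size) / (attempts_per_hour * 24)


def min_length_for_years(years: float, guesses_per_second: float,
                         alphabet_size: int = ALNUM) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust
    at the given rate (integer loop avoids floating-point log edge cases)."""
    budget = guesses_per_second * SECONDS_PER_DAY * 365 * years
    length = 1
    while keyspace(length, alphabet_size) < budget:
        length += 1
    return length


if __name__ == "__main__":
    for n in (6, 7, 8, 9):
        print(f"length {n}: {days_to_exhaust(n, 100_000):,.0f} days at 100k/s, "
              f"{days_to_exhaust(n, 500):,.0f} days at 500/s, "
              f"{days_under_lockout(n):,.0f} days under a 10/hour lockout")
    print("length needed for a 100-year exhaust at 100k/s:",
          min_length_for_years(100, 100_000))
```

The lockout column is the one that matters for a web login: the guess rate is set by the server's throttle, not by the attacker's hardware.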