Geometry Dash Security | A Guide
Sept 13, 2016 17:38:23 GMT -5
Post by kasai on Sept 13, 2016 17:38:23 GMT -5
Note: If anybody has any suggestion to add to this guide, please post it.
Quick update:
RobTop himself came to criticize this post, specifically how dire a situation I believed the system was in.
He explained that the server uses something called BCrypt, a password hashing scheme (not encryption: the server can check a password but never needs to recover it) designed to resist certain types of hash attacks (password cracking). He also emphasized that, despite this, it's always good to have a different password for each site, as well as good passwords (I have details on this below).
If you want to see RobTop's post, it should be down there somewhere.
Hi, Kasai here. I decided I'd make a guide on Geometry Dash account security, because of the things going down recently.
Unless you’ve been living under a rock for the past few days, you’ve probably seen this thread:

The thread pretty much explains that plenty of attackers would love to target a game with millions of players whose server was written by one guy. Hopefully you can understand how dire a situation this could become.
As MgostIH put it:
“Look at my arguments inside those messages, and then check this website: haveibeenpwned.com/PwnedWebsites
Do you think geometry dash wouldn't be a perfect target for crackers? A server coded by 1 guy alone, demonstrated to be weak several times and with about a million users registered online. Passwords may be hashed (Probably without a salt), but sniffing the incoming data isn't hard at all, considering that the password is poorly encrypted when sent.
Lack of https connection, requests that look so similar to each other that it's practically impossible to get the actual IP of a potential attacker. It's not a matter of IF it gets breached, it's more a question of WHEN will it be”
So, yeah, not good.
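To make concrete what the quote above worries about (hashes "probably without a salt") versus what RobTop describes (BCrypt), here is an added example; it is not code from the original post or from the game's server. bcrypt itself is not in Python's standard library, so hashlib.pbkdf2_hmac stands in for it: both are salted, deliberately slow hashes, and that shared property is what the example shows. The iteration count and the sample password "hunter2" are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not RobTop's server code. bcrypt isn't in Python's standard
# library, so hashlib.pbkdf2_hmac stands in for it: both are salted, deliberately
# slow password hashes, and that is the property being demonstrated.

ITERATIONS = 200_000  # assumed work factor; bcrypt's cost parameter plays the same role


def hash_unsalted(password: str) -> str:
    """The scheme MgostIH feared: one fast hash, no salt, same output for same input."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash, stored as iterations$salt$digest so verify_salted can redo it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guess rate for hash_fn, just to show the gap between the two."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"guess{n}")
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    print("unsalted: identical hashes ->", hash_unsalted("hunter2") == hash_unsalted("hunter2"))
    print("salted:   identical hashes ->", hash_salted("hunter2") == hash_salted("hunter2"))
    stored = hash_salted("hunter2")
    print("verify right password:", verify_salted("hunter2", stored))
    print("verify wrong password:", verify_salted("hunter3", stored))
    print(f"md5 guesses/s:    {guesses_per_second(hash_unsalted):,.0f}")
    print(f"pbkdf2 guesses/s: {guesses_per_second(hash_salted):,.0f}")
```

The unsalted version lets an attacker crack every user who picked "hunter2" with a single lookup; the salted one forces a separate, slow computation per user, which is why a leaked BCrypt table is much less catastrophic than a leaked MD5 table, though still not harmless for weak passwords.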
Of course, with this impending doom upon us, which may or may not be in the near future, let’s address how to survive the “Geometry Dash Apocalypse”.
Step 1: Password re-use
When attackers get into the Geometry Dash password system, password re-use is the first thing they go after: they take every username/password pair and try it on other sites. Most people don't want a separate password for every site, so they use the same password, or a slight variation of it, everywhere. The problem is that once one of your passwords is discovered, a large number of your accounts can be taken over with it. This includes Steam, banking accounts, Google accounts, etc. The webcomic XKCD does a good job explaining this:

So all your passwords should be different. Not slightly different, but completely different: YOUR INTERNET ACCOUNTS' PASSWORDS SHOULD HAVE NO RELATION WHATSOEVER. Attackers who crack one password routinely try variations of it (capitalised, with a digit or symbol tacked on, with the site name added) on every other service, so "Password1!" is not a different password from "password1". Use a password manager, or write your passwords down in a book if you have to, but make sure none of them are the same or similar.
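As an added example (not part of the original post), here is a small version of the "mangling rules" a cracker runs over a leaked password to attack the same person's other accounts. The rules and the sample passwords are constructed; real rule sets are far bigger, which only strengthens the point.

```python
import string

# Added example, not from the original post. The rules are a small hand-picked
# set modelled on the "mangling rules" password-cracking tools apply to a
# leaked password; real rule sets run to thousands of entries.

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
COMMON_SUFFIXES = ("", "!", "1", "12", "123", "!1", "2015", "2016")


def base_forms(pw: str) -> set:
    """Case and leet variations, plus the password with trailing digits/symbols stripped."""
    forms = {pw, pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()}
    forms.add("".join(LEET.get(c, c) for c in pw.lower()))
    forms.add(pw.rstrip(string.digits + string.punctuation))
    return {f for f in forms if f}


def variants(leaked: str, sites=("steam", "google", "gd")) -> set:
    """Everything an attacker holding `leaked` would try first on other accounts."""
    out = set()
    for base in base_forms(leaked):
        out.update(base + s for s in COMMON_SUFFIXES)
        for site in sites:
            out.update({base + site, site + base, base + site.capitalize()})
        if base[-1:].isdigit():            # password1 -> password0 ... password9
            out.update(base[:-1] + str(d) for d in range(10))
    return out


def is_related(leaked: str, candidate: str) -> bool:
    return candidate in variants(leaked)


def check_reuse(leaked: str, accounts: dict) -> dict:
    """Map each account to True if its password falls to the leaked one plus rules."""
    tried = variants(leaked)
    return {site: pw in tried for site, pw in accounts.items()}


if __name__ == "__main__":
    # Constructed sample: the cracked GD password and the same person's other passwords.
    leaked = "password1"
    accounts = {"steam": "Password1!", "google": "password2",
                "bank": "p@$$w0rd1google", "forum": "xK9#vQ2!mL"}
    print(f"{len(variants(leaked))} guesses generated from {leaked!r}")
    for site, hit in check_reuse(leaked, accounts).items():
        print(f"{site:6}: {'CRACKED' if hit else 'safe'}")
```

A couple of hundred guesses per account is nothing for an attacker; only the genuinely unrelated password survives. Note that the check runs over variants of the leaked password, so it also catches "Password1!" even though that string never appears anywhere in the rules.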
Step 2: Password strength
This one matters less for preventing the breach itself, since that part is out of your hands (Geometry Dash will be breached either way, in all likelihood), but it matters a lot afterwards: once the password hashes leak, the strength of your password is what decides whether yours gets cracked. Passwords should be lengthy, use a variety of letters, numbers, and symbols, and stay away from words, especially common ones.
Some tools you can use for stronger passwords, and remembering them:
www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/
howsecureismypassword.net/
Don't just use the information from these sites, go beyond it. The best password crackers are far better than what these sites estimate, because they don't try every combination blindly; they try the likely ones first. I've already explained this, but people don't seem to get it: THE PASSWORD CRACKING ESTIMATION TIME SITE IS SIMPLY AN ESTIMATION. REAL PASSWORD CRACKERS WILL BE MUCH MORE POWERFUL THAN THIS.
Let me give you an example:
A decent desktop computer can perform about 2 billion hash checks per second against a fast, unsalted hash like MD5, and a dedicated GPU cracking rig can do 40 billion or more. (Against a deliberately slow hash like BCrypt the rate drops to thousands per second, which is the whole point of using one.) Your password will likely use the most frequent characters in passwords. If we take the top 40 characters and brute force EVERY POSSIBLE COMBINATION, how long would it take?
The password cracking site says it would take about 224 million years to crack a password 16 characters long. But, how many of those passwords are going to use uncommon characters?
Not many, because they're uncommon.
I ran the numbers, and using a conventional desktop computer, guess how long it would take to crack that 16 character password?
About 4 minutes on average.
If you had a computer designed for password cracking?
13.5 seconds. Done.
YOU CANNOT RELY ON THE WEBSITE LISTED TO CHECK YOUR PASSWORD STRENGTH, IT'S FOR ESTIMATION ONLY.
If you really want to make your password stronger, you should have NO WORDS, AND USE AS MANY RANDOM AND INFREQUENT CHARACTERS AS POSSIBLE.
Here's a data sheet of password character frequency (each figure is the percentage of all characters in the sample that were that character; the top of the list is what crackers try first), use it:
a 7.52766
e 7.0925
o 5.17
r 4.96032
i 4.69732
s 4.61079
n 4.56899
1 4.35053
t 3.87388
l 3.77728
2 3.12312
m 2.99913
d 2.76401
0 2.74381
c 2.57276
p 2.45578
3 2.43339
h 2.41319
b 2.29145
u 2.10191
k 1.96828
4 1.94265
5 1.88577
g 1.85331
9 1.79558
6 1.75647
8 1.66225
7 1.621
y 1.52483
f 1.2476
w 1.24492
j 0.836677
v 0.833626
z 0.632558
x 0.573305
q 0.346119
A 0.130466
S 0.108132
E 0.0970865
R 0.08476
B 0.0806715
T 0.0801223
M 0.0782306
L 0.0775594
N 0.0748134
P 0.073715
O 0.0729217
I 0.070908
D 0.0698096
C 0.0660872
H 0.0544319
G 0.0497332
K 0.0460719
F 0.0417393
J 0.0363083
U 0.0350268
W 0.0320367
. 0.0316706
! 0.0306942
Y 0.0255073
* 0.0241648
@ 0.0238597
V 0.0235546
- 0.0197712
Z 0.0170252
Q 0.0147064
X 0.0142182
_ 0.0122655
$ 0.00970255
# 0.00854313
, 0.00323418
/ 0.00311214
+ 0.00231885
? 0.00207476
; 0.00207476
^ 0.00195272
0.00189169
% 0.00170863
~ 0.00152556
= 0.00140351
& 0.00134249
` 0.00115942
\ 0.00115942
) 0.00115942
] 0.0010984
[ 0.0010984
: 0.000549201
< 0.000427156
( 0.000427156
æ 0.000183067
> 0.000183067
" 0.000183067
ü 0.000122045
| 0.000122045
{ 0.000122045
' 0.000122045
ö 6.10223e-05
ä 6.10223e-05
} 6.10223e-0
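An added example, not the author's own calculation, that puts the numbers from the brute-force argument above and the frequency table into code: keyspace and search time for a given alphabet size, length and guess rate, plus the information in bits a password carries under the table (i.e. how much work a cracker that tries frequent characters first actually faces). The desktop and rig rates are the post's figures; the BCrypt rate is an assumed order of magnitude, and the sample passwords are constructed. Only the head of the table is embedded; characters not listed get the table's smallest value.

```python
import math

# Added example, not the author's calculation. The first two rates are the post's
# own figures for fast hashes; the bcrypt rate is an assumption (the post gives
# none) of the right order of magnitude for a slow hash at a moderate cost factor.
RATE_DESKTOP = 2e9     # guesses/s, "a decent desktop computer"
RATE_RIG = 40e9        # guesses/s, "a computer designed for password cracking"
RATE_BCRYPT = 2e4      # guesses/s, assumed

# Head of the frequency table above, percent of all characters in the sample.
FREQ_PERCENT = {
    "a": 7.52766, "e": 7.0925, "o": 5.17, "r": 4.96032, "i": 4.69732, "s": 4.61079,
    "n": 4.56899, "1": 4.35053, "t": 3.87388, "l": 3.77728, "2": 3.12312, "m": 2.99913,
    "d": 2.76401, "0": 2.74381, "c": 2.57276, "p": 2.45578, "3": 2.43339, "h": 2.41319,
    "b": 2.29145, "u": 2.10191, "k": 1.96828, "4": 1.94265, "5": 1.88577, "g": 1.85331,
    "9": 1.79558, "6": 1.75647, "8": 1.66225, "7": 1.621, "y": 1.52483, "f": 1.2476,
    "w": 1.24492, "j": 0.836677, "v": 0.833626, "z": 0.632558, "x": 0.573305,
    "q": 0.346119, "A": 0.130466, "S": 0.108132, "E": 0.0970865, "R": 0.08476,
    "!": 0.0306942, "@": 0.0238597, "$": 0.00970255, "^": 0.00195272, "~": 0.00152556,
}
MIN_PERCENT = 6.10223e-05   # rarest entry in the table, used for characters not listed


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def seconds_to_search(space: int, rate: float, average: bool = True) -> float:
    """Time to try the whole space, or on average half of it."""
    return space / rate / (2 if average else 1)


def human(seconds: float) -> str:
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.3g} {unit}"
    return f"{seconds:.3g} seconds"


def information_bits(password: str) -> float:
    """-log2 of the password's probability under the table, treating characters as
    independent: the work a frequency-ordered attacker faces, in bits."""
    total = 0.0
    for c in password:
        total += -math.log2(FREQ_PERCENT.get(c, MIN_PERCENT) / 100)
    return total


def uniform_bits(alphabet_size: int, length: int) -> float:
    """What the estimator sites assume: every character equally likely."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    length = 16
    for name, size in (("top 40 chars", 40), ("all 95 printable ASCII", 95)):
        space = keyspace(size, length)
        print(f"{name}, {length} chars: {space:.3g} combinations")
        for label, rate in (("desktop", RATE_DESKTOP), ("rig", RATE_RIG), ("bcrypt", RATE_BCRYPT)):
            print(f"  {label:8}: {human(seconds_to_search(space, rate))}")
    for pw in ("aeoraeoraeoraeor", "xK9#vQ2!mL~^$Rzq"):   # constructed samples
        print(f"{pw!r}: {information_bits(pw):.1f} bits under the table, "
              f"{uniform_bits(95, len(pw)):.1f} bits if uniform")
```

Plug in your own alphabet size, length and rate to check any estimate yourself; the bits figure is the useful one, since a 16-character password made of the commonest letters is worth far fewer bits to a frequency-aware cracker than the uniform estimate the strength sites print.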
Step 3: Data backups
For many of you, data backups on Geometry Dash won't be a problem, because you usually only save data and never load it. Others who have people building or verifying levels on their accounts, however, will have to load the save data the other user has created. What if the system is breached and all save files are wiped? You'd load an empty data file over your own, and then your data would be gone forever.
For this reason, you should probably back up your data if you’re on steam (skip down to “creating backup files”):
support.steampowered.com/kb_article.php?ref=8794-yphv-2033
If you really want to be sure, save the backup file to Dropbox or another file storage site as well, so a wiped local disk doesn't take the backup with it.
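Added example, not from the original post: a small backup script for the Steam save files. It assumes the Steam version keeps its saves as CCGameManager.dat and CCLocalLevels.dat under %LOCALAPPDATA%\GeometryDash, which you can change; the backup root can be a Dropbox folder. Each backup lands in its own timestamped folder with a manifest of sizes and SHA-256 hashes, and verify_backup checks a backup against its manifest and flags an empty file, which is exactly the failure mode described above.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Added example, not part of the original post or of Geometry Dash. Assumption:
# the Steam version keeps its saves as the two files below under
# %LOCALAPPDATA%\GeometryDash; pass a different directory if yours differs.
SAVE_FILES = ("CCGameManager.dat", "CCLocalLevels.dat")


def default_save_dir() -> Path:
    return Path(os.environ.get("LOCALAPPDATA", str(Path.home()))) / "GeometryDash"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_saves(save_dir: Path, backup_root: Path, names=SAVE_FILES) -> Path:
    """Copy the saves into a new timestamped folder and write a manifest of sizes and
    hashes, so a restore can later prove the copy is intact and not an empty file."""
    dest = backup_root / datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    dest.mkdir(parents=True)
    manifest = {}
    for name in names:
        src = save_dir / name
        if not src.is_file():
            continue
        shutil.copy2(src, dest / name)
        manifest[name] = {"bytes": src.stat().st_size, "sha256": sha256_of(src)}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(backup_dir: Path) -> dict:
    """True per file if it exists, is non-empty, and matches the manifest's hash."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    status = {}
    for name, info in manifest.items():
        p = backup_dir / name
        status[name] = (p.is_file() and info["bytes"] > 0
                        and p.stat().st_size == info["bytes"]
                        and sha256_of(p) == info["sha256"])
    return status


def demo() -> tuple:
    """Run a backup against constructed save files in a temp dir, then corrupt one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        saves = Path(tmp) / "GeometryDash"
        saves.mkdir()
        (saves / "CCGameManager.dat").write_bytes(b"constructed game manager data")
        (saves / "CCLocalLevels.dat").write_bytes(b"constructed local levels data")
        dest = backup_saves(saves, Path(tmp) / "backups")
        before = verify_backup(dest)
        (dest / "CCLocalLevels.dat").write_bytes(b"")   # simulate a wiped/empty file
        after = verify_backup(dest)
    return before, after


if __name__ == "__main__":
    print(demo())
    # For real use: backup_saves(default_save_dir(), Path.home() / "gd-backups")
```

Run verify_backup before you restore, not after: the whole point is to know the copy is good before you overwrite the only other copy you have.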
These tips should help you stay safe in the event of a Geometry Dash security breach.
Hope you enjoyed,
-Kasai