MYBP (Maybe You’ve Been Pwned)

System
Published in VRChat
Mar 7, 2020

We often get requests from people who’ve lost access to their accounts. In almost all of these cases, these accounts are breached in one of three ways — the password to the account was shared with a third party, the password was weak, or the password was non-unique and was leaked from some other service’s data (“pwned”).

We can’t do much about password sharing, except to tell people “hey, stop doing that.” So please, do not share passwords!

Also, we can’t verify what happens to your data if you use a hacked or otherwise modified client or SDK. We’ve seen many reports of account information being stolen, only to discover the breached account was using a modified client or SDK (or both). In addition to being a violation of the Terms of Service, using a modified client or SDK opens you up to essentially anything that the person writing the software wants to do to your PC — so uh, don’t do that. Not just because it's against the rules, but because we don’t want you to lose your account.

We also see some situations where unofficial sites or apps will ask you for your VRChat login information. Don’t use those sites! Unless you’re entering your information into the official site or application, you have no idea if that data is being logged, saved, or otherwise breached.

As for weak passwords, well, we have to tell people to pick long, complex, memorable, unique passwords that are somehow also easy to enter using a VR keyboard. An almost impossible task, we know, which is why 90% of passwords in our system are just the word dumbledore*.

* this is not true, nor do we have any practical way of testing if it is true, but I bet it’s at least a little true

definitely not the password to the admin page

However, even if your password is reasonably complex, it can still show up in the wild. If, for example, you’ve used that password on a site that’s had a data breach, your password could still be floating around out there, just waiting to betray you.

Is “Pwned” Seriously Still a Thing People Say

Let’s talk about HaveIBeenPwned. HaveIBeenPwned (HIBP) is an online database of passwords that have turned up in breaches*. Many times, when a large data breach occurs — the kind that’ve happened at Yahoo, Adobe, Blizzard, DoorDash, Sony Online Entertainment, and, worst of all, BlueCross BlueShield of Tennessee — user passwords end up being passed around in a giant torrent of Breached Passwords. Once that happens, attackers download those giant Breached Password Piles and try every one of them against loads of different websites for loads of different users.

*technically, HIBP’s Pwned Passwords list is a database of SHA-1 hashes of those breached passwords, which is a detail that’s extremely meaningful to those of you wearing the Security Hat, and extremely boring to the rest of you. It means HIBP isn’t handing anyone a plaintext list: every password in it has already leaked somewhere else, and HIBP only tells you whether yours is among them.

We’ve been seeing more and more of that kind of attack (the industry calls it credential stuffing) lately, often from huge distributed networks of machines. They usually don’t get far, but they can occasionally hit pay dirt. This wholesale vandalism must be stopped!

personally i prefer the “correct horse battery staple” method, but specifically using only the password “correct horse battery staple”

With some recent changes, we’re not going to let you create new accounts with passwords that are on the list, or let you change your password to a password that’s on the list. If your password is similar to hunter2, password12345, or ;lkjhfdsa, you’ll have to try again until you come up with a password that isn’t on Le Grande List Du Broken Passwords.

Of course, if your password is on the list, and you’re not currently involved in a password change, this change won’t affect you at all, and your account may be at risk of being breached. We’ve been crunching the numbers on this — look at the person to your left. Now look at the person to your right. One of you is using paranoidandroid as a password. In other words, there’s a pretty good chance that your password is vulnerable. You should change it.

If you’re worried that your password might be on the list — well, change it!

Wait, are you sending my password to some rando site?

Perhaps you are now worried that maybe we are sending your password, in plaintext, to a remote server that is controlled by someone who is not us. Let me reassure you — that is not at all how this works.

First we take the SHA-1 hash of the password (the hash HaveIBeenPwned’s Pwned Passwords service uses). This is a version of the password that looks like random letters and numbers. This hash is pretty hard to reverse back into the password, but on its own it’s not quite good enough to pass around safely: a weak password’s hash can be guessed by brute force.

Next, we chop off all but the first tiny bit of the hash: its first five hex characters. At this point, we’ve taken every password in the world, divided them into about a million buckets (16^5, to be exact), and figured out which of those buckets your password is in. We then ask HaveIBeenPwned to tell us the hashes of all the pwned passwords in that bucket (typically around 500). That five-character prefix is the only thing that ever leaves our servers.

We can then compare your hash against the bucket they sent us. If any of them match, your password has been pwned, and we let you know.
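Here is the check described above (hash, send the five-character prefix, compare the rest locally) written out in Python, doubling as the signup and password-change gate mentioned earlier. This is an added example, not VRChat’s code. It assumes two things not stated in the post: that HIBP’s range endpoint is https://api.pwnedpasswords.com/range/<prefix> and that it returns one SUFFIX:COUNT line per pwned hash. The bucket data below is constructed so the example runs offline.

```python
"""k-anonymity password check against HaveIBeenPwned's Pwned Passwords range API.

Added example, not VRChat's code. Assumptions beyond the blog post: the real API
URL form (https://api.pwnedpasswords.com/range/<prefix>), the SUFFIX:COUNT response
format, and the optional Add-Padding header. FAKE_* data is constructed for offline use.
"""
from __future__ import annotations

import hashlib
import urllib.request

PREFIX_LEN = 5  # five hex characters -> 16**5 = 1,048,576 buckets


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the API works in uppercase hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> tuple[str, str]:
    """Split into the prefix that gets sent and the suffix that never leaves us."""
    return hash_hex[:PREFIX_LEN], hash_hex[PREFIX_LEN:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Count-0 entries are padding the API can add to hide the true bucket size;
    they are not real matches and are dropped here.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count_text = line.partition(":")
        count = int(count_text)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password has shown up in breaches (0 if never).

    fetch_range(prefix) -> response body; only the 5-char prefix is sent out.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    bucket = parse_range(fetch_range(prefix))
    return bucket.get(suffix, 0)  # comparison happens locally


def acceptable_for_signup(password: str, fetch_range) -> bool:
    """The signup / password-change gate: reject anything on the list."""
    return pwned_count(password, fetch_range) == 0


def hibp_fetch_range(prefix: str) -> str:
    """Real fetcher (needs network). Not used by the offline demo below."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the API --------------------------------
FAKE_PWNED = {"password": 3730471, "hunter2": 17043, "paranoidandroid": 58}


def _build_fake_ranges() -> dict[str, str]:
    """Build bucket responses for the constructed data, plus a padding line each."""
    ranges: dict[str, list[str]] = {}
    for pw, n in FAKE_PWNED.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        ranges.setdefault(prefix, []).append(f"{suffix}:{n}")
    for lines in ranges.values():
        lines.append("0" * 35 + ":0")  # padding entry, must be ignored
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


FAKE_RANGES = _build_fake_ranges()


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher: returns the constructed bucket, or an empty body."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("hunter2", "correct horse battery staple"):
        n = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times, allowed={acceptable_for_signup(candidate, fake_fetch_range)}")
```

Two things worth noticing: the suffix comparison is done on our side, so HIBP only ever learns a prefix shared by hundreds of pwned passwords (and by every non-pwned password with the same first five hex characters), and padding entries with a count of 0 are filtered out rather than treated as matches.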

If this is all too technical, read this instead: we use a bit of cryptographic hashing to test your password without ever sending it (or anything that could be turned back into it) to anyone.

Okay, So What Do You Want Me To Do

In short, here’s what we’re asking you to do:

these green windows look like my desktop theme from 2006 tbh

If you suspect that any of the three conditions above has been violated, change your password to something that’s strong and that you’ve never used anywhere else before.


Hey, I’m System. I’m the backend dev-ops lead at VRChat.