Thursday, January 17, 2013

Heroes of Newerth hacked

According to several sites, on December 17th, 2012, Heroes of Newerth's website was hacked.  Someone by the name of Ryan_HTP claimed credit, citing a SQL injection attack.  He claims that the SQL injection attacks are severe enough to allow for remote code execution on HoN's servers.  Heroes of Newerth responded by requiring existing users to update their passwords to at least 6 characters in length.  There was also a thread posted on the forums discussing the issue, where HoN stated that passwords had been compromised and that the breach occurred due to a third-party program interacting with the website.

Heroes of Newerth passwords, when stored locally, are hashed with plain unsalted MD5, as mentioned in my previous post, which is trivial to crack, especially with GPU acceleration.  The local credential files are also world-writable on Mac and Linux, so on a multi-user system any other user can log in with your hash, or copy it and crack it later.
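To make the two problems above concrete, here is an added example (my own illustration, not HoN code; the sample passwords and file names are constructed). It shows why unsalted MD5 is weak (identical passwords produce identical, precomputable hashes), contrasts it with a per-user salted PBKDF2 scheme, and checks a credential file's mode bits the way a hardening audit would on Mac or Linux. The PBKDF2 parameters and the `0600` file mode are my recommendations, not anything the game uses.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample passwords: two users happen to share one.
SAMPLE_PASSWORDS = ["hunter2", "hunter2", "correct horse battery staple"]


def unsalted_md5(password: str) -> str:
    """The weak scheme the post describes: bare MD5, no salt.
    Equal passwords give equal digests, so a precomputed table or one
    cracked hash exposes every user who chose that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Hardened alternative (my assumption, not what HoN does): a random
    16-byte salt per user plus PBKDF2-HMAC-SHA256 with many iterations.
    The salt defeats precomputation; the iteration count raises the
    per-guess cost for GPU crackers."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = 600_000) -> bool:
    """Constant-time comparison so verification does not leak timing."""
    _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def distinct_hash_count(passwords: Iterable[str], hasher: Callable[[str], object]) -> int:
    """How many distinct stored values a hashing scheme yields. With unsalted
    MD5 the two 'hunter2' users collide; with salting they do not."""
    return len({hasher(p) for p in passwords})


def is_world_writable(path: str) -> bool:
    """True if the 'other' write bit is set, i.e. any local user can
    replace the stored hash (or the whole file)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def write_credential_file(path: str, data: bytes) -> None:
    """Create the file owner-read/write only (0600) from the start, so there
    is no window in which other users can read or modify it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # explicit, in case the umask was unusual


def credential_file_demo() -> Tuple[bool, bool]:
    """Create two temporary credential files: one world-writable (the layout
    the post reports on Mac/Linux) and one restricted to the owner.
    Returns (bad_is_world_writable, good_is_world_writable)."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "login_world_writable.cfg")
        good = os.path.join(d, "login_owner_only.cfg")
        with open(bad, "wb") as f:
            f.write(b"hash=" + unsalted_md5("hunter2").encode())
        os.chmod(bad, 0o666)
        write_credential_file(good, b"hash=" + unsalted_md5("hunter2").encode())
        return is_world_writable(bad), is_world_writable(good)


if __name__ == "__main__":
    print("distinct MD5 hashes:", distinct_hash_count(SAMPLE_PASSWORDS, unsalted_md5))
    print("distinct salted hashes:",
          distinct_hash_count(SAMPLE_PASSWORDS, lambda p: salted_pbkdf2(p)[1]))
    print("world-writable (bad, good):", credential_file_demo())
```

Running it prints 2 distinct MD5 hashes for the three sample passwords but 3 distinct salted ones, and `(True, False)` for the file check, which is the difference between a file any local user can tamper with and one only its owner can touch.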

Strangely, Heroes of Newerth does not consistently enforce its password policy through the account registration form on its website.  Although HoN occasionally rolls out the 6-character minimum when a security breach occurs, it is still entirely possible to change your password to one character in length, or to register a new account with an equally weak password.  This is dangerous from a security standpoint because it allows trivial brute-forcing and guessing of account passwords.

After email activation, the account was created successfully.

Despite many emails and forum posts back and forth with various HoN administrators and developers, this password policy issue has gone unfixed for several months.  In an age where high-profile websites are breached often and end up in the news, and where Pastebin password dumps proliferate, it is crucial for websites to enforce a password policy that sets a minimum standard for password complexity, length, and rotation.
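The fix the two preceding passages call for is a single server-side policy check that every path (registration and password change) goes through, so the minimum cannot be bypassed by one form while being enforced by another. The following added example is my own sketch, not HoN's code: `EFFECTIVE_POLICY` reflects what the post observes the site actually accepting (one character), and `RECOMMENDED_POLICY` is an assumed stronger setting covering the three dimensions the post names, length, complexity and rotation. Usernames and passwords in it are constructed.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Character classes counted toward complexity: lower, upper, digit, symbol.
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_classes: int = 1                 # how many character classes are required
    max_age_days: Optional[int] = None   # rotation interval; None disables rotation

    def violations(self, password: str) -> List[str]:
        """Return every rule the password breaks (empty list means it passes)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"must be at least {self.min_length} characters")
        present = sum(1 for cls in CHARACTER_CLASSES if re.search(cls, password))
        if present < self.min_classes:
            problems.append(f"must use at least {self.min_classes} character classes")
        return problems

    def needs_rotation(self, last_changed: float, now: float) -> bool:
        """True once the password is older than the rotation interval."""
        if self.max_age_days is None:
            return False
        return now - last_changed > self.max_age_days * 86400


# What the post observes the site actually accepting: one character, no rules.
EFFECTIVE_POLICY = PasswordPolicy(min_length=1)
# Assumed stronger setting (my recommendation, not a HoN value).
RECOMMENDED_POLICY = PasswordPolicy(min_length=12, min_classes=3, max_age_days=180)


class AccountService:
    """Registration and password change share one enforcement point, which is
    the consistency the post says the website lacks. Only the time of the last
    change is stored here; a real service would store a salted hash."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.users: Dict[str, float] = {}  # username -> last password change (epoch seconds)

    def _enforce(self, password: str) -> None:
        problems = self.policy.violations(password)
        if problems:
            raise ValueError("; ".join(problems))

    def register(self, username: str, password: str, now: Optional[float] = None) -> None:
        self._enforce(password)
        self.users[username] = time.time() if now is None else now

    def change_password(self, username: str, new_password: str,
                        now: Optional[float] = None) -> None:
        if username not in self.users:
            raise KeyError(username)
        self._enforce(new_password)  # same check as registration, no weaker path
        self.users[username] = time.time() if now is None else now

    def login_allowed(self, username: str, now: Optional[float] = None) -> bool:
        """False once the stored password has aged past the rotation interval."""
        now = time.time() if now is None else now
        return not self.policy.needs_rotation(self.users[username], now)


if __name__ == "__main__":
    weak = AccountService(EFFECTIVE_POLICY)
    weak.register("bob", "a")  # accepted, as the post reports
    strong = AccountService(RECOMMENDED_POLICY)
    strong.register("alice", "Tr0ub4dor&3xample", now=0.0)
    try:
        strong.change_password("alice", "a", now=0.0)
    except ValueError as e:
        print("rejected:", e)
    print("login after 181 days:", strong.login_allowed("alice", now=181 * 86400))
```

The point of routing both `register` and `change_password` through `_enforce` is that a policy announced after a breach only helps if the password-change form applies it too; a validator living in one form's JavaScript does not count as enforcement.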

Video game security is a field often overlooked by both researchers and developers alike.  Hopefully Heroes of Newerth will be more proactive with auditing security and enforce a strong password policy to protect their users in the future.