Zed Jackelope
The Generic Pirate Corporation Fusion.
2
|
Posted - 2012.04.26 21:07:00 -
[1] - Quote
It would be nice to re-use old passwords, or just be able to cycle through passwords, if one wants to (which, if you haven't guessed, I do).
So do us a favor and get rid of your weird desire to save our passwords after we are no longer using them. AFAIC, that's a security risk. |
Tanya Powers
Science and Trade Institute Caldari State
1162
|
Posted - 2012.04.26 21:10:00 -
[2] - Quote
Zed Jackelope wrote:It would be nice to re-use old passwords, or just be able to cycle through passwords, if one wants to (which, if you haven't guessed, I do).
So do us a favor and get rid of your weird desire to save our passwords after we are no longer using them. AFAIC, that's a security risk.
Yes (they can) |
Tinnin Sylph
GoonWaffe Goonswarm Federation
155
|
Posted - 2012.04.26 21:10:00 -
[3] - Quote
Dear CCP
Please remove the security feature you put in place to ensure I don't do something to compromise my account.
Many Thanks
Some Dumb Pubbie Needs more tears. |
Kieron VonDeux
16
|
Posted - 2012.04.26 21:15:00 -
[4] - Quote
Zed Jackelope wrote:AFAIC, that's a security risk.
Actually, it is a security enhancement.
|
Florestan Bronstein
SniggWaffe YOUR VOTES DON'T COUNT
538
|
Posted - 2012.04.26 22:14:00 -
[5] - Quote
Zed Jackelope wrote:It would be nice to re-use old passwords, or just be able to cycle through passwords, if one wants to (which, if you haven't guessed, I do).
So do us a favor and get rid of your weird desire to save our passwords after we are no longer using them. AFAIC, that's a security risk.
They probably (hopefully) don't store the password (new or old) but a hash.
And any form of password reuse is bad, mkay? |
TWHC Assistant
19
|
Posted - 2012.04.26 22:19:00 -
[6] - Quote
Instead of denying the old passwords should they only warn about them. |
Voith
Republic Military School Minmatar Republic
82
|
Posted - 2012.04.26 22:36:00 -
[7] - Quote
Tinnin Sylph wrote:Dear CCP
Please remove the security feature you put in place to ensure I don't do something to compromise my account.
Many Thanks
Some Dumb Pubbie
Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature. |
supersexysucker
Uber Awesome Fantastico Awesomeness Group Ayn Sof Aur
82
|
Posted - 2012.04.26 23:05:00 -
[8] - Quote
I do not change my pw BECAUSE of CCPs dumb **** can't put in an old one... need a cap letter now, etc bullshit.
I WILL PICK MY OWN FUCKIN PASSWORD.
Be nice if someone would steal all CCPs stored old passwords rofl...
The mail they would need to send out would be LOL...
"Every password you ever used in eve online has been stolen, please make sure to change any accounts using any of these passwords, we enjoy fuckin you"
Also for the retart tinnin... why not ask CCP for an onscreen in game keyboard to enter log in info... I mean if we need to make PW's a *****... what about keyloggers PLEASE PROTECT ME FROM KEY LOGGERS CCP.
Sounds like a baby that needs someone to protect him... lul. |
Jafit
Dreddit Test Alliance Please Ignore
101
|
Posted - 2012.04.26 23:11:00 -
[9] - Quote
http://xkcd.com/792/
Also
http://xkcd.com/936/ |
Shian Yang
17
|
Posted - 2012.04.26 23:13:00 -
[10] - Quote
Voith wrote:Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature.
Greetings capsuleer,
As you may know from your pod and ship security systems no passwords are stored in clear-text. They are stored as an (ideally) irreversible hash to prevent them from being discovered. This is safer than allowing the re-use of such passwords where an attacker may obtain an older password which may not currently be valid.
If, however, a capsuleer wishes to tie their nuts to the capsule and initiate a self-destruct sequence I see no reason for CONCORD to prevent them; providing they accept this nulls and voids any claims they may have to reimbursement.
Regards,
Shian Yang
|
CCP Sreegs
C C P C C P Alliance
1202
|
Posted - 2012.04.26 23:38:00 -
[11] - Quote
This will be reviewed when we institute the two factor option in the next couple of months. "Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012 |
|
Corina Jarr
Spazzoid Enterprises Purpose Built
710
|
Posted - 2012.04.26 23:40:00 -
[12] - Quote
Shian Yang wrote:Voith wrote:Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature. Greetings capsuleer, ... If, however, a capsuleer wishes to tie their nuts to the capsule and initiate a self-destruct sequence I see no reason for CONCORD to prevent them; providing they accept this nulls and voids any claims they may have to reimbursement. Regards, Shian Yang
I have both null and void in my cargo hold... how does this affect things? |
TWHC Assistant
20
|
Posted - 2012.04.26 23:43:00 -
[13] - Quote
CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months.
Kill moar bots!! \o/ |
Beekeeper Bob
Beekeepers Anonymous
102
|
Posted - 2012.04.27 00:12:00 -
[14] - Quote
Tinnin Sylph wrote:Dear CCP
Please remove the security feature you put in place to ensure I don't do something to compromise my account.
Many Thanks
Some Dumb Pubbie
Well, I guess being a Drone you're used to being led by the nose.... Other people prefer to make their own choices.
Looking to stamp out apiphobia in my lifetime..... |
supersexysucker
Uber Awesome Fantastico Awesomeness Group Ayn Sof Aur
82
|
Posted - 2012.04.27 00:16:00 -
[15] - Quote
CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months.
Or you could just give us a ******* warning and let us do WHAT we want. |
Beekeeper Bob
Beekeepers Anonymous
102
|
Posted - 2012.04.27 00:17:00 -
[16] - Quote
Shian Yang wrote:Voith wrote:Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature. Greetings capsuleer, As you may know from your pod and ship security systems no passwords are stored in clear-text. They are stored as an (ideally) irreversible hash to prevent them from being discovered. This is safer than allowing the re-use of such passwords where an attacker may obtain an older password which may not currently be valid. If, however, a capsuleer wishes to tie their nuts to the capsule and initiate a self-destruct sequence I see no reason for CONCORD to prevent them; providing they accept this nulls and voids any claims they may have to reimbursement. Regards, Shian Yang
Congratulations on giving CCP the benefit of the doubt on their handling of passwords. Certainly their attention to detail in the past is cause for such faith in their coding skills.
Looking to stamp out apiphobia in my lifetime..... |
Jonas Xiamon
76
|
Posted - 2012.04.27 00:48:00 -
[17] - Quote
The reason this is a security feature is simple: they aren't storing your password. (Unless they're actually that ********, which I doubt.)
They're storing an encrypted version of your password, which is virtually useless.
There are ways of cracking these things; however, your concerns would be very misplaced to worry about that. Especially if you're the type of person who reuses passwords. I usually write one of these and then change it a month later when I reread it and decide it sounds stupid. |
Grumpymunky
Super Monkey Tribe of Danger
144
|
Posted - 2012.04.27 01:22:00 -
[18] - Quote
supersexysucker wrote:Or you could just give us a ******* warning and let us do WHAT we want.
When I read this post, the voice in my head shouted the "WHAT" ... I don't know why it did that. It sounds weird.
Post with your monkey. |
Shian Yang
17
|
Posted - 2012.04.27 01:42:00 -
[19] - Quote
Grumpymunky wrote:supersexysucker wrote:Or you could just give us a ******* warning and let us do WHAT we want.
When I read this post, the voice in my head shouted the "WHAT" ... I don't know why it did that. It sounds weird.
Greetings capsuleer,
I believe it sounds weird if you do not have any human offspring. Those with 2 - 5 year old children will understand why WHAT is emphasised in such a fashion as it is a common tantrum response.
Regards,
Shian Yang |
Barakach
R-ISK Shadow Operations.
59
|
Posted - 2012.04.27 02:58:00 -
[20] - Quote
Voith wrote:Tinnin Sylph wrote:Dear CCP
Please remove the security feature you put in place to ensure I don't do something to compromise my account.
Many Thanks
Some Dumb Pubbie
Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature.
MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops up.
Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user.
Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16-byte crypto-strength random value. Maybe I should use a 32-byte salt?... hmmm... So much CPU power these days. |
|
Degren
Red Federation RvB - RED Federation
153
|
Posted - 2012.04.27 03:22:00 -
[21] - Quote
Barakach wrote:MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops-up.
Quote:clicking "yes" on everything
WHY CAN'T I CLICK THIS YES?! |
Voith
Republic Military School Minmatar Republic
82
|
Posted - 2012.04.27 03:38:00 -
[22] - Quote
Barakach wrote:Voith wrote:Tinnin Sylph wrote:Dear CCP
Please remove the security feature you put in place to ensure I don't do something to compromise my account.
Many Thanks
Some Dumb Pubbie Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature. MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops up. Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user. Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16-byte crypto-strength random value. Maybe I should use a 32-byte salt?... hmmm... So much CPU power these days.
You're wrong.
Trion, Blizzard, Cryptic and Sony have all had their Core DBs hacked.
Not the client infected with a Trojan, but their databases have been hacked and dumped. |
Scrapyard Bob
EVE University Ivy League
898
|
Posted - 2012.04.27 04:49:00 -
[23] - Quote
Zed Jackelope wrote: So do us a favor and get rid of your weird desire to save our passwords after we are no longer using them. AFAIC, that's a security risk.
If they store them with unique salts and in hashed form, it's not any more of a security risk than storing the current password.
|
Ai Shun
777
|
Posted - 2012.04.27 05:06:00 -
[24] - Quote
Barakach wrote:Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user.
Agreed, up to the user. If the user agrees to not claim reimbursement should their re-used password be used without their authorisation.
EVE Ambulation and Avatars as a separate game - see here |
Hannott Thanos
Notorious Legion
44
|
Posted - 2012.04.27 08:06:00 -
[25] - Quote
l2F¤siQa = bad password (because you have to write it down, and it's too few characters)
MyHorseIsActuallyAPony = retardedly good password (long and makes no sense, so not in a dictionary, and you already remembered it for at least a few days just by reading it now)
Changing passwords often = bad (because you make short ones to remember them, and after a while you start writing them down) |
Akirei Scytale
Test Alliance Please Ignore
1049
|
Posted - 2012.04.27 08:08:00 -
[26] - Quote
Zed Jackelope wrote:It would be nice to re-use old passwords
That's a bigger security risk. TEST Alliance BEST Alliance |
supersexysucker
Uber Awesome Fantastico Awesomeness Group Ayn Sof Aur
82
|
Posted - 2012.04.27 08:08:00 -
[27] - Quote
Really you KNOW ccp is salting the pws and all?
Cause I seem to remember sony you know a HUGE co... had the pws in PLAIN TEXT lol |
Hannott Thanos
Notorious Legion
44
|
Posted - 2012.04.27 08:15:00 -
[28] - Quote
To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that |
Akirei Scytale
Test Alliance Please Ignore
1049
|
Posted - 2012.04.27 08:16:00 -
[29] - Quote
Hannott Thanos wrote:To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that
Or one human being who knows your sense of humour decently with a couple hours to burn.
The ideal is a lot more nonsensical than "MyHorseIsActuallyAPony" TEST Alliance BEST Alliance |
Jafit
Dreddit Test Alliance Please Ignore
105
|
Posted - 2012.04.27 08:18:00 -
[30] - Quote
Hannott Thanos wrote:To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that
How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password?
I'm not saying that's my password...
...I'm saying that's my password. |
|
Hannott Thanos
Notorious Legion
44
|
Posted - 2012.04.27 08:23:00 -
[31] - Quote
Jafit wrote:Hannott Thanos wrote:To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password? I'm not saying that's my password... ...I'm saying that's my password.
4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right? |
Zora'e
Nasty Pope
9
|
Posted - 2012.04.27 08:29:00 -
[32] - Quote
While it IS a minor inconvenience at times to have to change passwords, and make sure it isn't an older one you have used before I find it rather refreshing that they won't allow you to use a password you've used before. Of course, over 4 accounts keeping track of your passwords can be a minor pita but it's a small price to pay for the added security it brings to my account overall.
I am FOR not allowing you to use a password you used before. But then, I am also an extremely security conscious person as well.
~Z In EVE Online... A Friend will calm you down when you are angry after getting Ganked.., but a Best Friend will fly along beside you commanding a Strike Group singing "Someone's Gonna Get It!!!". ~Zora'e |
Francisco Bizzaro
63
|
Posted - 2012.04.27 09:19:00 -
[33] - Quote
Hannott Thanos wrote:Jafit wrote:Hannott Thanos wrote:To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password? I'm not saying that's my password... ...I'm saying that's my password. 4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right?
No, you just have to apply a little AI.
Just look at him: square jaw, crew cut, air force shades, Test.
I would have guessed it on the third try. |
Akirei Scytale
Test Alliance Please Ignore
1051
|
Posted - 2012.04.27 09:23:00 -
[34] - Quote
Humans don't think like machines.
You have to beat both. If your long password is easy to remember, it's easy for a human being who knows you to figure out through deduction and a few days of trial and error (if they care).
It's gotta be long, avoid any consistent capitalization scheme, have intentional typos, and be a completely nonsensical grouping of words, to be a truly strong password. TEST Alliance BEST Alliance |
Entity
X-Factor Industries Synthetic Existence
251
|
Posted - 2012.04.27 09:46:00 -
[35] - Quote
Barakach wrote:Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16-byte crypto-strength random value. Maybe I should use a 32-byte salt?... hmmm... So much CPU power these days.
Tsk, just one round of SHA512?
Got Item? |
leviticus ander
CATO.nss
149
|
Posted - 2012.04.27 09:50:00 -
[36] - Quote
Barakach wrote:Voith wrote:Tinnin Sylph wrote:Dear CCP
Please remove the security feature you put in place to ensure I don't do something to compromise my account.
Many Thanks
Some Dumb Pubbie Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature. MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops up. Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user. Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16-byte crypto-strength random value. Maybe I should use a 32-byte salt?... hmmm... So much CPU power these days.
32 BYTE salt? Or 32 bit salt? 32 bytes would probably choke a lot of computers out there, and would cause the authentication server to hang itself. 32 bit, while decent, is a little weaker than I'd expect for anything decently modern; I would probably go with 56 or 64 bit, light enough for mass authentication, but strong enough to seriously deter most malicious users.
And yeah, people clicking through warning boxes and generally being totally ignorant of the basic function of a computer is what's causing most issues today. |
coolzero
The Replicators Northern Associates.
23
|
Posted - 2012.04.27 10:32:00 -
[37] - Quote
when do we get the authenticator $!$#!
have it for WoW have it for SWTOR
now i want it for EVE please
(using a android authenticator app for that btw.) |
Vaerah Vahrokha
Vahrokh Consulting
658
|
Posted - 2012.04.27 10:54:00 -
[38] - Quote
When I worked for a para-military company, we quickly learned that banning password reuse was good only in the programmers' heads.
People would do the IMPOSSIBLE to circumvent it.
1) In the beginning they would just add a "1" after the password. 2) Requiring certain characters, they just added their birth year at the end of the password. 3) Requiring a minimum length, they just copy pasted their own name twice. 4) Reusing the passwords they just added incremental numbers or a combo of the above or the month of the changed password.
When we made filters to screw them up on the above, they started writing the passwords on Post It attached to their monitors.
When we involved their bosses to force them stop doing that, all went suddenly quiet for 2-3 months.
We could not believe we had won against the End Users. We could not be farthest from the truth, in fact.
A parent company team of inspectors came for a routine control and guess what did they find?
The end users ALL opened the same Excel sheet one of them originally created. That Excel sheet had the full user names and passwords of the 1200 employees, all in clear of course.
So, instead of better security, we achieved a huge piece of sh!t.
Heads fell, reprimands were made, everything settled down.
2 more months of utter silence and guess what, one morning I randomly pass close to an End User and my eyes and my ********* fell to the floor together.
They - the End Users - somehow created an MS Access forms "application" including the passwords (in clear of course!!!) of every employee, for multiple applications AND with search engine to make it easier to find and copy / paste them!
The fight against the End Users is something beyond programmers' logic.
Auditing | Collateral holding and insurance | Consulting | PLEX for Good Charity
Twitter channel |
Scrapyard Bob
EVE University Ivy League
899
|
Posted - 2012.04.27 12:09:00 -
[39] - Quote
Hannott Thanos wrote:To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that
Using whole words, especially common ones, means they can use a reduced dictionary of about 15,000 words and just try different combinations. Most English speakers know and use about 10k-15k common words; the full list of English words is generally around 300-350k words. Capitalizing or not capitalizing the first letter in each word gains you about 1 bit of complexity. So putting together 6 words could be a search space as small as:
15,000 ^ 6 = 11,390,625,000,000,000,000,000,000
If you add in some uncommon words, you can increase the search space to around 300,000 per word.
300,000 ^ 6 = 7.29e+32
Just because your password is N characters long, doesn't mean that it automatically has 90^N complexity. Not unless each position uses a randomly chosen character from the list of about 80 easily typed characters. (A-Z, a-z, 0-9 is 62 characters, plus another 28 symbols which are on most keyboards.)
And if someone knows the common patterns like "word number word" or "word symbol word", then they can reduce the search space dramatically.
|
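The search-space arithmetic in Scrapyard Bob's post, and the dictionary-attack figure Hannott Thanos quoted earlier, carried through as an added example (written for this edit, not code from any poster): it splits a CamelCase passphrase such as "MyHorseIsActuallyAPony" into words and compares the naive per-character estimate with the dictionary-word model. The 15,000 / 300,000 dictionary sizes, the 80-character alphabet and the 1.6M guesses per second rate are the figures quoted in the thread, used here as assumptions.

```python
import math
import re

# Figures quoted in the thread, used as assumptions, not measured here.
COMMON_WORDS = 15_000          # vocabulary of a typical English speaker
ALL_WORDS = 300_000            # roughly the full English word list
TYPEABLE_CHARS = 80            # easily typed characters on a keyboard
GUESSES_PER_SECOND = 1.6e6     # Barakach's single-round SHA512 per-core estimate

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def split_words(passphrase: str) -> list:
    """Split a CamelCase passphrase into its words.
    'MyHorseIsActuallyAPony' -> ['My', 'Horse', 'Is', 'Actually', 'A', 'Pony']"""
    return re.findall(r"[A-Z][a-z]*|[a-z]+", passphrase)


def char_model_space(passphrase: str, alphabet: int = TYPEABLE_CHARS) -> int:
    """Naive estimate: alphabet ** N. Only valid when every position is an
    independently chosen random character, which a passphrase is not."""
    return alphabet ** len(passphrase)


def word_model_space(n_words: int, dictionary: int, cap_bit: bool = False) -> int:
    """Search space when the attacker knows the password is n_words dictionary
    words. cap_bit=True adds the ~1 bit per word for optional capitalisation
    that the post mentions; the post's own figures (15,000 ^ 6) leave it out."""
    per_word = dictionary * (2 if cap_bit else 1)
    return per_word ** n_words


def bits(space: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the given guess rate (a single core)."""
    return space / rate / SECONDS_PER_YEAR


def estimate(passphrase: str) -> dict:
    """Compare the naive character model with the word model for one passphrase.
    The gap between char_model_bits and common_word_bits is the point of the
    post: length alone does not give 80^N strength."""
    words = split_words(passphrase)
    n = len(words)
    return {
        "words": n,
        "char_model_bits": bits(char_model_space(passphrase)),
        "common_word_bits": bits(word_model_space(n, COMMON_WORDS)),
        "common_word_cap_bits": bits(word_model_space(n, COMMON_WORDS, cap_bit=True)),
        "all_word_bits": bits(word_model_space(n, ALL_WORDS)),
        "common_word_years": years_to_exhaust(word_model_space(n, COMMON_WORDS)),
    }


if __name__ == "__main__":
    for k, v in estimate("MyHorseIsActuallyAPony").items():
        print(f"{k:>22}: {v:,.1f}" if isinstance(v, float) else f"{k:>22}: {v}")
```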
Scrapyard Bob
EVE University Ivy League
899
|
Posted - 2012.04.27 12:11:00 -
[40] - Quote
coolzero wrote:when do we get the authenticator $!$#!
have it for WoW have it for SWTOR
now i want it for EVE please
(using a android authenticator app for that btw.)
If you read between the lines - when CCP talks about "two-factor authentication" it means that they are going to add authenticators.
ETA is July 2012 - but that date could slip. |
|
Scrapyard Bob
EVE University Ivy League
899
|
Posted - 2012.04.27 12:19:00 -
[41] - Quote
Hannott Thanos wrote:l2F¤siQa = bad password (because you have to write it down, and it's too few characters) MyHorseIsActuallyAPony = retardedly good password (long and makes no sense, so not in a dictionary, and you already remembered it for at least a few days just by reading it now)
Changing passwords often = bad (because you make short ones to remember them, and after a while you start writing them down)
It's a bit of a myth that writing down the password is automatically bad. Most people inherently understand controlling access to information that is written down on a sheet of paper. They can fold it over to keep it hidden from prying eyes, they can tuck it away in their wallet/purse, or keep it in a locked box/drawer.
What you have to do is train them to (a) not put it somewhere silly like under the keyboard or in an open desk drawer and (b) that they are legally responsible if bad things happen due to the password leaking. |
Steve Ronuken
Fuzzwork Enterprises
383
|
Posted - 2012.04.27 12:26:00 -
[42] - Quote
Edit: ability to read = minimal FuzzWork Enterprises http://www.fuzzwork.co.uk/ Blueprint calculator, invention chance calculator, isk/m3 Ore chart and other 'useful' utilities. |
Barakach
R-ISK Shadow Operations.
60
|
Posted - 2012.04.27 12:38:00 -
[43] - Quote
leviticus ander wrote: 32 BYTE salt? Or 32 bit salt? 32 bytes would probably choke a lot of computers out there, and would cause the authentication server to hang itself. 32 bit, while decent, is a little weaker than I'd expect for anything decently modern; I would probably go with 56 or 64 bit, light enough for mass authentication, but strong enough to seriously deter most malicious users. And yeah, people clicking through warning boxes and generally being totally ignorant of the basic function of a computer is what's causing most issues today.
32 bytes is nothing. SHA512 has a performance of about 100MB/core. Assume 32 bytes for the password string (on the large end) and another 32 bytes for the salt; that's ~1.6mil hashed passwords per second, ignoring SHA512 object creation time.
Not only would your DB not be able to keep up, but a 10Gb link would have a hard time. Actually, most single cores cannot handle 10Gb/s of network stack. You would actually be spending more CPU time handling packets to feed the SHA512, than actually computing SHA512.
I admit that there are many other variables like allocating a buffer to store the concatenated salt+string and a myriad of many other things, but CPU time is not an issue.
|
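An added example (written for this edit, not CCP's implementation, which the thread never describes) covering the scheme debated in posts 20, 23, 35 and 43: the single-round SHA512(password+salt) Barakach describes, a salted iterated KDF beside it, and a password-history check that stores only per-salt hashes of retired passwords, so nothing is kept in clear. PBKDF2-HMAC-SHA512, the iteration count and the history depth are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed parameters for the example; not tuned for any real deployment.
KDF_ITERATIONS = 100_000   # each guess now costs 100k HMAC-SHA512, not one hash
SALT_BYTES = 16            # the 16-byte CSPRNG salt Barakach describes
HISTORY_DEPTH = 5          # how many retired passwords are remembered (as hashes)


def single_round_sha512(password: str, salt: bytes) -> bytes:
    """The scheme quoted in the thread: SHA512(password + salt), one round.
    Correctly salted, but fast: once the table is dumped an attacker can test
    candidates at roughly the 1.6M/s per core Barakach computes."""
    return hashlib.sha512(password.encode("utf-8") + salt).digest()


def slow_kdf(password: str, salt: bytes) -> bytes:
    """Same inputs, but iterated (PBKDF2-HMAC-SHA512, assumed here) so that each
    offline guess against a dumped table costs KDF_ITERATIONS hash evaluations."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, KDF_ITERATIONS)


@dataclass
class Account:
    current_salt: bytes
    current_hash: bytes
    # (salt, hash) pairs of retired passwords. Each keeps its own salt, which is
    # why a stored old hash is no riskier than the current one (post 23).
    history: list = field(default_factory=list)


def create_account(password: str) -> Account:
    salt = os.urandom(SALT_BYTES)
    return Account(salt, slow_kdf(password, salt))


def verify(acct: Account, password: str) -> bool:
    """Login check; constant-time compare so timing does not leak matching bytes."""
    return hmac.compare_digest(slow_kdf(password, acct.current_salt), acct.current_hash)


def was_used_before(acct: Account, password: str) -> bool:
    """The check the thread argues about: re-derive the candidate with every
    retired salt. No plaintext is needed; the cost is one KDF per history entry."""
    if verify(acct, password):
        return True
    return any(hmac.compare_digest(slow_kdf(password, s), h) for s, h in acct.history)


def change_password(acct: Account, new_password: str) -> bool:
    """Rotate the password. Returns False and changes nothing if new_password
    is the current one or any of the last HISTORY_DEPTH retired ones."""
    if was_used_before(acct, new_password):
        return False
    acct.history.insert(0, (acct.current_salt, acct.current_hash))
    del acct.history[HISTORY_DEPTH:]          # forget the oldest entries
    acct.current_salt = os.urandom(SALT_BYTES)
    acct.current_hash = slow_kdf(new_password, acct.current_salt)
    return True


if __name__ == "__main__":
    acct = create_account("correct horse")
    print("login ok:", verify(acct, "correct horse"))
    print("rotate:", change_password(acct, "MyHorseIsActuallyAPony"))
    print("reuse rejected:", not change_password(acct, "correct horse"))
```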
Jafit
Dreddit Test Alliance Please Ignore
107
|
Posted - 2012.04.27 15:44:00 -
[44] - Quote
Francisco Bizzaro wrote:Hannott Thanos wrote:Jafit wrote:Hannott Thanos wrote:To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password? I'm not saying that's my password... ...I'm saying that's my password. 4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right? No, you just have to apply a little AI. Just look at him: square jaw, crew cut, air force shades, Test. I would have guessed it on the third try.
I look like this in real life.
Check out this beta dude, I bet he doesn't even lift. |
Mr Kidd
Center for Advanced Studies Gallente Federation
546
|
Posted - 2012.04.27 16:07:00 -
[45] - Quote
CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months.
Is that the next couple of months this year or last year? Joking....I'll just assume you guys are working hard to get it going soon(tm). We want breast augmentations and sluttier clothing in the NeX! |
Zed Jackelope
The Generic Pirate Corporation Fusion.
5
|
Posted - 2012.04.27 23:27:00 -
[46] - Quote
1. "What ifs" What if someone is able to get a copy of the used passwords, encrypted, and some breakthrough tomorrow allows them to be easily deciphered?
2. Re-use. I cannot say what others do, but I have separate sets of passwords for differing services. I use 'boogers' for pretty much any crap site I don't care about. Same with games, all my games use the same couple of passwords. However, it's my choice to use those same passwords. And as I feel I take enough care with my browsing not to get key logged, I feel there's absolutely no difference between reusing old passwords and someone's silly mention of stringing a couple of random words into a password that's never changed?
Taking 1 and 2 into account, with ALL your old EVE passwords saved... how many of you are screwed if tomorrow some magic fairy quantum computer dust allows some script kiddy to the list of every password everyone in EVE has ever used? Ever.
3. Password reset. It's annoying, but with 30 mackinaw accounts, eventually I do forget a password.. this just means I have to go through the whole retrieval process. And with this "added security enhancement", instead of simply cycling between 2+ passwords.. I have to make up and remember an entirely new one.
Conclusion: It's my account, my choice. You can warn the mouth breathing **** clickers all day, but if I choose of my own free will to reuse an old password, CCP shouldn't be stopping me, nor storing my old ones.
Just want to say EVER one more time. |
Ai Shun
782
|
Posted - 2012.04.27 23:53:00 -
[47] - Quote
Zed Jackelope wrote:how many of you are screwed if tomorrow some magic fairy quantum computer dust allows some script kiddy to the list of every password everyone in EVE has ever used? Ever.
About the same number that would be screwed when a psychic predicts our passwords. Maybe a bit more though. EVE Ambulation and Avatars as a separate game - see here |
Barakach
R-ISK Shadow Operations.
62
|
Posted - 2012.04.28 15:36:00 -
[48] - Quote
Zed Jackelope wrote:how many of you are screwed if tomorrow some magic fairy quantum computer dust allows some script kiddy to the list of every password everyone in EVE has ever used
Might as well stop going to work to enjoy today, because an asteroid may hit tomorrow and kill everyone.
My post makes the assumption CCP is using industry standards. |
Ntrails
Merch Industrial Goonswarm Federation
74
|
Posted - 2012.04.28 15:49:00 -
[49] - Quote
Jonas Xiamon wrote: They're storing an encrypted version of your password, which is virtually useless.
That is not at all true. The issue is that when someone has downloaded a database of salted and hashed passwords there are no limits to the brute force attacks they can use to get the original password - they can test hundreds of thousands of combinations a minute with a decent computer set up. |
Nariya Kentaya
Tartarus Ventures Surely You're Joking
179
|
Posted - 2012.04.28 16:54:00 -
[50] - Quote
Scrapyard Bob wrote:Hannott Thanos wrote:l2F-ñsiQa = bad password (because you have to write it down, and it's too few characters) MyHorseIsActuallyAPony = retardedly good password (Long and makes no sense, so not in a dictionary, and you already remembered it for at least a few days just by reading it now)
Changing passwords often = bad (because you make short ones to remember them, and after a while you start writing them down) It's a bit of a myth that writing down the password is automatically bad. Most people inherently understand controlling access to information that is written down on a sheet of paper. They can fold it over to keep it hidden from prying eyes, they can tuck it away in their wallet/purse, or keep it in a locked box/drawer. What you have to do is train them to (a) not put it somewhere silly like under the keyboard or in an open desk drawer and (b) that they are legally responsible if bad things happen due to the password leaking.
All of my passwords are written in a tiny notebook with a lock on it. I keep the key around my neck and the notebook in the bottom of my gun holster, so yeah, getting my passwords would require a fight. |
|
Altair Raja
Colonial Marines EVE Division Villore Accords
3
|
Posted - 2012.04.28 19:00:00 -
[51] - Quote
Well I remember when you could have anything for a password as long as it was 5+ long...
For a good long while after the password settings changed I kept my old simple one, since even my ID is different from any other game I play.
Also, non-English passwords ftw! Then no one can guess them, lol. AFK cloaking doesn't earn anything, so it needs a buff! |
Ranger 1
Ranger Corp
1691
|
Posted - 2012.04.28 19:46:00 -
[52] - Quote
Security procedures for any online company are a serious issue, and responsibility.
Asking them to make their service less secure for your personal convenience is likely not going to happen.
Asking for a more convenient option that is as secure or even more so would be seriously considered.
Taking advice from people basing their information on hearsay, urban myth, or purely personal preference on security issues is generally a bad idea. When I check troll in the dictionary, it has a photo shopped picture of you standing somewhere in the vicinity of a point.
Also, I can kill you with my brain. |
Tau Cabalander
Retirement Retreat Working Stiffs
654
|
Posted - 2012.04.28 21:23:00 -
[53] - Quote
Password Safe (Free & Open Source) http://sourceforge.net/projects/passwordsafe/ |
leviticus ander
CATO.nss
149
|
Posted - 2012.04.28 21:26:00 -
[54] - Quote
safer than that would be to just create an encrypted .txt file. since at least that way, you know that the program accessing it doesn't have any kind of access to the internet. |
Mario MacGruber
State War Academy Caldari State
4
|
Posted - 2012.04.28 21:47:00 -
[55] - Quote
CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months.
Will there be 2 factor clients for Android, iPhone and Windows mobile similar to Battle.net and Google Authenticator? |
|
CCP Sreegs
C C P C C P Alliance
1278
|
Posted - 2012.04.29 00:58:00 -
[56] - Quote
Mario MacGruber wrote:CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months. Will there be 2 factor clients for Android, iPhone and Windows mobile similar to Battle.net and Google Authenticator?
There will be what is there when we can say it is :)
Internet Security Experts are the new Internet Lawyers. I'm not sure how I feel about that yet. "Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012 |
|
leviticus ander
CATO.nss
149
|
Posted - 2012.04.29 01:59:00 -
[57] - Quote
CCP Sreegs wrote:Mario MacGruber wrote:CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months. Will there be 2 factor clients for Android, iPhone and Windows mobile similar to Battle.net and Google Authenticator? There will be what is there when we can say it is :) Internet Security Experts are the new Internet Lawyers. I'm not sure how I feel about that yet. it'll definitely be nice when you guys get that implemented. and technically I am an internet security expert, I'm currently training for the CERT ethical hacker exam. |
Scrapyard Bob
EVE University Ivy League
899
|
Posted - 2012.04.29 21:55:00 -
[58] - Quote
leviticus ander wrote: safer than that would be to just create an encrypted .txt file. since at least that way, you know that the program accessing it doesn't have any kind of access to the internet.
That's the method I use. Regular text files, where the contents are a GPG/PGP encrypted ASCII text block. One file per site or account.
The primary advantages:
- As long as I don't lose my GPG keys, I'm in pretty good shape.
- Since they are ASCII armored text blocks, they can be printed / faxed / emailed / OCR'd.
- Backups are dead simple (email a copy to yourself, stuff it in a version control system, etc).
- When I decrypt a particular file to get at a password, it only exposes a single account at a time.
The main downside:
- I'm relying on nobody ever stealing my GPG/PGP key and guessing my (lengthy) passphrase.
(But that's the same issue with letting Firefox remember your passwords, using a master passphrase. So it's a bit of a wash.) |
leviticus ander
CATO.nss
149
|
Posted - 2012.04.29 23:40:00 -
[59] - Quote
Scrapyard Bob wrote:leviticus ander wrote: safer than that would be to just create an encrypted .txt file. since at least that way, you know that the program accessing it doesn't have any kind of access to the internet.
That's the method I use. Regular text files, where the contents are a GPG/PGP encrypted ASCII text block. One file per site or account. The primary advantages: - As long as I don't lose my GPG keys, I'm in pretty good shape. - Since they are ASCII armored text blocks, they can be printed / faxed / emailed / OCR'd. - Backups are dead simple (email a copy to yourself, stuff it in a version control system, etc). - When I decrypt a particular file to get at a password, it only exposes a single account at a time. The main downside: - I'm relying on nobody ever stealing my GPG/PGP key and guessing my (lengthy) passphrase. (But that's the same issue with letting Firefox remember your passwords, using a master passphrase. So it's a bit of a wash.)
Or you could do what I'm doing, and write your own encryption/decryption software. If it's only you that's going to be using the files, it doesn't matter if you are using an industry standard encryption protocol or not. |
Caha Evano
Victory of Samothrace
1
|
Posted - 2012.04.30 01:33:00 -
[60] - Quote
For anyone wanting to make a strong password, I suggest you read through this password haystacks webpage. Additionally I suggest using a mnemonic, such as "My very educated mother just sewed us new pants." Obviously Pluto is sad now. Either way, to use one in everyday life, just use what is in it or something you like. For example "Audrey Hepburn is the most elegant Woman I have ever seen." So this becomes "AHitmeWIhes"; as you can see, the capital letters are placed in a logical manner to help remember where they are. Now you need numbers; well, 4/5/1929 is her birthday. And so we will go with "529," the month and year she was born. Now we need two or three symbols, and these vary depending on the site/program, but EVE allows almost all of them, or at least the less common ones, so little issue there. So let us choose our symbols, and they can be "$" "{" and "}". Let's take all of them together, now.
AHitmeWIhes529${}
and this can become, Am{529}eWs$
But we are not done yet, so we don't want to come up with say fifty mnemonics, so we differentiate based on site. So how for EVE, well it can be Evil people who take my money, or "Ep".
Thus our final password can look something like this: "Am{E529p}eWs$". So you now have a thirteen character password, with capital and lowercase letters, three numbers, and three symbols, that is the same for all your sites except for two unique characters before and after "529."
Now saying this is as simple as, "Audrey most {Evil 529 people } elegant Woman seen $"
If you use the above password for anything, um just wait a few years to do so.
I must admit I only read the first page about people complaining about the password requirements, and well, this addresses that. |
|
Don Knots
Akkio Innovations
0
|
Posted - 2012.04.30 03:46:00 -
[61] - Quote
You mean people are still using passwords that they have to remember?
One Winning Word: KeePass.
FTW. |
leviticus ander
CATO.nss
149
|
Posted - 2012.04.30 03:52:00 -
[62] - Quote
Don Knots wrote:You mean people are still using passwords that they have to remember?
One Winning Word: KeePass.
FTW. No matter how good their repute is, I would never use a program like that. |
Ayame Tao
State War Academy Caldari State
5
|
Posted - 2012.05.01 09:19:00 -
[63] - Quote
leviticus ander wrote:Don Knots wrote:You mean people are still using passwords that they have to remember?
One Winning Word: KeePass.
FTW. No matter how good their repute is, I would never use a program like that.
*boggle*
What? Why?
Well, okay, I suppose it is your prerogative, but honestly, free security programs like KeePass are the saving grace for the extremely insecure constraints of usernames and passwords.
You could use a passphrase like Correct Horse Battery Staple as xkcd points out, or use Caha's method (which is similar to what I used before KeePass), but with modern methods, anything based on dictionary words (in any language) or without enough bits (128+) is going to take a dedicated attacker less time to break than it takes to train a level 4 skill.
Passwords are like suicide ganking. It's only a matter of how much resources the attacker has to throw at it to kill you.
Using a dictionary word with some leetspeak added to it is the equivalent of taking a totally untanked Hulk with a shipname of 'Hulkageddonists Are W*nkers' and going AFK in the Perimeter asteroid belts.
Using a generated strong password in KeePass is more like using a fully tanked mining Rokh - they can still get you eventually, but it's so much harder that hopefully they won't bother.
|
Sarina Berghil
Adhocracy Incorporated Adhocracy
32
|
Posted - 2012.05.01 11:59:00 -
[64] - Quote
When people use unsafe password practices they have a reason for doing so, most often because the safe practices are too inconvenient.
Creating arbitrary limitations only forces those people into using even more unsafe practices, as Vaerah Vahrokha's story illustrates.
How many of us can remember 20 safe passwords? |
Wodensun
ZeroSec
1
|
Posted - 2012.05.01 15:52:00 -
[65] - Quote
rainbow tables.
Cloud computing.
You know you can just rent a stack of servers right and run your malicious stuff on that... kinda like amazon does.... |
Alain Kinsella
104
|
Posted - 2012.05.01 19:29:00 -
[66] - Quote
Sarina Berghil wrote:When people use unsafe password practices they have a reason for doing so, most often because the safe practices are too inconvenient.
Creating arbitrary limitations only force those people into using even more unsafe practices, as Vaerah Vahrokha's story illustrates.
How many of us can remember 20 safe passwords?
Yeah, that story was nuts. At that point you may as well implement an OTP strategy (like SecurID) and be done with it. [For the record, I've had two SID at one point - the second one to access a client's network so I could update our monitoring software. While it got tedious at times, I understood the reasons and lived with it.]
Remembering new passwords can be a pain, yes, but you just need to be a bit creative in generating new ones. I've been doing that since my first UNIX account in 1991. Annoying? You bet. But worth the peace of mind.
@ Caha Evano - thanks for that link, good to see his site is still alive and kicking.
@ CCP Sreegs - If you're contemplating OTP apps, please do not forget those of us still on Blackberries. Thanks. (This is fine for a game, but I do prefer having physical tokens for work.) I may have come here from Myst Online, but that does not make me any less bloodthirsty than the average Eve player.
Just more subtle.
|
leviticus ander
CATO.nss
149
|
Posted - 2012.05.02 00:13:00 -
[67] - Quote
Wodensun wrote:rainbow tables.
Cloud computing.
You know you can just rent a stack of servers right and run your malicious stuff on that... kinda like amazon does....
I think you guys are basing this off of the old authentication methods. Rainbow tables are alright, but are pretty much hopeless for anything bigger than 7-8 characters. This is a video I made for a class project: Password Cracking for dummies. I did actually download the 400GB rainbow table; it's for 7 characters made of any legal password character. I also have an alphanumeric 8 character rainbow table. As for manually cracking passwords, while it's reasonable, it's not as easy as you guys seem to be implying. To do an 80k word hybrid dictionary attack, it would take my 4.8GHz quad core about 2-3 weeks to process. Also, all those words are single words, meaning that putting 2 words together won't be cracked. With Windows 7 at least, if you have a 12-14 character password with a good mix of types of characters, it'll be effectively unbreakable for the next few years, and by the time it is reasonably breakable, they will have probably made a better authentication system. Cloud computing is usable, but it's about as bad as my computer since they are generally sitting at about 2-2.5GHz. If you are really up for cracking passwords, renting a botnet for computing is probably your best bet. |
Shian Yang
38
|
Posted - 2012.05.02 00:39:00 -
[68] - Quote
leviticus ander wrote:Wodensun wrote:rainbow tables.
Cloud computing.
You know you can just rent a stack of servers right and run your malicious stuff on that... kinda like amazon does.... I think you guys are basing this off of the old authentication methods. Rainbow tables are alright, but are pretty much hopeless for anything bigger than 7-8 characters. This is a video I made for a class project: Password Cracking for dummies. I did actually download the 400GB rainbow table; it's for 7 characters made of any legal password character. I also have an alphanumeric 8 character rainbow table. As for manually cracking passwords, while it's reasonable, it's not as easy as you guys seem to be implying. To do an 80k word hybrid dictionary attack, it would take my 4.8GHz quad core about 2-3 weeks to process. Also, all those words are single words, meaning that putting 2 words together won't be cracked. With Windows 7 at least, if you have a 12-14 character password with a good mix of types of characters, it'll be effectively unbreakable for the next few years, and by the time it is reasonably breakable, they will have probably made a better authentication system. Cloud computing is usable, but it's about as bad as my computer since they are generally sitting at about 2-2.5GHz. If you are really up for cracking passwords, renting a botnet for computing is probably your best bet.
Greetings capsuleer,
You may not be aware of this, but modern GPUs are more capable at this task than their CPU equivalents.
Regards,
Shian Yang |
leviticus ander
CATO.nss
149
|
Posted - 2012.05.02 09:37:00 -
[69] - Quote
Shian Yang wrote:Greetings capsuleer, You may not be aware of this, but modern GPUs are more capable at this task than their CPU equivalents. Regards, Shian Yang
Maybe for the hybrid dictionary attack. But like I said, as long as you use 12-14 characters, you're pretty much safe for the moment thanks to the exponential increase in difficulty. |
Steve Ronuken
Fuzzwork Enterprises
392
|
Posted - 2012.05.02 10:18:00 -
[70] - Quote
And rainbow tables become pretty much useless when you have a salted password. FuzzWork Enterprises http://www.fuzzwork.co.uk/ Blueprint calculator, invention chance calculator, isk/m3 Ore chart and other 'useful' utilities. |
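Steve's point in code, as an added example that is not part of the original thread and says nothing about how CCP actually stores passwords: a precomputed hash-to-plaintext table (what a rainbow table compresses) matches unsalted hashes directly and also reveals which accounts share a password, while a per-user random salt plus a slow KDF gives every account a distinct record that no table can be built for in advance. The sample accounts and passwords are constructed for the demo; PBKDF2 is used only because it is in the standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (not real credentials). Two of them share a
# password, which is exactly what an unsalted hash makes visible.
USERS = {"zed": "hunter2", "tanya": "hunter2", "ranger": "Correct Horse"}


def unsalted_hash(password: str) -> str:
    """The storage pattern the thread worries about: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """hash -> plaintext for a candidate list. A rainbow table is a
    space-compressed form of this mapping; both need the hash to depend on
    the password alone, with no per-user input."""
    return {unsalted_hash(p): p for p in candidates}


def table_hits(stored: dict, table: dict) -> dict:
    """Accounts (user -> recovered password) whose stored value is in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> dict:
    """Per-user random 16-byte salt plus PBKDF2-HMAC-SHA256. The salt is
    stored in the clear; it defeats precomputation, the iteration count
    makes each guess cost the attacker the same work it costs the server."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(["password", "hunter2", "123456"])
    plain = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted hits:", table_hits(plain, table))   # both hunter2 users
    salted = {u: salted_record(p) for u, p in USERS.items()}
    print("salted hits:", table_hits({u: r["hash"] for u, r in salted.items()}, table))
    print("same password, different records:",
          salted["zed"]["hash"] != salted["tanya"]["hash"])
```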
|
leviticus ander
CATO.nss
149
|
Posted - 2012.05.02 10:21:00 -
[71] - Quote
Steve Ronuken wrote:And rainbow tables become pretty much useless when you have a salted password.
Pretty much everything becomes useless with modern salted passwords. Windows doesn't use it, so that still allows you to use rainbow tables on about 95%+ of the market share. |
Ayame Tao
State War Academy Caldari State
7
|
Posted - 2012.05.02 11:22:00 -
[72] - Quote
So why then is KeePass something you wouldn't use?
Considering it can generate passwords of mixed case alphanumeric + special characters of 256+ bits (1000 bits if you want) and have individual passwords for each site/game/account that are easily managed.
Using a composite master key mitigates the risk of compromise.
If somebody managed to compromise my machine to the level required where they could compromise my KeePass password and compromise my USB drive key, I've got bigger problems than password integrity.
Generated KeePass passwords of suitable length and complexity (herein is a bigger problem in the number of places you are restricted to 6 letters and no special characters etc) would take some serious brute forcing, beyond even retasked GPUs or application specific integrated circuits available to anyone who isn't a national level 3 letter agency. |
Doctor Ungabungas
GoonWaffe Goonswarm Federation
91
|
Posted - 2012.05.02 11:26:00 -
[73] - Quote
supersexysucker wrote:CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months. Or you could just give us a ******* warning and let us do WHAT we want.
What you want makes extra work for CCP. Hiring extra GM's to deal with your hacked accounts costs them extra money.
If CCP are willing to charge you a $5 a month 'I'm a ****** who is more likely to be hacked' surcharge that goes towards hiring more GM's, I think it's a fantastic idea. |
Ave Kathrina
Center for Advanced Studies Gallente Federation
1
|
Posted - 2012.05.02 12:23:00 -
[74] - Quote
supersexysucker wrote:I do not change my pw BECAUSE of CCPs dumb **** can't put in an old one... need a cap letter now, etc bullshit.
I WILL PICK MY OWN FUCKIN PASSWORD.
Be nice if someone would steal all CCPs stored old passwords rofl...
The mail they would need to send out would be LOL...
"Every password you ever used in eve online has been stolen, please make sure to change any accounts using any of these passwords, we enjoy fuckin you"
Also for the retart tinnin... why not ask CCP for an onscreen in game keyboard to enter log in info... I mean if we need to make
PW's a *****... what about keyloggers PLEASE PROTECT ME FROM KEY LOGGERS CCP.
Sounds like a baby that needs someone to protect him... lul.
You know what hackers did when people thought on screen keyboards were secure? They just wrote a screen capture tool. |
Iamien
Dreddit Test Alliance Please Ignore
193
|
Posted - 2012.07.10 17:02:00 -
[75] - Quote
Seriously, I want to use hunter2 again. |
Micheal Dietrich
Kings Gambit Black
529
|
Posted - 2012.07.10 17:05:00 -
[76] - Quote
Seriously, again? Is this going to be your hobby for the day necro'ing threads that are about to be locked to time? |
Jimmy Gunsmythe
Republic Military School Minmatar Republic
69
|
Posted - 2012.07.10 20:35:00 -
[77] - Quote
supersexysucker wrote:CCP Sreegs wrote:This will be reviewed when we institute the two factor option in the next couple of months. Or you could just give us a ******* warning and let us do WHAT we want.
IB4 'Sandbox' comments?
I just hate having to capitalize letters. I understand it makes the password more secure but given that I make up words for passwords, I'm not too worried about getting hacked. A good predator knows how to live in balance with his prey, lest he follow them into oblivion. |