
Hannott Thanos
Notorious Legion
44
Posted - 2012.04.27 08:23:00 - [31]
Jafit wrote:
    Hannott Thanos wrote:
        To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that.
    How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password? I'm not saying that's my password... ...I'm saying that's my password.
4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right?

Zora'e
Nasty Pope
9
Posted - 2012.04.27 08:29:00 - [32]
While it IS a minor inconvenience at times to have to change passwords, and make sure it isn't an older one you have used before, I find it rather refreshing that they won't allow you to use a password you've used before. Of course, over 4 accounts keeping track of your passwords can be a minor pita, but it's a small price to pay for the added security it brings to my account overall.
I am FOR not allowing you to use a password you used before. But then, I am also an extremely security conscious person as well.
~Z In EVE Online... A Friend will calm you down when you are angry after getting Ganked.., but a Best Friend will fly along beside you commanding a Strike Group singing "Someone's Gonna Get It!!!". ~Zora'e

Francisco Bizzaro
63
Posted - 2012.04.27 09:19:00 - [33]
Hannott Thanos wrote:
    Jafit wrote:
        Hannott Thanos wrote:
            To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that.
        How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password? I'm not saying that's my password... ...I'm saying that's my password.
    4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right?
No, you just have to apply a little AI.
Just look at him: square jaw, crew cut, air force shades, Test.
I would have guessed it on the third try.

Akirei Scytale
Test Alliance Please Ignore
1051
Posted - 2012.04.27 09:23:00 - [34]
Humans don't think like machines.
You have to beat both. If your long password is easy to remember, it's easy for a human being who knows you to figure out through deduction and a few days of trial and error (if they care).
It's gotta be long, avoid any consistent capitalization scheme, have intentional typos, and be a completely nonsensical grouping of words, to be a truly strong password.
TEST Alliance BEST Alliance

Entity
X-Factor Industries Synthetic Existence
251
Posted - 2012.04.27 09:46:00 - [35]
Barakach wrote:
    Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16 byte crypto strength random value. Maybe I should use a 32 byte salt?... hmmm... So much CPU power these days.
Tsk, just one round of SHA512?
Got Item?

leviticus ander
CATO.nss
149
Posted - 2012.04.27 09:50:00 - [36]
Barakach wrote:
    Voith wrote:
        Tinnin Sylph wrote:
            Dear CCP
            Please remove the security feature you put in place to ensure I don't do something to compromise my account.
            Many Thanks
            Some Dumb Pubbie
        Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature.
    MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops up. Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user. Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16 byte crypto strength random value. Maybe I should use a 32 byte salt?... hmmm... So much CPU power these days.
32 BYTE salt? Or 32 bit salt? 32 bytes would probably choke a lot of computers out there, and would cause the authentication server to hang itself. 32 bit, while decent, is a little weaker than I'd expect for anything decently modern; I would probably go with 56 or 64 bit, light enough for mass authentication, but strong enough to seriously deter most malicious users.
And yeah, people clicking through warning boxes and generally being totally ignorant of the basic function of a computer is what's causing most issues today.

coolzero
The Replicators Northern Associates.
23
Posted - 2012.04.27 10:32:00 - [37]
When do we get the authenticator $!$#!
Have it for WoW, have it for SWTOR,
now I want it for EVE please.
(Using an Android authenticator app for that btw.)

Vaerah Vahrokha
Vahrokh Consulting
658
Posted - 2012.04.27 10:54:00 - [38]
When I worked for a para-military company, we quickly learned that reusing passwords was good only in the programmers' heads.
People would do the IMPOSSIBLE to circumvent it.
1) In the beginning they would just add a "1" after the password.
2) Requiring certain characters, they just added their birth year at the end of the password.
3) Requiring a minimum length, they just copy pasted their own name twice.
4) Reusing the passwords, they just added incremental numbers or a combo of the above or the month of the changed password.
When we made filters to screw them up on the above, they started writing the passwords on Post-Its attached to their monitors.
When we involved their bosses to force them to stop doing that, all went suddenly quiet for 2-3 months.
We could not believe we had won against the End Users. We could not be farthest from the truth, in fact.
A parent company team of inspectors came for a routine control and guess what they found?
The end users ALL opened the same Excel sheet one of them originally created. That Excel sheet had the full user names and passwords of the 1200 employees, all in clear of course.
So, instead of better security, we achieved a huge piece of sh!t.
Heads fell, reprimands were made, everything settled down.
2 more months of utter silence and guess what, one morning I randomly pass close to an End User and my eyes and my ********* fell to the floor together.
They - the End Users - somehow created an MS Access forms "application" including the passwords (in clear of course!!!) of every employee, for multiple applications AND with a search engine to make it easier to find and copy / paste them!
The fight against the End Users is something beyond programmers' logic.
Auditing | Collateral holding and insurance | Consulting | PLEX for Good Charity
Twitter channel
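The four workarounds listed in the post above (a trailing "1", a birth year, the user's own name pasted twice, a bumped counter or month) are exactly what a password-history filter has to recognise. The following is an added example, not the poster's or any employer's actual filter: it keeps only a salted PBKDF2 hash of each retired password's normalised core (no clear-text history, unlike the Excel sheet in the story) and rejects candidates that collapse onto a retired one; the normalisation rules, the username "jdoe" and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Suffixes users bolt onto an old password: "1", "2", a year, a month ("04").
TRAILING_DIGITS = re.compile(r"\d{1,4}$")


def normalise(password: str) -> str:
    """Reduce a password to its core: case-folded, trailing counter/year/month
    removed. Two passwords with the same core count as the same password."""
    return TRAILING_DIGITS.sub("", password.lower())


def is_name_based(password: str, username: str) -> bool:
    """Catch workaround 3: the user's own name, once or pasted twice, with or
    without a numeric suffix (e.g. 'jdoejdoe', 'jdoe1984')."""
    name = username.lower()
    core = normalise(password)
    return core in (name, name * 2)


def core_hash(core: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalised core. Only this is kept in history,
    so a leaked history table is not a clear-text password list.
    Caveat: the core has less entropy than the full password, so this table
    deserves the same protection as the live credential store."""
    return hashlib.pbkdf2_hmac("sha256", core.encode("utf-8"), salt, 100_000)


@dataclass
class PasswordHistory:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    retired: List[bytes] = field(default_factory=list)

    def remember(self, password: str) -> None:
        """Record a password that is being replaced."""
        self.retired.append(core_hash(normalise(password), self.salt))

    def check(self, candidate: str) -> Optional[str]:
        """Return a rejection reason, or None if the candidate is acceptable."""
        if is_name_based(candidate, self.username):
            return "name-based"
        digest = core_hash(normalise(candidate), self.salt)
        # Constant-time comparison against every retired core.
        if any(hmac.compare_digest(digest, old) for old in self.retired):
            return "reuse-with-suffix"
        return None


if __name__ == "__main__":
    # Constructed sample: user 'jdoe' retires "Winter2011" and then tries
    # the usual tricks from the post.
    history = PasswordHistory("jdoe")
    history.remember("Winter2011")
    for attempt in ("Winter2012", "winter1", "jdoejdoe", "jdoe1984",
                    "correct horse battery"):
        print(f"{attempt!r:>24}: {history.check(attempt) or 'accepted'}")
```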

Scrapyard Bob
EVE University Ivy League
899
Posted - 2012.04.27 12:09:00 - [39]
Hannott Thanos wrote:
    To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that.
Using whole words, especially common ones, means they can use a reduced dictionary of about 15,000 words and just try different combinations. Most English speakers know and use about 10k-15k common words; the full list of English words is generally around 300-350k words. Capitalizing or not capitalizing the first letter in each word gains you about 1 bit of complexity. So putting together 6 words could be a search space as small as:
15,000 ^ 6 = 11,390,625,000,000,000,000,000,000
If you add in some uncommon words, you can increase the search space to around 300,000 per word.
300,000 ^ 6 = 7.29e+32
Just because your password is N characters long doesn't mean that it automatically has 90^N complexity. Not unless each position uses a randomly chosen character from the list of about 80 easily typed characters. (A-Z, a-z, 0-9 is 62 characters, plus another 28 symbols which are on most keyboards.)
And if someone knows the common patterns like "word number word" or "word symbol word", then they can reduce the search space dramatically.

Scrapyard Bob
EVE University Ivy League
899
Posted - 2012.04.27 12:11:00 - [40]
coolzero wrote:
    When do we get the authenticator $!$#!
    Have it for WoW, have it for SWTOR,
    now I want it for EVE please.
    (Using an Android authenticator app for that btw.)
If you read between the lines - when CCP talks about "two-factor authentication" it means that they are going to add authenticators.
ETA is July 2012 - but that date could slip.

Scrapyard Bob
EVE University Ivy League
899
Posted - 2012.04.27 12:19:00 - [41]
Hannott Thanos wrote:
    l2F¤siQa = bad password (because you have to write it down, and it's too few characters)
    MyHorseIsActuallyAPony = retardedly good password (long and makes no sense, so not in a dictionary, and you already remembered it for at least a few days just by reading it now)
    Changing passwords often = bad (because you make short ones to remember them, and after a while you start writing them down)
It's a bit of a myth that writing down the password is automatically bad. Most people inherently understand controlling access to information that is written down on a sheet of paper. They can fold it over to keep it hidden from prying eyes, they can tuck it away in their wallet/purse, or keep it in a locked box/drawer.
What you have to do is train them (a) not to put it somewhere silly like under the keyboard or in an open desk drawer and (b) that they are legally responsible if bad things happen due to the password leaking.

Steve Ronuken
Fuzzwork Enterprises
383
Posted - 2012.04.27 12:26:00 - [42]
Edit: ability to read = minimal
FuzzWork Enterprises http://www.fuzzwork.co.uk/
Blueprint calculator, invention chance calculator, isk/m3 Ore chart and other 'useful' utilities.

Barakach
R-ISK Shadow Operations.
60
Posted - 2012.04.27 12:38:00 - [43]
leviticus ander wrote:
    32 BYTE salt? Or 32 bit salt? 32 bytes would probably choke a lot of computers out there, and would cause the authentication server to hang itself. 32 bit, while decent, is a little weaker than I'd expect for anything decently modern; I would probably go with 56 or 64 bit, light enough for mass authentication, but strong enough to seriously deter most malicious users. And yeah, people clicking through warning boxes and generally being totally ignorant of the basic function of a computer is what's causing most issues today.
32 bytes is nothing. SHA512 has a performance of about 100MB/core. Assume 32 bytes for the password string (on the large end) and another 32 bytes for the salt; that's ~1.6mil hashed passwords per second, ignoring SHA512 object creation time.
Not only would your DB not be able to keep up, but a 10Gb link would have a hard time. Actually, most single cores cannot handle 10Gb/s of network stack. You would actually be spending more CPU time handling packets to feed the SHA512 than actually computing SHA512.
I admit that there are many other variables like allocating a buffer to store the concatenated salt+string and a myriad of many other things, but CPU time is not an issue.
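Scrapyard Bob's dictionary arithmetic (post 39) and Barakach's throughput figure just above can be combined into one estimator that turns a search space into bits and into worst-case years at a given guess rate. This is an added example, not either poster's code: the 100 MB/s per core and 64 bytes per guess (32-byte password plus 32-byte salt) are taken from the posts as assumptions, and the 90-symbol alphabet and 365.25-day year are constructed defaults.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def word_search_space(words: int, dictionary: int, capitalisation_bit: bool = False) -> int:
    """Candidates for a passphrase of `words` words drawn from a dictionary of
    `dictionary` entries; optionally one extra bit per word for whether the
    first letter is capitalised (the post's '+1 bit' remark)."""
    per_word = dictionary * 2 if capitalisation_bit else dictionary
    return per_word ** words


def char_search_space(length: int, alphabet: int = 90) -> int:
    """The 90^N figure the post warns against: only valid when every position
    is an independent random pick from the whole alphabet."""
    return alphabet ** length


def bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2)."""
    return math.log2(space)


def guesses_per_second(hash_throughput_bytes: float, bytes_per_guess: int) -> float:
    """Single-round hash rate implied by raw throughput: the post's 100 MB/s
    over 64 bytes (32-byte password + 32-byte salt) per guess."""
    return hash_throughput_bytes / bytes_per_guess


def years_to_exhaust(space: int, rate: float, cores: int = 1) -> float:
    """Worst case (the whole space) at `rate` guesses per second per core."""
    return space / (rate * cores) / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = guesses_per_second(100e6, 64)          # ~1.56 million guesses/s/core
    common = word_search_space(6, 15_000)         # six common words
    common_caps = word_search_space(6, 15_000, True)
    rare = word_search_space(6, 300_000)          # six words from the full list
    naive = char_search_space(22, 90)             # "MyHorseIsActuallyAPony" as 90^22
    for label, space in (("6 common words", common), ("+caps bit", common_caps),
                         ("6 any words", rare), ("90^22 (naive)", naive)):
        print(f"{label:>16}: {bits(space):6.1f} bits, "
              f"{years_to_exhaust(space, rate):.3g} years on one core")
```

The gap between the 90^22 line and the six-word lines is the post's point: length alone says nothing about search space unless each position is random.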

Jafit
Dreddit Test Alliance Please Ignore
107
Posted - 2012.04.27 15:44:00 - [44]
Francisco Bizzaro wrote:
    Hannott Thanos wrote:
        Jafit wrote:
            Hannott Thanos wrote:
                To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that.
            How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password? I'm not saying that's my password... ...I'm saying that's my password.
        4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right?
    No, you just have to apply a little AI. Just look at him: square jaw, crew cut, air force shades, Test. I would have guessed it on the third try.
I look like this in real life.
Check out this beta dude, I bet he doesn't even lift.

Mr Kidd
Center for Advanced Studies Gallente Federation
546
Posted - 2012.04.27 16:07:00 - [45]
CCP Sreegs wrote:
    This will be reviewed when we institute the two factor option in the next couple of months.
Is that the next couple of months this year or last year? Joking....I'll just assume you guys are working hard to get it going soon(tm).
We want breast augmentations and sluttier clothing in the NeX!

Zed Jackelope
The Generic Pirate Corporation Fusion.
5
Posted - 2012.04.27 23:27:00 - [46]
1. "What ifs". What if someone is able to get a copy of the used passwords, encrypted, and some breakthrough tomorrow allows them to be easily deciphered?
2. Re-use. I cannot say what others do, but I have separate sets of passwords for differing services. I use 'boogers' for pretty much any crap site I don't care about. Same with games, all my games use the same couple of passwords. However, it's my choice to use those same passwords. And as I feel I take enough care with my browsing not to get key logged, I feel there's absolutely no difference between reusing old passwords and someone's silly mention of stringing a couple of random words into a password that's never changed?
Taking 1 and 2 into account, with ALL your old EVE passwords saved... how many of you are screwed if tomorrow some magic fairy quantum computer dust allows some script kiddy to the list of every password everyone in EVE has ever used? Ever.
3. Password reset. It's annoying, but with 30 mackinaw accounts, eventually I do forget a password.. this just means I have to go through the whole retrieval process. And with this "added security enhancement", instead of simply cycling between 2+ passwords.. I have to make up and remember an entirely new one.
Conclusion: It's my account, my choice. You can warn the mouth breathing **** clickers all day, but if I choose of my own free will to reuse an old password, CCP shouldn't be stopping me, nor storing my old ones.
Just want to say EVER one more time.

Ai Shun
782
Posted - 2012.04.27 23:53:00 - [47]
Zed Jackelope wrote:
    how many of you are screwed if tomorrow some magic fairy quantum computer dust allows some script kiddy to the list of every password everyone in EVE has ever used? Ever.
About the same number that would be screwed when a psychic predicts our passwords. Maybe a bit more though.
EVE Ambulation and Avatars as a separate game - see here

Barakach
R-ISK Shadow Operations.
62
Posted - 2012.04.28 15:36:00 - [48]
Zed Jackelope wrote:
    how many of you are screwed if tomorrow some magic fairy quantum computer dust allows some script kiddy to the list of every password everyone in EVE has ever used
Might as well stop going to work to enjoy today, because an asteroid may hit tomorrow and kill everyone.
My post makes the assumption CCP is using industry standards.

Ntrails
Merch Industrial Goonswarm Federation
74
Posted - 2012.04.28 15:49:00 - [49]
Jonas Xiamon wrote:
    They're storing an encrypted version of your password, which is virtually useless.
That is not at all true. The issue is that when someone has downloaded a database of salted and hashed passwords there are no limits to the brute force attacks they can use to get the original password - they can test hundreds of thousands of combinations a minute with a decent computer setup.

Nariya Kentaya
Tartarus Ventures Surely You're Joking
179
Posted - 2012.04.28 16:54:00 - [50]
Scrapyard Bob wrote:
    Hannott Thanos wrote:
        l2F¤siQa = bad password (because you have to write it down, and it's too few characters)
        MyHorseIsActuallyAPony = retardedly good password (long and makes no sense, so not in a dictionary, and you already remembered it for at least a few days just by reading it now)
        Changing passwords often = bad (because you make short ones to remember them, and after a while you start writing them down)
    It's a bit of a myth that writing down the password is automatically bad. Most people inherently understand controlling access to information that is written down on a sheet of paper. They can fold it over to keep it hidden from prying eyes, they can tuck it away in their wallet/purse, or keep it in a locked box/drawer. What you have to do is train them (a) not to put it somewhere silly like under the keyboard or in an open desk drawer and (b) that they are legally responsible if bad things happen due to the password leaking.
All of my passwords are written in a tiny notebook with a lock on it. I keep the key around my neck and the notebook in the bottom of my gun holster, so yeah, getting my passwords would require a fight.

Altair Raja
Colonial Marines EVE Division Villore Accords
3
Posted - 2012.04.28 19:00:00 - [51]
Well, I remember when you could have anything for a password as long as it was 5+ long...
For a good long while after the password settings changed I kept my old simple one, since even my ID is different from any other game I play.
Also, non-English passwords ftw! Then no one can guess them, lol
AFK cloaking doesn't earn anything, so it needs a buff!

Ranger 1
Ranger Corp
1691
Posted - 2012.04.28 19:46:00 - [52]
Security procedures for any online company are a serious issue, and responsibility.
Asking them to make their service less secure for your personal convenience is likely not going to happen.
Asking for a more convenient option that is as secure or even more so would be seriously considered.
Taking advice from people basing their information on hearsay, urban myth, or purely personal preference on security issues is generally a bad idea.
When I check troll in the dictionary, it has a photoshopped picture of you standing somewhere in the vicinity of a point.
Also, I can kill you with my brain.

Tau Cabalander
Retirement Retreat Working Stiffs
654
Posted - 2012.04.28 21:23:00 - [53]
Password Safe (Free & Open Source) http://sourceforge.net/projects/passwordsafe/

leviticus ander
CATO.nss
149
Posted - 2012.04.28 21:26:00 - [54]
Safer than that would be to just create an encrypted .txt file. Since at least that way, you know that the program accessing it doesn't have any kind of access to the internet.

Mario MacGruber
State War Academy Caldari State
4
Posted - 2012.04.28 21:47:00 - [55]
CCP Sreegs wrote:
    This will be reviewed when we institute the two factor option in the next couple of months.
Will there be 2 factor clients for Android, iPhone and Windows mobile similar to Battle.net and Google Authenticator?

CCP Sreegs
C C P C C P Alliance
1278

Posted - 2012.04.29 00:58:00 - [56]
Mario MacGruber wrote:
    CCP Sreegs wrote:
        This will be reviewed when we institute the two factor option in the next couple of months.
    Will there be 2 factor clients for Android, iPhone and Windows mobile similar to Battle.net and Google Authenticator?
There will be what is there when we can say it is :)
Internet Security Experts are the new Internet Lawyers. I'm not sure how I feel about that yet. "Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

leviticus ander
CATO.nss
149
Posted - 2012.04.29 01:59:00 - [57]
CCP Sreegs wrote:
    Mario MacGruber wrote:
        CCP Sreegs wrote:
            This will be reviewed when we institute the two factor option in the next couple of months.
        Will there be 2 factor clients for Android, iPhone and Windows mobile similar to Battle.net and Google Authenticator?
    There will be what is there when we can say it is :) Internet Security Experts are the new Internet Lawyers. I'm not sure how I feel about that yet.
It'll definitely be nice when you guys get that implemented. And technically I am an internet security expert, I'm currently training for the CERT ethical hacker exam.

Scrapyard Bob
EVE University Ivy League
899
Posted - 2012.04.29 21:55:00 - [58]
leviticus ander wrote:
    Safer than that would be to just create an encrypted .txt file. Since at least that way, you know that the program accessing it doesn't have any kind of access to the internet.
That's the method I use. Regular text files, where the contents are a GPG/PGP encrypted ASCII text block. One file per site or account.
The primary advantages:
- As long as I don't lose my GPG keys, I'm in pretty good shape.
- Since they are ASCII armored text blocks, they can be printed / faxed / emailed / OCR'd.
- Backups are dead simple (email a copy to yourself, stuff it in a version control system, etc).
- When I decrypt a particular file to get at a password, it only exposes a single account at a time.
The main downside:
- I'm relying on nobody ever stealing my GPG/PGP key and guessing my (lengthy) passphrase.
(But that's the same issue with letting Firefox remember your passwords, using a master passphrase. So it's a bit of a wash.)

leviticus ander
CATO.nss
149
Posted - 2012.04.29 23:40:00 - [59]
Scrapyard Bob wrote:
    leviticus ander wrote:
        Safer than that would be to just create an encrypted .txt file. Since at least that way, you know that the program accessing it doesn't have any kind of access to the internet.
    That's the method I use. Regular text files, where the contents are a GPG/PGP encrypted ASCII text block. One file per site or account.
    The primary advantages:
    - As long as I don't lose my GPG keys, I'm in pretty good shape.
    - Since they are ASCII armored text blocks, they can be printed / faxed / emailed / OCR'd.
    - Backups are dead simple (email a copy to yourself, stuff it in a version control system, etc).
    - When I decrypt a particular file to get at a password, it only exposes a single account at a time.
    The main downside:
    - I'm relying on nobody ever stealing my GPG/PGP key and guessing my (lengthy) passphrase.
    (But that's the same issue with letting Firefox remember your passwords, using a master passphrase. So it's a bit of a wash.)
Or you could do what I'm doing, and write your own encryption/decryption software. If it's only you that's going to be using the files, it doesn't matter if you are using an industry standard encryption protocol or not.

Caha Evano
Victory of Samothrace
1
Posted - 2012.04.30 01:33:00 - [60]
For anyone wanting to make a strong password, I suggest you read through this password haystacks webpage. Additionally I suggest using a mnemonic, such as "My very educated mother just sewed us new pants." Obviously Pluto is sad now. Either way, to use one in everyday life, just use what is in it or something you like. For example "Audrey Hepburn is the most elegant Woman I have ever seen." So this becomes "AHitmeWIhes"; as you can see, the capital letters are in a logical manner to help remember where they are. Now you need numbers; well, 4/5/1929 is her birthday. And so we will go with "529," the month and year she was born. Now we need two or three symbols, and these vary depending on the site/program, but EVE allows almost all of them or at least the least common ones, so little issue there. So let us choose our symbols, and they can be "$" "{" and "}". Let's take all of them together, now.
AHitmeWIhes529${}
and this can become Am{529}eWs$
But we are not done yet, as we don't want to come up with say fifty mnemonics, so we differentiate based on site. So how for EVE? Well, it can be Evil people who take my money, or "Ep".
Thus our final password can look something like this: "Am{E529p}eWs$", so you now have a thirteen character password, with capital and lowercase letters, three numbers, and three symbols, that is the same for all your sites except for two unique characters before and after "529."
Now saying this is as simple as "Audrey most {Evil 529 people } elegant Woman seen $".
If you use the above password for anything, um, just wait a few years to do so.
I must admit I only read the first page about people complaining about the password requirements, and well, this addresses that.