Zurrar
Gallente Epiphyte Mining and Exploration Majesta Empire
|
Posted - 2009.08.30 00:42:00 -
[1]
Well, reading that one guy's post about being hacked after he sold/bought a toon.
Let me say this- If you are going to buy a character, you are required to give your account name over so the seller can transfer the account (if memory serves me right).
What this does is enables someone to do a dictionary/brute force attack that quickly enters words from a notepad file.
IF you sell a character, change your password to a randomly generated password.
IMO if you don't know what to do, first 2 of your first name, last 2 of your last, and the last 6 of your social/citizen id will work wonderfully to prevent brute force attacks.
IF there has been a change in the releasing of account names to sell a character let me know and I'll edit out this post.
|
Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2009.08.30 00:44:00 -
[2]
Don't you give them a character on the account's name and not an account name?
_____________________________________
Haruhiist since December 2008
Originally by: CCP Fallout :facepalm:
|
Lance Fighter
Amarr
|
Posted - 2009.08.30 00:46:00 -
[3]
Originally by: Zurrar
What this does is enables someone to do a dictionary/brute force attack that quickly enters words from a notepad file.
Welcome to your standard dictionary attack? I don't get it.
Step 1 - Go to random.org
Step 2 - Go to string generator
Step 3 - Click the checkboxes
Step 4 - Pick one of the choices.
The ones it gave me were: 7LAHP4uoKe ePGQ8m2RdN 43AipVI6zz 1iP5qFIiCx uDz93wkbM2 eylYqb0mDA uE22oVTg1r 5LjOtUIYdI fx6AjLFFd1 8eM2Q1R7jX
Not that I'm using any of those, but that's an idea at least. From there, keep it on a txt file on your desktop, or, like I did, memorize it. Takes a little time, but is ultimately worth it.
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
Khemul Zula
Amarr Keisen Trade League
|
Posted - 2009.08.30 00:57:00 -
[4]
Best random password generator...take a keyboard and a ferret. Get the ferret really really really hyper (this requires absolutely no effort) and drop it on the keyboard. Instant random password.
|
Jinx Barker
Caldari GFB Scientific
|
Posted - 2009.08.30 02:07:00 -
[5]
A password of 27-35 characters long, a phrase, with some inserted numbers and characters works best. My password is 45 characters long, and I doubt very much it could get broken in any reasonable amount of time by a brute force attack.
|
Agent Known
Apotheosis of Virtue
|
Posted - 2009.08.30 02:15:00 -
[6]
Originally by: Khemul Zula
Best random password generator...take a keyboard and a ferret. Get the ferret really really really hyper (this requires absolutely no effort) and drop it on the keyboard. Instant random password.
This IMO.
Brute force crackers have a lot of difficulty cracking passwords with special characters (which make dictionary attacks useless) because it expands the possibilities so much. Use them. A password that you know and is secure is better than a randomly generated password most of the time....but I guess that depends. Also, with the random passwords you have to keep it stored someplace...and don't say "store it in a password manager" because those require a master password...which would be its weakness. Writing it down exposes the password to other people if they find it...and storing it plaintext obviously defeats the purpose. So...make a password you know, and mix in characters like $ ^ & % ; [ ] ' / ? into them. Some sites don't allow this, but I think EVE does...
|
Lance Fighter
Amarr
|
Posted - 2009.08.30 02:18:00 -
[7]
Originally by: Agent Known
Originally by: Khemul Zula
Best random password generator...take a keyboard and a ferret. Get the ferret really really really hyper (this requires absolutely no effort) and drop it on the keyboard. Instant random password.
This IMO.
Brute force crackers have a lot of difficulty cracking passwords with special characters (which make dictionary attacks useless) because it expands the possibilities so much. Use them. A password that you know and is secure is better than a randomly generated password most of the time....but I guess that depends. Also, with the random passwords you have to keep it stored someplace...and don't say "store it in a password manager" because those require a master password...which would be its weakness. Writing it down exposes the password to other people if they find it...and storing it plaintext obviously defeats the purpose. So...make a password you know, and mix in characters like $ ^ & % ; [ ] ' / ? into them. Some sites don't allow this, but I think EVE does...
I routinely memorize a password to something important, even if it's 10, 12, 16 characters long. It only takes a half hour or so, and if it really is important, it is well worth the time.
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
Kaahles
E3 Corporation
|
Posted - 2009.08.30 02:27:00 -
[8]
Randomized passwords, especially the ones with special characters, are still the best ones but if you use them still have in mind that with time and enough effort any password can be brute forced or hacked some other way sooner or later (in most cases later… very much later) but you should still change them on a regular basis.
Btw I personally do not save them in a .txt file because if my PC should get infested with a Trojan without me noticing it (very unlikely but still, there is no 100% security if you’re hooked up to the internet) the ebil guy gets your passes way too easy for my taste but there are ways to encrypt them too. The two most popular ways I know about are either to use TrueCrypt or KeePass for encryption (both are freeware/open source)
----------------------------- OMG THE SKY IS FALLING! Contract me all your stuff so I can save it! |
Shirley Serious
Amarr The Khanid Sisters of Athra
|
Posted - 2009.08.30 02:57:00 -
[9]
Originally by: Blane Xero
Don't you give them a character on the accounts name and not an account name?
the account services menu asks for an account name for character transfers. Which means your account name which you cannot change is now compromised. A poor password that can be quickly found then allows the account to be stolen.
which is odd in a way, since doesn't the eula say you must not give out your account name? So anyone who's ever received a character should technically be banned?
That service needs to change, or character transfers disabled entirely, while this wave of attacks continues.
Yes. Yes, I am. |
Lance Fighter
Amarr
|
Posted - 2009.08.30 03:09:00 -
[10]
Originally by: Shirley Serious
Originally by: Blane Xero
Don't you give them a character on the accounts name and not an account name?
the account services menu asks for an account name for character transfers. Which means your account name which you cannot change is now compromised. A poor password that can be quickly found then allows the account to be stolen.
which is odd in a way, since doesn't the eula say you must not give out your account name? So anyone who's ever received a character should technically be banned?
That service needs to change, or character transfers disabled entirely, while this wave of attacks continues.
I am of a mind to instead of asking for login name, you ask for a unique identifier that the receiver and you both must have the same. It might only be 5 or 6 characters long, but that's enough to not need an account name. Or perhaps instead, request an api key of the receiving party?
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
|
Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2009.08.30 03:13:00 -
[11]
Originally by: Lance Fighter
Originally by: Shirley Serious
Originally by: Blane Xero
Don't you give them a character on the accounts name and not an account name?
the account services menu asks for an account name for character transfers. Which means your account name which you cannot change is now compromised. A poor password that can be quickly found then allows the account to be stolen.
which is odd in a way, since doesn't the eula say you must not give out your account name? So anyone who's ever received a character should technically be banned?
That service needs to change, or character transfers disabled entirely, while this wave of attacks continues.
I am of a mind to instead of asking for login name, you ask for a unique identifier that the receiver and you both must have the same. It might only be 5 or 6 characters long, but that's enough to not need an account name. Or perhaps instead, request an api key of the receiving party?
Or just use a Character on the existing account's name like with GTC sales.
_____________________________________
Haruhiist since December 2008
Originally by: CCP Fallout :facepalm:
|
Lance Fighter
Amarr
|
Posted - 2009.08.30 03:19:00 -
[12]
Originally by: Blane Xero
Originally by: Lance Fighter
Originally by: Shirley Serious
Originally by: Blane Xero
Don't you give them a character on the accounts name and not an account name?
the account services menu asks for an account name for character transfers. Which means your account name which you cannot change is now compromised. A poor password that can be quickly found then allows the account to be stolen.
which is odd in a way, since doesn't the eula say you must not give out your account name? So anyone who's ever received a character should technically be banned?
That service needs to change, or character transfers disabled entirely, while this wave of attacks continues.
I am of a mind to instead of asking for login name, you ask for a unique identifier that the receiver and you both must have the same. It might only be 5 or 6 characters long, but that's enough to not need an account name. Or perhaps instead, request an api key of the receiving party?
Or just use a Character on the existing accounts name like with GTC sales.
nahhh too easy.
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
Banana Torres
The Green Banana Corporation
|
Posted - 2009.08.30 03:40:00 -
[13]
I like the logic, to prevent a brute force attack on your password change it.
Except, of course, you don't know if your new password is actually more susceptible to a brute force attack than your original password or not.
|
Lance Fighter
Amarr
|
Posted - 2009.08.30 04:01:00 -
[14]
Originally by: Banana Torres
I like the logic, to prevent a brute force attack on your password change it.
Except, of course, you don't know if your new password is actually more susceptible to a brute force attack than your original password or not.
Sure, if you change it to something silly like 'apple', you're just asking to get hacked. If you go for something a bit less silly, like zero, they'd have to work their way through the entire alphabet to get to you
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
El'Niaga
Minmatar Republic Military School
|
Posted - 2009.08.30 04:04:00 -
[15]
Originally by: Lance Fighter
Originally by: Banana Torres
I like the logic, to prevent a brute force attack on your password change it.
Except, of course, you don't know if your new password is actually more susceptible to a brute force attack than your original password or not.
Sure, if you change it to something silly like 'apple', you're just asking to get hacked. If you go for something a bit less silly, like zero, they'd have to work their way through the entire alphabet to get to you
Length is more important than content when making a password to defeat brute force. The longer the password the longer it takes to break it and the more apt the hacker will move on. Regularly changing passwords is also a good idea. For the truly paranoid at least once a week, moderately paranoid once a month, slightly paranoid once a quarter, and at the very least once every 6 months.
|
Lance Fighter
Amarr
|
Posted - 2009.08.30 04:09:00 -
[16]
Originally by: El'Niaga
Originally by: Lance Fighter
Originally by: Banana Torres
I like the logic, to prevent a brute force attack on your password change it.
Except, of course, you don't know if your new password is actually more susceptible to a brute force attack than your original password or not.
Sure, if you change it to something silly like 'apple', you're just asking to get hacked. If you go for something a bit less silly, like zero, they'd have to work their way through the entire alphabet to get to you
Length is more important than content when making a password to defeat brute force. The longer the password the longer it takes to break it and the more apt the hacker will move on. Regularly changing passwords is also a good idea. For the truly paranoid at least once a week, moderately paranoid once a month, slightly paranoid once a quarter, and at the very least once every 6 months.
brute force != dictionary attack
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
Washell Olivaw
|
Posted - 2009.08.30 04:13:00 -
[17]
Does the EVE server actually allow a brute force attack or does it flag/temp ban the account after a dozen tries?
It's one of the easiest things to block server side and I can't imagine CCP isn't countering it.
Originally by: Signature Everybody has a photographic memory, some people just don't have film.
|
El'Niaga
Minmatar Republic Military School
|
Posted - 2009.08.30 04:17:00 -
[18]
Originally by: Washell Olivaw
Does the EVE server actually allow a brute force attack or does it flag/temp ban the account after a dozen tries?
It's one of the easiest things to block server side and I can't imagine CCP isn't countering it.
Have no idea really :(
|
Saint Lazarus
Spiorad ag fanaiocht
|
Posted - 2009.08.30 04:21:00 -
[19]
Originally by: Washell Olivaw
Does the EVE server actually allow a brute force attack or does it flag/temp ban the account after a dozen tries?
It's one of the easiest things to block server side and I can't imagine CCP isn't countering it.
I would have assumed it does. Seems silly not to, someone can typo their password once or twice but after the 15th attempt in under a minute something's not right
And man there's some paranoid EvE players, security is one thing but a completely random 16 character long string? Seems excessive to me. I just use a keyword+random date, changing both regularly. Hard to guess and easy to remember
RAWR -----------------
My EvE Comic
|
Washell Olivaw
|
Posted - 2009.08.30 04:26:00 -
[20]
Originally by: Saint Lazarus
I would have assumed it does. Seems silly not to, someone can typo their password once or twice but after the 15th attempt in under a minute something's not right
Indeed, don't even have to block or temp ban it, just disallow more than 3 tries a minute and you're suddenly looking at a hacktime in the tens of thousands of years for all 4 to 6 character letter/number/symbol combinations.
Originally by: Signature Everybody has a photographic memory, some people just don't have film.
|
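The throttle Washell Olivaw and Saint Lazarus describe above, as an added Python example that is not part of any post in the thread: a per-account sliding-window limit of 3 attempts a minute, plus the arithmetic for how long exhausting a candidate list takes at that rate. The 62-character alphabet, the 10,000-word list size and the account name are constructed assumptions.

```python
from collections import defaultdict, deque

MINUTES_PER_YEAR = 60 * 24 * 365


class LoginThrottle:
    """Sliding window: at most max_attempts password checks per window_s per account."""

    def __init__(self, max_attempts=3, window_s=60.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._accepted = defaultdict(deque)  # account -> times of attempts let through

    def allow(self, account, now):
        """Return True if this attempt may reach the password check."""
        times = self._accepted[account]
        # Forget attempts that have aged out of the window.
        while times and now - times[0] >= self.window_s:
            times.popleft()
        if len(times) >= self.max_attempts:
            return False  # rejected before any password comparison happens
        times.append(now)
        return True


def simulate(throttle, account, guesses, interval_s):
    """Count how many of `guesses` attempts, spaced interval_s apart, get through."""
    return sum(throttle.allow(account, i * interval_s) for i in range(guesses))


def keyspace(alphabet_size, min_len, max_len):
    """Number of strings of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates, attempts_per_minute=3):
    """Worst-case time to try every candidate at the throttled rate."""
    return candidates / attempts_per_minute / MINUTES_PER_YEAR


if __name__ == "__main__":
    # 15 attempts in under a minute against one (constructed) account name.
    passed = simulate(LoginThrottle(), "constructed-account", 15, 4.0)
    print(f"attempts that reached the password check: {passed} of 15")

    # Assumption: letters and digits only, 62 symbols, lengths 4 to 6.
    brute = keyspace(62, 4, 6)
    print(f"4-6 char alphanumeric: {brute:,} candidates, "
          f"{years_to_exhaust(brute):,.0f} years at 3/min")

    # Assumption: a 10,000-entry word list.
    print(f"10,000-word list: {years_to_exhaust(10_000) * 365:.1f} days at 3/min")
```

At 3 tries a minute the 4 to 6 character alphanumeric space takes roughly 36,600 years to exhaust, while a 10,000-word list is finished in about 2.3 days, so the throttle protects only passwords that are not on a short guess list.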
|
Kara Sharalien
|
Posted - 2009.08.30 04:53:00 -
[21]
Originally by: Khemul Zula
Best random password generator...take a keyboard and a ferret. Get the ferret really really really hyper (this requires absolutely no effort) and drop it on the keyboard. Instant random password.
not completely. the size of a ferret and the distance between its legs would be similar over the whole of the ferret population.
by analyzing the average ferret Vs the average keyboard, it would be easy to write a brute force cracker designed specifically to beat your ferret-generated passwords.
|
Lance Fighter
Amarr
|
Posted - 2009.08.30 06:19:00 -
[22]
Originally by: Kara Sharalien
Originally by: Khemul Zula
Best random password generator...take a keyboard and a ferret. Get the ferret really really really hyper (this requires absolutely no effort) and drop it on the keyboard. Instant random password.
not completely. the size of a ferret and the distance between its legs would be similar over the whole of the ferret population.
by analyzing the average ferret Vs the average keyboard, it would be easy to write a brute force cracker designed specifically to beat your ferret-generated passwords.
well, if you can write one, you'll have tons of accounts, assuming you can randomly guess their account names
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
Zeba
Minmatar Honourable East India Trading Company
|
Posted - 2009.08.30 06:39:00 -
[23]
Seems to me the user id from the api key would be the thing to use for character transfers. It's linked to the account, cannot be used to hack it and good luck figuring out the api key to go with the user id to snoop the account info.
Quote: [03:39:05] Emperor Salazar > HOLY **** ITS ZEBA [03:39:20] Emperor Salazar > NEVER STOP POASTING
Zeba is the BEST! ~Mitnal |
Lance Fighter
Amarr
|
Posted - 2009.08.30 06:44:00 -
[24]
Originally by: Zeba
Seems to me the user id from the api key would be the thing to use for character transfers. It's linked to the account, cannot be used to hack it and good luck figuring out the api key to go with the user id to snoop the account info.
didn't even think of that, I forgot the user id is unique per account
* Please use signatures that are EVE-related and do not discuss moderation - Fallout
|
Furb Killer
Gallente
|
Posted - 2009.08.30 07:14:00 -
[25]
Even with a dictionary attack against someone who has an easy password, like apple, it takes many attempts before they got it (just check your own dictionary, and then the attacker must hope the password is English and actually a normal word, even if it is a normal word the first letter might be a capital, might be name of their pet ferret, etc). Dictionary attack will do fine against an encrypted word document, but considering that CCP would be pretty stupid if you could make 1000 login attempts in 10 minutes, I wouldn't worry too much about it.
|
The AEther
Caldari Perkone
|
Posted - 2009.08.30 07:38:00 -
[26]
Originally by: Khemul Zula
Best random password generator...take a keyboard and a ferret. Get the ferret really really really hyper (this requires absolutely no effort) and drop it on the keyboard. Instant random password.
alternatively if you have a cat give it some valerian pills, will work to the same end
Link to PVP University |
LaVista Vista
Conservative Shenanigans Party
|
Posted - 2009.08.30 07:41:00 -
[27]
Or just use a Yubikey.
|
Schalac
Caldari Apocalypse Reign
|
Posted - 2009.08.30 08:11:00 -
[28]
Did you ever see a live ferret in a lit grill? I have and god damned if it isn't funny as hell.
And no, don't call PETA on me because we didn't intend for the grill to be lit when we put Scraps in there. We just planned on keeping him there for a few minutes while we went and gathered some items from a neighbors house and mom came out and started the grill for dinner not knowing Scraps was in there.
Still, it was damned funny when the grill started bouncing and a singed ferret jumped out of it. SCHALAC HAS SPOKEN |
rubico1337
Caldari Mnemonic Enterprises
|
Posted - 2009.08.30 08:12:00 -
[29]
Originally by: Kara Sharalien
Originally by: Khemul Zula
Best random password generator...take a keyboard and a ferret. Get the ferret really really really hyper (this requires absolutely no effort) and drop it on the keyboard. Instant random password.
not completely. the size of a ferret and the distance between its legs would be similar over the whole of the ferret population.
by analyzing the average ferret Vs the average keyboard, it would be easy to write a brute force cracker designed specifically to beat your ferret-generated passwords.
african or european ferret?
Originally by: Lana Torrin
I'm getting pretty ****ed off with the supposedly hard core PvPers complaining about every little thing that gets changed. seriously, more tears than carebears.
|
Akita T
Caldari Caldari Navy Volunteer Task Force
|
Posted - 2009.08.30 08:29:00 -
[30]
As long as people keep using passwords like "banana" or "oldbanana" instead of at least using "BanaNa" or "1Banana2" or "OneReallyOldBananaOrWasIt2" (which is still a relatively weak password compared to what else you can pull off)... meh... what can I say? I mean... you could have a password in the style of "IrHvdEmn's2 IrHvdEmn's2" (I really HATE vicious dogs ESPECIALLY my neighbour's two... TWICE!) which is not THAT hard to remember, but a pain in the posterior to crack compared to those above.
_
Info about our corp | Beginer's ISK making guide | Manufacturer's helper |