Pages: 1 [2] 3
Aineko Macx
|
Posted - 2010.03.10 08:38:00 -
[31]
Originally by: Jimmae
Originally by: RedClaws I've always been a bit confused about those authentication keys.
Why do I need a physical thing to generate this extra password? Why can't it be a site you go to?
Those tokens contain a predictable salt-based random number generator. The authentication server knows the salt and can at any given time predict the code a token generates.
There are also challenge-response based tokens.
Those are also based on a secret key known only to the server and your token. The server sends you a random number which you have to input into the token. A response is computed using both input and secret as parameters. The answer is sent back to the server, which can repeat the computation and compare results and thus confirm that you are in possession of the token.
If the token is pluggable (not requiring user interaction), there are additional security issues, because if your machine is compromised, a hacker could simply redirect the challenge to your token live and use the response to log in on another machine. There are ways to solve this too, but it gets more complex with each layer of additional protection...
|
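The two token designs Aineko Macx describes above, as an added example that is not part of the thread or of any CCP system. The "predictable random number generator seeded with a secret the server also knows" is, in its standard form, HOTP (RFC 4226): an HMAC over a counter, truncated to six digits. The challenge-response token is an HMAC over a server-chosen nonce. Both sides of each exchange are shown; the key, counters and window size are illustrative assumptions. The relay problem of the last paragraph (malware forwarding a live challenge to a pluggable token) is not solved by either design alone; the code below only refuses to accept the same challenge or the same counter value twice, which stops replay but not a live relay.

```python
"""Added example (not from the thread): verifying an OTP token and a
challenge-response token from a shared secret, using only the standard library.

  - hotp / HotpVerifier: counter-based OTP as in RFC 4226. The server keeps the
    last accepted counter and a small look-ahead window, and never accepts a
    counter value twice (so a captured code cannot be replayed).
  - challenge_response / ChallengeResponseVerifier: the server issues a random
    challenge, the token returns HMAC(secret, challenge), and the server only
    accepts responses to challenges it issued and has not yet consumed.

The secret below is the RFC 4226 test key; the window size is an assumption.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced mod 10**digits.
    This is what the token computes on each button press."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of HOTP for one account."""

    def __init__(self, key: bytes, window: int = 5):
        self.key = key
        self.counter = 0        # next counter value the server expects
        self.window = window    # how many skipped presses are tolerated

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1   # consume this and every earlier value
                return True
        return False


def challenge_response(key: bytes, challenge: bytes) -> str:
    """What the token computes: HMAC-SHA256 over the server's challenge,
    shortened to 16 hex characters for typing."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:16]


class ChallengeResponseVerifier:
    """Server side: issues fresh challenges and accepts each at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def new_challenge(self) -> bytes:
        ch = secrets.token_bytes(8)
        self.outstanding.add(ch)
        return ch

    def verify(self, challenge: bytes, response: str) -> bool:
        if challenge not in self.outstanding:
            return False           # never issued, or already used: replay refused
        self.outstanding.discard(challenge)
        return hmac.compare_digest(challenge_response(self.key, challenge), response)


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226 test key, not a real secret
    server = HotpVerifier(key)
    print("token shows", hotp(key, 0), "-> accepted:", server.verify(hotp(key, 0)))
    print("same code again -> accepted:", server.verify(hotp(key, 0)))
    cr = ChallengeResponseVerifier(key)
    ch = cr.new_challenge()
    print("challenge", ch.hex(), "response", challenge_response(key, ch),
          "-> accepted:", cr.verify(ch, challenge_response(key, ch)))
```

Two design points worth noting: the look-ahead window is what keeps the token usable when a generated code never reaches the server, and the compare-digest calls avoid leaking which digit mismatched through timing. Neither scheme helps once the machine that forwards the challenge is hostile, which is the case Aineko raises for pluggable tokens; requiring a physical button press per response is the usual first mitigation.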
Herio Mortis
Dark Nebula Academy O X I D E
|
Posted - 2010.03.10 09:06:00 -
[32]
Yet another voice for authenticators.
There is also the option of mobile phone software authenticators, which should be a low cost option.
|
RedClaws
Amarr Dragon's Rage E C L I P S E
|
Posted - 2010.03.10 09:22:00 -
[33]
Edited by: RedClaws on 10/03/2010 09:22:05
What about a mobile phone application? Wouldn't that work as an authenticator? It's just code right, no special hardware required?
The biggest issue is the fact that you'll need to buy and transport an authenticator, which will probably cost you around 15€. If the cost is removed I don't see what could be stopping CCP from supporting this.
Edit: oh lol previous post already mentioned mobile apps.
|
Vadimik
Gallente
|
Posted - 2010.03.10 09:40:00 -
[34]
Being a person that actually uses a different pair of login/password for every account I have (yes, that includes gaming accounts, forum accounts, all of them) and having dozens of accounts, I can only confess that a "16 characters with a mix of lower case, capitals and numbers" isn't exactly something I can remember a few dozen of.
Plus, I can't stress enough that it's the weakest link in the chain that is of most concern. And that link being (quite likely) the e-mail account. Once that one is hacked, you can just request a password for all of the linked accounts, no matter if those passwords were "qwerty123" or a "32-characters string with special symbols".
Though hardware authenticators would be a nice touch indeed. Solves the problem of e-mail hacking (if implemented correctly) in a way, too.
|
Wod
Gallente Fallen Pandas
|
Posted - 2010.03.10 10:09:00 -
[35]
So after reading the blog I decided it was time to change passwords for my 3 accounts. To my surprise when I had changed to new passwords none of them worked.
Petition sent and waiting for an answer.
"* CCP Tuxford can no longer shut down TQ on a whim."
|
Trancefo Delcroix
|
Posted - 2010.03.10 10:42:00 -
[36]
Just a suggestion; perhaps having to log on twice (with 2 passwords) could reduce the problem a lot without much work to implement it...
|
Destination SkillQueue
Are We There Yet
|
Posted - 2010.03.10 11:17:00 -
[37]
Originally by: Trancefo Delcroix
Just a suggestion; perhaps having to log on twice (with 2 passwords) could reduce the problem a lot without much work to implement it...
There isn't really any point doing that. A single good password, that only you know and don't use anywhere else will achieve the same benefits. You can do that without any cost on your own. Implementing an authenticator system is a much better option, if you want to get added security for your account.
|
Gravecall
|
Posted - 2010.03.10 11:49:00 -
[38]
I'd be another fan of the idea of being able to buy a random code generator or USB key that you can connect to your account so it's needed to log in, but as I indicated in the other recent blog discussion I'd like it if we could just use the one for all our eve-online accounts, rather than one per account.
|
Nidia Masters
Noir. Noir. Mercenary Group
|
Posted - 2010.03.10 12:21:00 -
[39]
Thanks for reminding us to change passwords, CCP.
Before downtime I decided it was time I redid mine, now basically I can't log into my alt account because no matter what I set the password to, it's invalid, I have to reset the password just to be able to access my own account.
This going to get fixed soon?
|
Yakia TovilToba
Halliburton Inc.
|
Posted - 2010.03.10 12:27:00 -
[40]
A lot of the malware on the Internet specifically targets gamer accounts. RMT in online gaming is a huge racket - your login details are a valuable commodity and the pitfalls are many. Keyloggers and trojans - all geared towards the destruction of your accounts lay in wait, poised to strike when you open that file or go to that website. Phishing schemes abound and social engineering is rife, on an Internet that often seems without law or consequence. One cannot be too careful - it's not paranoia when they're really out to get you.
If the world is so dangerous, why don't you increase the account security? You know exactly that a (rather high) percentage of players won't do the steps you've listed and will get hacked anyway. Or will get hacked despite those steps because some new hacking methods come along. Why not offer (for an extra rl-$-fee) a security level that is used in online banking (transaction numbers for each transaction, where the list [containing hundreds of numbers] is shipped by mail), which we could use for the login process?
|
Skyrape
|
Posted - 2010.03.10 13:03:00 -
[41]
"The cost in resources is high for Customer Support, with highly trained and experienced GMs working almost exclusively..."
Really? Highly trained and experienced?
And I was under the impression that all GMs are some ******s who can only copy-paste the same dull annoying reply every time you ask them a question or petition about an issue. Even when game DEVELOPERS agree on bugs and issues, GMs still post the same insipid replies.
|
Salyan
|
Posted - 2010.03.10 13:05:00 -
[42]
Originally by: Wod So after reading the blog I decided it was time to change passwords for my 3 accounts. To my surprise when I had changed to new passwords none of them worked.
Petition sent and waiting for an answer.
Also having this problem... even copy/pasting into change password fields to ensure no typos does not work... Old password, new password, both no go.
Now currently using the forgot password password, which was sent by e-mail :( Petition sent.
|
NeoFusion
Caldari Freelancer Union Unaffiliated
|
Posted - 2010.03.10 13:44:00 -
[43]
Originally by: Salyan
Originally by: Wod So after reading the blog I decided it was time to change passwords for my 3 accounts. To my surprise when I had changed to new passwords none of them worked.
Petition sent and waiting for an answer.
Also having this problem... even copy/pasting into change password fields to ensure no typos does not work... Old password, new password, both no go.
Now currently using the forgot password password, which was sent by e-mail :( Petition sent.
Same problem here too. Petitioned.
|
Louis deGuerre
Gallente Amicus Morte Void Alliance
|
Posted - 2010.03.10 14:00:00 -
[44]
Edited by: Louis deGuerre on 10/03/2010 14:00:00
Bummer guys, but the irony is delicious.
Guess I'll wait a bit before changing my pw.
There's some good stuff in that wiki!
/me votes for sms authentication.
Sol: A microwarp drive? In a battleship? Are you insane? They aren't built for this! Clear Skies - The Movie
|
Shandas
Gallente Garoun Investment Bank
|
Posted - 2010.03.10 14:03:00 -
[45]
How about another simple step?
Let people know when someone is trying to access their account and fails.
Toss them an email warning them. Let them know when they log in, '3 failed login attempts since (insert date).' This would allow people to take steps and change their password. It could even come with a warning telling the user it might be time to change their password and scan their computer.
What about allowing players to specify an IP that can access their account. Like 555.555.55.* or 555.555.*.* or even one static address. That would go a long way to helping prevent the hacking of accounts.
How about a few simple security measures from you guys, that really should be in place already, before you start anything large. I mean, you're how old and the only security you have is a user name and password... You guys are supposed to be cutting edge, the king of MMOs, show it and give us a few simple security measures.
A second password. Ability to restrict an IP range that can access an account. Show us if someone is trying to access our accounts and failing. (Might be nice to be able to give a GM a heads up if someone has been spamming your account to try to gain access to it.) And others that have been mentioned.
Start out small and simple then worry about large and complex.
I mean there is a lot of simple little things that could be added.
|
Amad Kadu
|
Posted - 2010.03.10 14:45:00 -
[46]
First to say: Nice Blog.
But there are a lot other options to increase acc-security.
For IP blocking an option would be nice. Every customer can say in his account settings if this is active or not. Disallow connection from IPs that are not in the same area of the world for 24h. When I log in at Berlin and 2h later someone from New York wants to log in this won't be possible. In most cases the hack will be from a different country than the customer.
And also add token authorization. We have used this within our company for years for all VPN connections and have had 0 security issues since then (several thousand users from all over the world). Man-in-the-middle hacks would still be possible but this needs some very encouraged attacks and several other preparations to be successful. Token and SMS token are still the safest ways that are still practicable with little effort.
I hate these comparisons but the Blizzard Authenticator is the best thing that they could add. And to give out software for smartphones and cell phones was their main coup. Everybody can secure his account (with an Android phone/iPhone and compatible even for free) and no more bad feelings when you have to use a public iCafe for a login during your holidays to "just check something".
So please, also add some technical barriers like IP blocking or some of the other nice ideas. Best add a token system - either hardware or software via cellphone/smartphone.
|
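The "Berlin now, New York two hours later" rule Amad Kadu proposes above, written out as a geo-velocity check; this is an added example, not from the thread and not anything CCP runs. Mapping an IP address to a location is assumed to have happened already (each login event carries a latitude and longitude), and all events, thresholds and the 50 km jitter allowance are constructed for illustration. Compared with a flat "different region for 24h" block, the check compares the implied travel speed between consecutive logins against what a person could physically manage.

```python
"""Added example (not from the thread): flag consecutive logins for one account
whose implied travel speed is physically implausible ("impossible travel").

Inputs are login events that already carry a geolocation; IP-to-location
lookup is out of scope. All sample events are constructed.
"""
import math

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
JITTER_KM = 50.0        # assumed geolocation error; moves this short are ignored


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(prev, cur, max_speed_kmh=MAX_SPEED_KMH, jitter_km=JITTER_KM):
    """prev/cur: dicts with 'ts' (epoch seconds), 'lat', 'lon'.
    Returns (flagged, implied_speed_kmh)."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if dist <= jitter_km:
        return False, 0.0                    # same place within lookup error
    hours = (cur["ts"] - prev["ts"]) / 3600.0
    if hours <= 0:
        return True, float("inf")            # two places at the same instant
    speed = dist / hours
    return speed > max_speed_kmh, speed


def scan(events, max_speed_kmh=MAX_SPEED_KMH):
    """Walk events per account in time order; return (account, ts, speed_kmh)
    for every login that is implausibly far from the previous one."""
    flagged = []
    last = {}
    for e in sorted(events, key=lambda e: (e["account"], e["ts"])):
        prev = last.get(e["account"])
        if prev is not None:
            hit, speed = impossible_travel(prev, e, max_speed_kmh)
            if hit:
                flagged.append((e["account"], e["ts"], round(speed)))
        last[e["account"]] = e
    return flagged


# Constructed sample logins (coordinates are the cities' approximate centres).
SAMPLE_EVENTS = [
    {"account": "dave",  "ts": 0,        "lat": 52.5200, "lon": 13.4050},   # Berlin
    {"account": "dave",  "ts": 2 * 3600, "lat": 40.7128, "lon": -74.0060},  # New York, 2h later
    {"account": "erin",  "ts": 0,        "lat": 52.5200, "lon": 13.4050},   # Berlin
    {"account": "erin",  "ts": 1 * 3600, "lat": 48.1370, "lon": 11.5750},   # Munich, 1h later
    {"account": "frank", "ts": 0,        "lat": 51.5074, "lon": -0.1278},   # London
    {"account": "frank", "ts": 9 * 3600, "lat": 40.7128, "lon": -74.0060},  # New York, 9h later
]

if __name__ == "__main__":
    for account, ts, speed in scan(SAMPLE_EVENTS):
        print(f"{account}: login at t={ts}s implies {speed} km/h since previous login")
```

Only "dave" is flagged (about 6,400 km in two hours); "frank" crossing the Atlantic in nine hours is ordinary air travel and passes. VPN exits, mobile carrier gateways and coarse geolocation databases all produce false positives, so a hit like this is better used to demand a second factor or an e-mail confirmation than to hard-block the session.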
1Of9
Gallente Evolution IT Alliance
|
Posted - 2010.03.10 15:00:00 -
[47]
@CCP: nice blog. However, there's a couple of security problems you need to address:
1) when transferring chars, we must give our USERNAME to someone we don't know. That is bad bad bad. Why don't you replace that with the API userid? I'm sure internally in your system you can convert the userid into user name and this will keep that vital info out of strangers' hands.
2) I tried to change my passwords today, and although in the account management page I can change the password and the site says password changed with success, I can't login using the new password nor the old password. The only password I can now use is the one generated using the recover password feature. Although I already petitioned, I'm stuck on using this 300 char long password. Please fix it asap!!!
|
Clueless Alt
|
Posted - 2010.03.10 16:37:00 -
[48]
Edited by: Clueless Alt on 10/03/2010 16:40:47
Different password for the website/forum and the account management/game would be cool too.
|
Yakumo Smith
Gallente No End To Infinity Fleetingly Finite
|
Posted - 2010.03.10 16:47:00 -
[49]
16 digit passwords are easy.
Snippets from your favourite song, TV adverts, books and posts.
As an example using the text above, first letter from each :-
16dpaeSfyfsTabap
Go with a system where you always convert a specific letter to a symbol or number and you can get :-
16dp@eSfyfsT@b@p
If you are worried about even forgetting your pass phrase, use objects around your house that aren't likely to change as a way to remind you.
2s0ssbsn2m@m is from 2 sets of speakers side by side next to my Acer monitor.
Slightly weaker (from people in your home) use the front cover of your favourite book or CD and leave it near your PC.
But like everyone says, a 256 digit password is useless if you let a key logger onto your computer.
I suppose this must be my sig. I'll do something cool with it eventually.
|
Dav Varan
|
Posted - 2010.03.10 17:04:00 -
[50]
Just curious on the steps you use to avoid brute force attacks.
If an IP address repeatedly sends incorrect username / password would it not be simpler to just ignore that IP for an hour or 2 even if it occasionally supplies correct log in details by chance?
Yes and if someone has a bot on their machine and they can't then log in to eve at all it's good because their machine is compromised anyway and at least then they'll know they have an issue that requires fixing.
|
TeaDaze
|
Posted - 2010.03.10 19:29:00 -
[51]
Originally by: Dav Varan Just curious on the steps you use to avoid brute force attacks.
If an IP address repeatedly sends incorrect username / password would it not be simpler to just ignore that IP for an hour or 2 even if it occasionally supplies correct log in details by chance?
You assume that the majority of attempts are from a few machines. Sadly this is another place where botnets (caused by people not protecting their own machines) get used, thus the login requests are from many hundreds if not thousands of machines.
We did discuss many things to improve the account security at the CSM summit, pretty much everything in this thread so far has already been discussed, but I don't know what will get added or when.
|
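The per-IP block Dav Varan suggests in [50], TeaDaze's botnet objection in [51], and Shandas's "N failed login attempts since your last login" warning in [45] all come down to how failed attempts are counted. The following is an added example, not from the thread and not CCP's login code, of a tracker that keeps both per-IP and per-account failure windows and shows why only the second one catches a distributed guessing campaign. Limits, window length, account names and IP addresses are constructed for illustration.

```python
"""Added example (not from the thread): counting failed logins per source IP
and per account in a sliding window, and reporting failures to the user.

  - A single-source brute force trips the per-IP limit.
  - A botnet spreading a few guesses over many IPs never trips it; only the
    per-account limit does.
  - On a successful login the user can be told how many attempts failed since
    their previous successful login and from which addresses.

All policy numbers, accounts and addresses are constructed, not CCP's.
"""
from collections import defaultdict, deque


class LoginThrottle:
    IP_LIMIT = 5          # failures per IP within WINDOW before that IP is refused
    ACCOUNT_LIMIT = 10    # failures per account within WINDOW before it is throttled
    WINDOW = 3600         # seconds

    def __init__(self):
        self.ip_failures = defaultdict(deque)        # ip -> failure timestamps
        self.account_failures = defaultdict(deque)   # account -> failure timestamps
        self.pending = defaultdict(list)             # account -> (ts, ip) since last success
        self.last_report = {}                        # account -> failures shown at next login

    def _recent(self, dq, now):
        """Drop entries older than WINDOW and return how many remain."""
        while dq and dq[0] <= now - self.WINDOW:
            dq.popleft()
        return len(dq)

    def attempt(self, account, ip, now, password_ok):
        """Returns 'ok', 'bad_password', 'blocked_ip' or 'throttled_account'."""
        if self._recent(self.ip_failures[ip], now) >= self.IP_LIMIT:
            return "blocked_ip"
        if self._recent(self.account_failures[account], now) >= self.ACCOUNT_LIMIT:
            return "throttled_account"
        if password_ok:
            self.last_report[account] = self.pending.pop(account, [])
            return "ok"
        self.ip_failures[ip].append(now)
        self.account_failures[account].append(now)
        self.pending[account].append((now, ip))
        return "bad_password"

    def login_report(self, account):
        """(failed attempts since the previous successful login, distinct source IPs)."""
        fails = self.last_report.get(account, [])
        return len(fails), sorted({ip for _, ip in fails})


def run_scenarios():
    """Constructed scenarios; returns their outcomes so they can be checked."""
    out = {}
    # 1. One machine hammering one account: the IP rule stops it after IP_LIMIT.
    t1 = LoginThrottle()
    out["single_ip"] = [t1.attempt("alice", "198.51.100.7", 1000 + i, False) for i in range(7)]
    # 2. Botnet: 20 bots, 3 guesses each, every IP stays under IP_LIMIT.
    t2 = LoginThrottle()
    statuses = []
    for bot in range(20):
        ip = f"203.0.113.{bot + 1}"
        for k in range(3):
            statuses.append(t2.attempt("bob", ip, 2000 + bot * 10 + k, False))
    out["botnet"] = statuses
    out["botnet_ip_blocks"] = statuses.count("blocked_ip")
    out["botnet_account_throttles"] = statuses.count("throttled_account")
    # 3. Notification: four failures from two addresses, then the real user logs in.
    t3 = LoginThrottle()
    for i, ip in enumerate(["203.0.113.9", "203.0.113.9", "198.51.100.3", "198.51.100.3"]):
        t3.attempt("carol", ip, 3000 + i, False)
    t3.attempt("carol", "192.0.2.44", 3100, True)
    out["carol_report"] = t3.login_report("carol")
    # 4. The block from scenario 1 expires once the window has passed.
    out["after_window"] = t1.attempt("alice", "198.51.100.7", 1004 + 3600 + 1, True)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, "->", value)
```

The per-account limit is what stops the botnet, but it also lets an attacker lock the legitimate owner out by deliberately failing ten times; the usual compromise is to escalate to a slower step (a captcha, an e-mail confirmation, or the second factor the rest of the thread is asking for) rather than to refuse the account outright, and to keep the failure report so the owner sees what happened.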
ThorTheGreat
Caldari GoonWaffe SOLODRAKBANSOLODRAKBANSO
|
Posted - 2010.03.10 19:53:00 -
[52]
Originally by: RedClaws I've always been a bit confused about those authentication keys.
Why do I need a physical thing to generate this extra password? Why can't it be a site you go to?
The physical thing is important in adding an additional factor to authentication. An authentication factor is a piece of information or process used to identify a person or login. There are three currently available types of factors. Something you know (a password), something you have (a token) or something you are (a fingerprint or retinal scan). By adding an additional factor to the authentication you greatly increase the security of the login as a great deal more effort is required in order to access the account.
|
Niccolado Starwalker
Gallente Shadow Templars
|
Posted - 2010.03.10 22:44:00 -
[53]
I wonder.. could anyone at the CSM be so kind to bring the login token solution/question up to CCP during a briefing? It seems many want this solution. Of course, if it's expensive and not possible I will understand that, but it would be nice to get an answer at least!
Originally by: Dianabolic Your tears are absolutely divine, like a fine fine wine, rolling down your cheeks until they flow down the river of LOL.
|
Ti Chi
Minmatar Pimp My Ship
|
Posted - 2010.03.11 01:00:00 -
[54]
There are many quick easy solutions out there already to increase account security, look to the banking world
1) Remember the password locally: - Every email account I use remembers my password on my machine, so I do not have to type it in, this effectively stops key loggers. I never understood why I need to re-enter my password to play on my machine; if I'm worried someone else in my household is going to mess with my game accounts I can password lock my PC locally, at the screen saver and windows log in, this does a key logger no good. Place a tick box so you can decide to have a machine remember your password, just like hotmail, gmail, ymail.
2) Use a virtual keyboard: - My anti virus software comes with one, I've seen it in another MMO, no keys to log here
3) Second password: - a number sequence, where you have to enter a random selection, used by banks, ie 123456 enter the 1st, 3rd, and 4th digits, using selection boxes.
4) Random number generators: - my bank gave me one free with my account and I pay a lot less than 15 USD for my bank account.
5) Email authorization: - Any password changes, email changes, character transfers, have to be authorised by email, do not show the email address in the account details, allow the option to have a separate email address for authorization, in case the billing invoice is intercepted.
If my machine becomes infected and compromised, there is little that can be done, as I have failed to protect myself, ie having up to date anti-virus software, proper firewall protection etc. Maybe make Eve impossible to run without having such protection on the system, windows knows that they are there and running, so you must be able to detect them.
To stop those people who love to have the freedom not to use protection, make a check box flash up every time they run eve, stating there is no anti virus protection and/or firewall, are you sure you want to run Eve and place your account at risk.
Just my thoughts on it.
Ti
|
TeaDaze
|
Posted - 2010.03.11 01:49:00 -
[55]
Originally by: Niccolado Starwalker
I wonder.. could anyone at the CSM be so kind to bring the login token solution/question up to CCP during a briefing? It seems many want this solution. Of course, if it's expensive and not possible I will understand that, but it would be nice to get an answer at least!
You mean like *this* was pitched at the summit and the minutes to which are *here* (PDF - look at page 2)
|
Braad Losan
|
Posted - 2010.03.11 04:16:00 -
[56]
Edited by: Braad Losan on 11/03/2010 04:17:32
I vote for authenticators! I got my account hacked in WoW. The system caught the unusual activity right away and did auto lock the account. I called, got it unlocked, changed the password to something really hard and ordered an authenticator. Some of these EvE accounts are worth literally thousands and thousands of US dollars. There is real property to protect here. An RSA authenticator like Blizzard has would help a lot. It's not foolproof. But it's a step in the right direction. My wife's account was attempted a hack attack, it failed due to the authenticator and they never got in. They were sending random numbers to the authenticator part, but somehow they found out her password. I used every imaginable program to scan on both of our machines. Everything I tried came up with a big nothing. So either Blizzard has some fundamental security issues or the hackers have found a way to get your login info through another means.
I would buy a CCP authenticator in a heartbeat. It should be the norm especially with a game with this much time invested by so many players and such a large amount of money and resources tied to some of these accounts; it is just unreal.
Are the two most common elements in the universe Hydrogen and Stupidity? - Harlan Ellison
|
Niccolado Starwalker
Gallente Shadow Templars
|
Posted - 2010.03.11 09:04:00 -
[57]
Originally by: TeaDaze
Originally by: Niccolado Starwalker
I wonder.. could anyone at the CSM be so kind to bring the login token solution/question up to CCP during a briefing? It seems many want this solution. Of course, if it's expensive and not possible I will understand that, but it would be nice to get an answer at least!
You mean like *this* was pitched at the summit and the minutes to which are *here* (PDF - look at page 2)
Oh. Yes. Something like that all right.
I hope CCP thinks about it seriously though. It was mentioned, but it was mentioned in a list with "hundreds" of other alternatives, which - I think - ain't just as good as authenticators.
Originally by: Dianabolic Your tears are absolutely divine, like a fine fine wine, rolling down your cheeks until they flow down the river of LOL.
|
Ban Doga
|
Posted - 2010.03.11 09:16:00 -
[58]
Originally by: Niccolado Starwalker
Originally by: TeaDaze
Originally by: Niccolado Starwalker
I wonder.. could anyone at the CSM be so kind to bring the login token solution/question up to CCP during a briefing? It seems many want this solution. Of course, if it's expensive and not possible I will understand that, but it would be nice to get an answer at least!
You mean like *this* was pitched at the summit and the minutes to which are *here* (PDF - look at page 2)
Oh. Yes. Something like that all right.
I hope CCP thinks about it seriously though. It was mentioned, but it was mentioned in a list with "hundreds" of other alternatives, which - I think - ain't just as good as authenticators.
I hope CCP starts doing it. I'm pretty sure they are thinking about it already, but that alone won't change a thing...
|
Jimmae
|
Posted - 2010.03.11 10:02:00 -
[59]
Originally by: Ti Chi 2) Use a virtual keyboard: - My anti virus software come with one, I've seen it in another MMO, no keys to log here
This only protects you from physical keyloggers (devices that are installed between your keyboard and the computer to intercept keystrokes).
It does not protect you from software intercepting input to the OS driver layer!
Then there is malware that, using the computing power of bot nets, performs optical character recognition on screenshots taken from your system.
|
Sathynos
Caldari Pink Bunnies C0VEN
|
Posted - 2010.03.11 11:03:00 -
[60]
How about you allow me to switch my account security to an RSA token? I'll pay you for issuing me one, just make it work on your side.
My bank uses it, my company VPN uses it, why can't you? It's 2010 not '98, please wake up.
-- "Say yes to pron on Concord billboards" campaign. Eve mercenaries portal: http://www.eve-mercs.com
|