
Carniflex
StarHunt Systematic-Chaos
|
Posted - 2010.03.11 11:42:00 -
[61]
Tokens are nice, however there is an easier solution. Allow one to use a national identity card to log in to EVE. I know that at least most EU countries already have one.
As an added benefit, if one gets lost or stolen the authentication certificates on it get suspended by just reporting it as lost or stolen to the proper agency.
|

Jimmae
|
Posted - 2010.03.11 17:00:00 -
[62]
Edited by: Jimmae on 11/03/2010 17:00:44
Originally by: Carniflex Allow one to use national identity card to login to eve. I know that at least most EU countries already have one.
Most being? (Not Germany nor France I am quite sure.) Electronic ones that is.
|

CrickCrack
|
Posted - 2010.03.12 08:19:00 -
[63]
Edited by: CrickCrack on 12/03/2010 08:22:53
Check out this site, it has some really nice to use USB security authentication devices.
http://www.aladdin.com/etoken/security-applications.aspx
CCP please add support for USB security authentication devices like these and give us the users the option to use them or not.
|

Yon89
Triumvirate.
|
Posted - 2010.03.13 10:21:00 -
[64]
Integrate the use of http://www.yubico.com/products/yubikey/ so that we can use 3rd factor auth.
|

Cyril
Hounds Of War
|
Posted - 2010.03.13 11:43:00 -
[65]
Keep in mind different solutions are for different problems. Brute force vs social engineering are totally different threat models.
Originally by: Ti Chi There are many quick easy solutions out there already to increase account security, look to the banking world
1) Remember the password locally: - Every email account I use remembers my password on my machine, so I do not have to type it in, this effectively stops key loggers. I never understood why I need to re-enter my password to play on my machine, if I'm worried someone else in my household is going to mess with my game accounts I can password lock my PC locally, at the screen saver and windows log in, this does a key logger no good. Place a tick box so you can decide to have a machine remember your password, just like hotmail, gmail, ymail.
2) Use a virtual keyboard: - My anti virus software comes with one, I've seen it in another MMO, no keys to log here
3) Second password: - a number sequence, where you have to enter a random selection, used by banks, ie 123456 enter the 1st, 3rd, and 4th digits, using selection boxes.
4) Random number generators: - my bank gave me one free with my account and I pay a lot less than 15 USD for my bank account.
5) Email authorization: - Any password changes, email changes, character transfers, have to be authorised by email, do not show the email address in the account details, allow the option to have a separate email address for authorization, in case the billing invoice is intercepted.
If my machine becomes infected and compromised, there is little that can be done, as I have failed to protect myself, ie having up-to-date anti-virus software, proper firewall protection etc. Maybe make Eve impossible to run without having such protection on the system, windows knows that they are there and running, so you must be able to detect them.
To stop those people who love to have the freedom not to use protection, make a check box flash up every time they run eve, stating there is no anti virus protection and/or firewall, are you sure you want to run Eve and place your account at risk.
Just my thoughts on it.
Ti
1. Not a bad idea but I think you'd find most instances of social engineering attacks are directed at the web login not the client login so it would be minimally useful.
2. Useless. If you have a physical keystroke logger you have a physical access issue and are screwed. Most software keystroke loggers now also do screen grabs. Some of the smarter ones will even diff the images to reduce the data transmitted.
3. Again any additional input is of marginal value at best unless it is generated externally to the client or server. Ex the paypal football.
4. This is actually a very solid solution.
5. I think this is a good idea for character transfers but then the attacker would just rob you blind.
Originally by: Yon89 integrate the use of http://www.yubico.com/products/yubikey/ so that we can use 3rd factor auth.
CCP could also order branded yubikeys in bulk and run the authentication on their server. That way they are the only ones with the AES Key and we'd have a nifty looking key.
Caution on all USB/external tokens: don't make the same silly mistake Blizzard did... from the security report I just saw yesterday the token was transmitted in the clear rather than through tls or anything else which made it wide open to man in the middle attacks.
Also there would need to be some way to deal with lost/damaged authentication devices which could get messy.
As to the idea about IP blocking / filtering. Anyone trying to get into your account will get around this in a second.
And none of this will stop people from giving away their passwords. -----------------------------------------
insert witty sig here. |

Kailyn
|
Posted - 2010.03.13 17:31:00 -
[66]
Heck make EVE work with my Blizzard authenticator.
And can't use national ID cards in the States--we don't have one.
And frankly no game needs that kind of information from me.
|

TeaDaze
|
Posted - 2010.03.14 00:38:00 -
[67]
I dislike the idea of USB keys/dongles because that adds another level of complexity over an authenticator token that simply displays a number to type in.
* A USB device will need drivers installed and will require Eve to interface to it.
* An authentication token just requires another box to enter a number into.
I would love to see a universal authenticator service with one keyfob device that can be used on multiple games, but the back end infrastructure isn't in place yet and it would require multiple game developers to commit to it...
|

Charney deGeoff
Caldari Mirkur Draug'Tyr Ushra'Khan
|
Posted - 2010.03.14 15:37:00 -
[68]
Just going to join the choir here and put in my wishes for an RSA one-time password generator fob. Please, please consider implementing it. |

Niccolado Starwalker
Gallente Shadow Templars
|
Posted - 2010.03.15 07:29:00 -
[69]
Sigh. A dev blog comment page completely without dev input to our comments.
It would have been so nice to hear what the devs thought about a token code key generator and such.
Originally by: Dianabolic Your tears are absolutely divine, like a fine fine wine, rolling down your cheeks until they flow down the river of LOL.
|

Ikeja Lightforge
|
Posted - 2010.03.16 23:00:00 -
[70]
Let me add another voice to the rsa token choir, be it either a usb fob we buy or as a mobile application for your smartphone.
I use Blizzard's Battle.net mobile authenticator application instead of the usb fob and it works really well.
|

Jinli mei
Collegium Mechanicae Dominus Bellorum
|
Posted - 2010.03.17 05:18:00 -
[71]
Blizzard has token authentication (a little keyring type thing) (which isn't USB), and token auth available on the Android and iPhone mobile OS's. This adds a great degree of flexibility when authorizing yourself, and I would love to see CCP implement this. Paypal also does a keyring type token auth.
Having notifications of someone trying to get into your account through any means would be nice; and it would also be neat if CCP's systems did some extra heuristics if they detect "suspicious activity" on a given account. Preventative measures are only so good, after-the-fact measures should also be increased :)
+1 to tokens that aren't usb -1 to anything that has the word "usb" in it.
(nice to see a lot of security minded people in eve, <3 crypto)
|

Lady Isabell
Amarr Priory Of The Lemon Atlas Alliance
|
Posted - 2010.03.18 12:42:00 -
[72]
Some suggestions:
1) How about the ability to use a different account name to actually log into Eve?
1 a) Changing the log in name into Eve (not account management) would require an authentication in form of a predefined password, either user given or generated from suggestion 2.
2) Password that is shown on / or generated from the credit/debit card transaction?* This would be used to verify "big changes", such as moving all your assets/isk or when moving your character to a different account.
* this assumes of course that credit/debit card is used to do the payments, useless if you pay using Plex/GTCs.
|

ULTImatio
|
Posted - 2010.03.18 14:42:00 -
[73]
I really like the new Login security measurement: Enter an Account Character name. Thanks CCP for making it a bit better.
I like to request IP-address management:
An IP-address is built up from xxx.xxx.xxx.xxx digits. The first 6 digits never change if you don't travel around. I like to assign those first 6 digits to my Account as verification.
|

Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2010.03.18 21:22:00 -
[74]
Can you please, for the love of all that is holy, return my setting to "Remember me" please. Having to relog back in and re-enter my details every time several times a day is annoying. I don't wish the extra security all the time. |

Creepin
|
Posted - 2010.03.19 16:50:00 -
[75]
Quote: In order to help ensure the security of your accounts, we will be adding a measure which will, under certain circumstances, prompt users logging into the Web site with an additional login challenge.
Certain circumstances? CERTAIN CIRCUMSTANCES? You mean each time I want to log in? Not only your bloody forum was never able to remember what account I want to log in under, which was somewhat avoidable by several additional clicks each login, but now I also had to manually type that I'm me each time I want to fragging bump my fragging topic?
Pathetic  |

Zemata
|
Posted - 2010.03.24 18:51:00 -
[76]
Originally by: Kylee Serenity Awhile ago blizzard offered a simple USB key that is tied to your user account and must be plugged in to the machine in question in order to log in. I'm not sure how well they worked, but if they did, I would certainly buy one for my account(s).
I would Definitely support and USE a function like this!! I have it with my netbank page, they give a little card, where you enter your 4 digit pin code, and then you get a code from the login screen, that you enter on the card, and the card throws a challenge code back, for you to respond on the login with, if it's correct ( right account ) it logs you in! This is of course STILL with the normal login password too!!
But the blizz idea is slightly less secure, but still, same principle!
|

Sina Oraen
|
Posted - 2010.03.25 12:13:00 -
[77]
Nice tips but nothing will work if you catch up a keylogger :)
So keep the AntiMaleware / Spyware / Virusware up to date ... and use the strongest Password possible.
|

mboverload
Caldari Xovoni Directorate
|
Posted - 2010.03.31 07:28:00 -
[78]
Originally by: Sina Oraen Nice tips but nothing will work if you catch up a keylogger :)
So keep the AntiMaleware / Spyware / Virusware up to date ... and use the strongest Password possible.
Your AntiMaleware is Sexist Software Of The Month.
 --------------------- |

unwitting destruction
|
Posted - 2010.04.01 04:06:00 -
[79]
What I would love to see by way of account security, and I don't know why this isn't in place now, would be to use the user ID that comes with APIs for character transfers instead of account names...
|

Ranka Mei
Caldari
|
Posted - 2010.04.17 03:08:00 -
[80]
Quote:
(from the devlog)
"Use strong passwords
Passwords should be complex and difficult to guess. Using a mix of numbers and small/capital letters can reduce the dangers from brute-forcing and lucky guesswork on part of the hackers. Avoid using common dictionary words and keep in mind that longer passwords are less vulnerable than short ones. A minimum length of 16 characters with a mix of lower case, capitals and numbers is strongly recommended for heightened security."
Actually, all y'all just fell into a classic 'noob' trap. :) Seems simple enough, no? Just make a real long, real complicated password that will be impossible to brute-force, right? Wrong! If a password becomes too complex, people will start to write it down, because nobody can remember "RT^&*HERTgdUenqowedcydsI*>". And, of course, they won't write it down on paper, as they like to copy & paste it; so... it will just wind up in a text file somewhere on their computer, probably neatly prefixed with "EVE Password" even. Then their browser gets hacked and the hacker gets the written-down passwords nicely presented to him on a silver platter.
A good password is like a (long) known word, laced with a few numbers or so, with a few strategically placed capital letters. Something you can remember, at least.
More to the point, actually, is that bruteforce attacks should not be possible at all. Every, say, decent FTP server out there has figured it out by now: add a simple (random) delay between failed password attempts (between, say, 0.4 - 2.0 secs), and you have effectively stopped ALL bruteforce attacks dead in their tracks! I'm surprised CCP hasn't long since implemented such a scheme. -- Gorgeous, delicious, deculture! |
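The failed-attempt delay from the post above, as an added example that is not part of the thread: the 0.4 to 2.0 second range is taken from the post, while the per-account window, the `LoginThrottle` and `simulate_guessing` names and the sample data are assumptions made here. The simulated clock shows how long a guess list takes with one connection and with several.

```python
import random

class LoginThrottle:
    """Per-account wait window opened by each failed password attempt."""

    def __init__(self, check_password, min_delay=0.4, max_delay=2.0, rng=None):
        self.check_password = check_password  # callable(account, password) -> bool
        self.min_delay, self.max_delay = min_delay, max_delay
        self.rng = rng or random.Random()
        self.locked_until = {}                # account -> earliest next attempt

    def attempt(self, account, password, now):
        # While the window is open, refuse without checking the password, so
        # extra connections do not buy extra guesses against this account.
        if now < self.locked_until.get(account, 0.0):
            return "throttled"
        if self.check_password(account, password):
            self.locked_until.pop(account, None)
            return "ok"
        delay = self.rng.uniform(self.min_delay, self.max_delay)
        self.locked_until[account] = now + delay
        return "denied"


def simulate_guessing(throttle, account, guesses, connections=1, tick=0.05):
    """Replay a guess list on a simulated clock: (outcome, seconds, checked)."""
    now, checked, queue = 0.0, 0, list(guesses)
    while queue:
        for _ in range(connections):          # all connections fire each tick
            if not queue:
                break
            result = throttle.attempt(account, queue[0], now)
            if result == "throttled":
                continue
            queue.pop(0)
            checked += 1
            if result == "ok":
                return "ok", now, checked
        now += tick
    return "exhausted", now, checked


# Constructed sample data: one account and a list of wrong guesses.
STORED = {"pilot1": "correct horse 42"}
def check(account, password):
    return STORED.get(account) == password
WRONG = ["guess%03d" % i for i in range(200)]
```

With this range one account sees at most 2.5 checked guesses per second however many connections are opened; the same window also delays the account owner after a typo.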