Tippia
Reikoku IT Alliance
|
Posted - 2010.03.19 10:38:00 -
[91]
Originally by: Mashie Saldana
Originally by: Siigari Kitawa I use Firefox 3.6
Strange I use 3.6 here as well and have no issues.
Not strange at all, since it's a forum issue – not a browser issue. |
Mashie Saldana
Red Federation
|
Posted - 2010.03.19 10:39:00 -
[92]
Originally by: Marko Riva Doesn't mean anything, you can post every 10 minutes and post a lot while not having to avoid the 5 minute timer :)
Every time I open a new browser window with the EVE forum, if I then want to make a post I have to login again.
Well that 5-min avoidance is used quite a bit here as well. Still working fine. |
Epicbeardman
|
Posted - 2010.03.19 10:48:00 -
[93]
Edited by: Epicbeardman on 19/03/2010 10:49:05
Originally by: Aera Aiana What exactly prevents a phishing site from asking for a character name in addition to just my accountname and password?
Nothing.
What prevents you from thinking before you click links or executables?
This feature was put there so people would stop complaining about it. It does nothing to improve security. |
ceaon
Gallente
|
Posted - 2010.03.19 10:49:00 -
[94]
Originally by: Adida
Edited out a different company's name - Adida
Anyone can send me an eve mail with the name of said company? I am ****ing curious now, I do want that name nao |
Armoured C
Gallente Globaltech Industries The ENTITY.
|
Posted - 2010.03.19 11:35:00 -
[95]
aye new log in is stupid |
Vaerah Vahrokha
Minmatar Vahrokh Consulting
|
Posted - 2010.03.19 13:57:00 -
[96]
Quote:
Kind of defeats the purpose? What's to stop phishing sites from doing man-in-the-middle attack by fetching any additional security questions from the real EVE website, presenting them to you, and intercepting your answers?
Adding the same identifying feature ("something you know") won't help.
It helps... the thief.
Because people will probably type in their main's name, so the phisher will know where to start to log in from.
Quote:
Though I admire and worship your concerns about my account security, your current "fix" to the apparently ongoing account compromises is a horrendous solution to it.
Having to fill the required details in over and over and over again, is a pain in the rear.
Please give me an option to disable this terrible oddball "feature" to your boards.
Sincerely,
3 accounts.
To think that to fix most of this issue all they needed was to make the game remember the passwords (which should be actually doable with a hidden option iirc already). If the game did not constantly ask for the password, the phisher would have to have infected the computer before the first time EvE was played.
By constantly asking for username, password and in game characters, in a few weeks not only the phishers will have adapted but they will be spammed with our user names, passwords and in game character names dozens of times.
Finally, and this is the worst issue possible, by forcing repeated log in, the players WILL pick stupidly easy and weak passwords.
They will play exactly in the phishers' hands.
- Auditing & consulting
When looking for investors, please read http://tinyurl.com/n5ys4h + http://tinyurl.com/lrg4oz
|
Kyle Cataclysm
Blue.
|
Posted - 2010.03.19 14:24:00 -
[97]
Finally the people named "IlIlIlIIlll" or "xX3l1t3k1II3rxyx11!!" get what they deserve.
|
Aera Aiana
|
Posted - 2010.03.19 14:55:00 -
[98]
Originally by: Julius Rigel No that's not it, during my time in EVE I've been to multiple locations, had various routers, various ISPs, moved house, you name it, and my IP address isn't changing from login to login. I guess it's just one of those quirky things.
I'm talking about the present, aka NOW. I know they used to log you out all the time. I'm saying this doesn't appear to be the case anymore.
|
Akita T
Caldari Caldari Navy Volunteer Task Force
|
Posted - 2010.03.19 15:08:00 -
[99]
Edited by: Akita T on 19/03/2010 15:10:01
Originally by: Aera Aiana I know they used to log you out all the time. I'm saying this doesn't appear to be the case anymore.
Not as often as in the "crazy periods" anymore, true. But if you stick around the forums long enough, you still notice it enough to be a bit annoying.
P.S. Especially if you have both signatures and images enabled when logged in, and keep on browsing and reading with the occasional reply... then all of a sudden, the forums just "go bald", all sigs gone (and the images in them being the most noticeable absences).
_
Beginner's ISK making guide | Manufacturer's helper | All about reacting _
|
Ix Forres
Caldari Vanguard Frontiers Intrepid Crossing
|
Posted - 2010.03.19 16:04:00 -
[100]
Something say, something do, something secret, something you - Charles Stross, Glasshouse
Hardware authentication tokens are the only actual security-enhancing step that could be added. Any form of physical token that produces a predictably (for CCP) random set of data for a user to input, basically. RSA tokens have been mentioned, Yubikeys are the other major one out there.
We have something say - our username. Not the end of the world if people know it. Something do? Well, that's only relevant for in-person authentication. Something secret? Your password. Your character is just another secret; it is defunct if your password is compromised, because your character name will be too in all likelihood. The exception is on cross-application account compromise (password for another app is leaked, same as your EVE account, etc). And something you- this is the hardware token, proving that you are the physical you.
Basically, the extra step is just security theatre. And the need to type your password explicitly more than often as many have suggested in this thread already just exposes additional attack vectors. -- Ix Forres EVE Application Developer EVE Metrics | accVIEW | I Tweet |
|
Emma Royd
Caldari Maddled Gommerils
|
Posted - 2010.03.19 17:16:00 -
[101]
I really can't see the problem in having to type in your character name as an extra security level that much of a problem.... you are going to type something in a forum after all.
Short of enforced timed password changes with compulsory number of characters with upper, lower case & numbers, security linked to the registered email only (like it should be for character transfers) I'm not sure what else CCP could do.
Speaking of passwords, paddy starts a new job and has to create a password to log in so he thinks for a bit and types for ages. His boss says "Wow that's a long password, how are you going to remember that?" paddy replies "Oh it's easy, it's 'mickeyminnieplutodonalddublindaisyhueydueylouie'" his boss looks confused and asks why he chose that password, paddy says "Well it asked for 8 characters and 1 capital"
Sorry
+_+
Artificial Intelligence is no match for Natural Stupidity |
Tippia
Reikoku IT Alliance
|
Posted - 2010.03.19 18:31:00 -
[102]
Originally by: Emma Royd I really can't see the problem in having to type in your character name as an extra security level that much of a problem.... you are going to type something in a forum after all.
The problem is that it serves no purpose and adds no extra security. If you want to add extra levels of security, that's kind of a big problem. ——— “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” — Karath Piki |
Mashie Saldana
Red Federation
|
Posted - 2010.03.19 18:40:00 -
[103]
Originally by: Tippia The problem is that it serves no purpose and adds no extra security. If you want to add extra levels of security, that's kind of a big problem.
Well how are the hackers going to know your character name here if they managed to steal the login details that happened to be the same on a random forum/different game/login credential list?
Contact me for custom [eb] signatures. |
Steijn
Minmatar Ascension Ind
|
Posted - 2010.03.19 18:45:00 -
[104]
I've lost count of the number of times I've had to log-in and re-log-in over the past 2 days due to the removal of auto-login and the ability of this forum to continually 'unlog' you. However the interesting thing I find is that on ALL of these occasions I've had to log in, I've not had to go through one extra security check yet apart from username and pw..
So, I'd be very grateful if CCP could at least make an official announcement on how exactly this 'new security' is supposed to help because from my point of view, it's yet something else that they have implemented without giving proper thought to it.
|
Tippia
Reikoku IT Alliance
|
Posted - 2010.03.19 18:47:00 -
[105]
Originally by: Mashie Saldana
Originally by: Tippia The problem is that it serves no purpose and adds no extra security. If you want to add extra levels of security, that's kind of a big problem.
Well how are the hackers going to know your character name here if they managed to steal the login details that happened to be the same on a random forum/different game/login credential list?
1. The same way they got your account name and password. 2. With a bit of luck, the API. ——— “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” — Karath Piki |
Vaerah Vahrokha
Minmatar Vahrokh Consulting
|
Posted - 2010.03.19 18:53:00 -
[106]
Quote:
I really can't see the problem in having to type in your character name as an extra security level that much of a problem.... you are going to type something in a forum after all.
It'll take about 1 week before a keylogger data mining program will add character name to the keylogged username + password.
The next week, the exchanged username + password lists will get 1 added column: "in game character".
The hackers - usually VERY hard pressed to take and reprocess everything FAST because every second could be fatal (CCP will lock the account once reported) will have GREAT help with that in game character, because people WILL type the name of their main.
In the mean time, since NOW people will start using stupidly shorter passwords "to save time"
Believe me, I have worked for large customer bases (tens of thousands) these kinds of collective idiocy are completely real and happen for sure.
- Auditing & consulting
When looking for investors, please read http://tinyurl.com/n5ys4h + http://tinyurl.com/lrg4oz
|
Mashie Saldana
Red Federation
|
Posted - 2010.03.19 19:10:00 -
[107]
Just imagine the whinage if the forum required an RSA key login every 10 minutes...
Contact me for custom [eb] signatures. |
Steijn
Minmatar Ascension Ind
|
Posted - 2010.03.19 19:47:00 -
[108]
Originally by: Vaerah Vahrokha
Quote:
In the mean time, since NOW people will start using stupidly shorter passwords "to save time"
Believe me, I have worked for large customer bases (tens of thousands) these kinds of collective idiocy are completely real and happen for sure.
Personally, if this is still the same after the weekend and auto-login isn't reactivated, I won't use the forum any longer. Some will say that's no big deal, fair enough, but I won't be the only one that decides the forum is no longer viable and that can only be detrimental in the long-term to Eve.
Oh and no, I'm not against the added security, but removing auto-login does diddly-squat to preventing security issues, in fact, it even makes the security issues worse.
|
Aera Aiana
|
Posted - 2010.03.20 08:20:00 -
[109]
Originally by: Mashie Saldana Just imagine the whinage if the forum required an RSA key login every 10 minutes...
Why would they do that? Forum security is not paramount. Account security is. Best you can do with a stolen forum login (I assume the cookies don't contain the actual password but just a hash of it) is spam the forum. Account management should ask for the password again. Similar to how Amazon does it. You're logged in whenever you visit the site, but when you want to order something, you have to verify that login.
They shouldn't bother us every time we want to make a post. That is just the opposite of improving security, because people will eventually use the copy/paste buffer to keep their password or use a very short one. Sure, that's stupid to do, but this whole security upgrade is to prevent people from doing stupid things - and nothing else. That's however not what will happen.
In short, I think this new login will, after a temporary increase in security, have a negative effect on it. Starting as soon as people get tired of being logged out randomly all the time (and yeah, that still happens as I just found out....) and having to login again.
|
Cobalt Sixty
Caldari Perkone
|
Posted - 2010.03.20 18:37:00 -
[110]
Originally by: Cors Edited by: Cors on 18/03/2010 18:02:48 Could we not just create a separate login for the forums? Example
Account name: xxxxxxxxx PW: yyyyyyyyy
FORUM login name: aaaaaaa FORUM PW: bbbbbbbbb
Keep the forum account tied to your actual game account, but have separate logins, so when we're at work, friends house, family's house, on our laptop at the mall, on our cell phone or whatever, and we're logging into the forums, the L:/P: are NOT our actual account login/pw.
Seeing as we're getting spacebook/new eden/whatever the next name will be, "soon" we'll be logging into the forum a LOT more than we do now, and from portable devices like cell phones, netbooks, tablets and such much more. So a separate forum account would make more sense.
Yes, it's another L:/P: to remember, but I'd MUCH rather have my forum account be found out than my GAME account info found out.
Just posting my apology to Cors, as I missed your post and didn't realise I was pretty much just repeating the sensible concept you'd already posted.
|
|
small chimp
|
Posted - 2010.03.20 20:24:00 -
[111]
Funny! Now the keylogger knows my account/password because I have to keep typing it!
|
Jim McGregor
|
Posted - 2010.03.20 21:11:00 -
[112]
Adapt or die.
--
|
small chimp
|
Posted - 2010.03.20 21:15:00 -
[113]
Originally by: Jim McGregor
Adapt or die.
How do you dare to say that to me?
|
Ampere Ikolian
|
Posted - 2010.03.20 22:48:00 -
[114]
Personally I fail to see how the new log in challenge improves anything. Most accounts are compromised not by a lack of authenticating the user to the server, but by a lack of authenticating the server to the user. A phishing website does its deed by looking enough like the server that a user is fooled - for the case of most places where you need to log in, the 'look & feel' of the server in question is public and identical for all users. A person who is trying to compromise accounts has all the information they need to look legitimate to the user. What is really needed is a two-way authentication, a demonstration by the server of knowledge of a shared secret or at least difficult to acquire information. For a more detailed description check out the Wikipedia page on mutual authentication:
http://en.wikipedia.org/wiki/Mutual_authentication
|
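The two-way authentication described in the post above, as an added sketch that is not part of the original thread: the server must prove knowledge of a shared secret before the client sends any proof of its own, and the proof is bound to the origin the client software actually connected to, so a look-alike site fails whether it guesses or relays the real server's answer. The per-account key provisioned in advance, the class names and the `.example` host names are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def proof(key: bytes, role: str, origin: str, cnonce: bytes, snonce: bytes) -> bytes:
    """MAC binding the prover's role and origin to both fresh nonces."""
    parts = [role, origin, cnonce.hex(), snonce.hex()]
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()


class Server:
    """Legitimate site: holds the shared key and answers the client's nonce."""

    def __init__(self, origin: str, key: bytes):
        self.origin, self.key, self.pending = origin, key, {}

    def respond(self, cnonce: bytes):
        snonce = secrets.token_bytes(16)
        self.pending[cnonce] = snonce
        return snonce, proof(self.key, "server", self.origin, cnonce, snonce)

    def finish(self, cnonce: bytes, client_proof: bytes) -> bool:
        snonce = self.pending.pop(cnonce, None)  # one attempt per exchange
        if snonce is None:
            return False
        good = proof(self.key, "client", self.origin, cnonce, snonce)
        return hmac.compare_digest(client_proof, good)


class LookAlike:
    """Test double for a phishing page: no key, optionally relays upstream."""

    def __init__(self, origin: str, upstream=None):
        self.origin, self.upstream = origin, upstream

    def respond(self, cnonce: bytes):
        if self.upstream is not None:
            return self.upstream.respond(cnonce)  # relayed genuine answer
        return secrets.token_bytes(16), secrets.token_bytes(32)  # blind guess


def client_login(key: bytes, site) -> bool:
    """Verify the server's proof first; only then send the client's proof."""
    cnonce = secrets.token_bytes(16)
    snonce, server_proof = site.respond(cnonce)
    expected = proof(key, "server", site.origin, cnonce, snonce)
    if not hmac.compare_digest(server_proof, expected):
        return False  # server not authenticated: nothing is disclosed
    return site.finish(cnonce, proof(key, "client", site.origin, cnonce, snonce))
```

The relay case fails only because `site.origin` is what the client software connected to, not what the page claims to be; a check left to the user's eyes gives no such binding.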
Siigari Kitawa
Gallente The Aduro Protocol Talon Alliance
|
Posted - 2010.03.21 01:57:00 -
[115]
Originally by: Jim McGregor
Adapt or die.
Hi Jim o/
|