GM Grimmi
|
Posted - 2010.03.22 17:15:00 -
[1]
The change made last week is intended to prevent automatic logins by bots running enormous lists of username and password pairs. This has been the main cause of problems with account security for a while now, with hundreds of thousands of such pairs being tried every day.
Key-loggers are of course a problem and to limit potential problems with this we reinstated the auto-complete of usernames last Friday. Users can set their browsers to complete passwords as well, as this sort of option is available in most frequently used browsers.
This is the first step of many in account security upgrades and we are working hard on improvements. Unfortunately, such measures are likely to cause some annoyance but we try to minimize that as much as possible.
GM Grimmi
Lead Game Master
EVE CSS |
|
Aixa Syal
Minmatar al-Syal Brigade
|
Posted - 2010.03.22 17:28:00 -
[2]
Good work, nice to see something being done!
But is there a way to flag the IPs of those brute force attacks on the EVE site itself and see if they log in to any EVE accounts or own any, or are they using proxies mostly?
And would a modified client be able to do the same thing? Do you auto-suspend accounts after so many failed attempts to log in?
|
Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2010.03.22 17:37:00 -
[3]
Originally by: GM Grimmi The change made last week is intended to prevent automatic logins by bots running enormous lists of username and password pairs. This has been the main cause of problems with account security for a while now, with hundreds of thousands of such pairs being tried every day.
Key-loggers are of course a problem and to limit potential problems with this we reinstated the auto-complete of usernames last Friday. Users can set their browsers to complete passwords as well, as this sort of option is available in most frequently used browsers.
This is the first step of many in account security upgrades and we are working hard on improvements. Unfortunately, such measures are likely to cause some annoyance but we try to minimize that as much as possible.
Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun. _____________________________________ Haruhiist since December 2008
Originally by: CCP Fallout :facepalm:
|
Professor Tarantula
Hedion University
|
Posted - 2010.03.22 17:48:00 -
[4]
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
My deepest sympathies. Prof. Tarantula, Esq. |
Jimer Lins
Gallente Noir. Noir. Mercenary Group
|
Posted - 2010.03.22 17:55:00 -
[5]
Please re-add the "remember me" checkbox, so you no longer have to re-login every time you don't refresh the forums within a few minutes.
No, I don't want to use a feature that remembers the password. A cookie that indicates I can post on the forums is fine, and prompting me for a password to do something else is acceptable.
Having a cookie preserving your login status for the forums while not allowing me to do anything more critical would be fine, and is far more secure than preserving login and password in a form.
I applaud your desire to be more secure. I strongly question how you're going about it.
Signature removed not EVE related - Adida Killboard-Declarations of War Podcast |
Gnulpie
Minmatar Miner Tech
|
Posted - 2010.03.22 17:58:00 -
[6]
Great!!
This is really an improvement.
Keep the good work on. |
Amerilia
|
Posted - 2010.03.22 17:58:00 -
[7]
Originally by: Professor Tarantula
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
Are you blind or something? There is not only Firefox in this world, there is also Opera, Chrome, Konqueror and probably many more that can do this.
Problem is, Moondoggie can't.
|
Paknac Queltel
Standards and Practices
|
Posted - 2010.03.22 18:14:00 -
[8]
Originally by: Professor Tarantula
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
Because, you know, browser cache is a secure place to keep your passwords, that malware won't read at all.
Also, every time you log out, even automatically, all the unread flags clear.
|
Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2010.03.22 18:14:00 -
[9]
Edited by: Blane Xero on 22/03/2010 18:15:18
Originally by: Professor Tarantula
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
I'm using Firefox, however I log into multiple accounts regularly on the website and forums, and firefox does not (or did not) differentiate from the forums and account management so having it remember my password somewhere meant it would remember ONE password and I would have to manually remove it if i didn't want to accidentally try the wrong password when logging into a different account etc etc, long story short i disabled it on www.eveonline.com and such, also what the poster above me said. I kill my cookies every time i kill my browser- Much more secure than saving a password within my browser 24/7
The remember me feature worked. Simple as that. _____________________________________ Haruhiist since December 2008
Originally by: CCP Fallout :facepalm:
|
Mashie Saldana
Red Federation
|
Posted - 2010.03.22 18:36:00 -
[10]
Originally by: GM Grimmi The change made last week is intended to prevent automatic logins by bots running enormous lists of username and password pairs. This has been the main cause of problems with account security for a while now, with hundreds of thousands of such pairs being tried every day.
Well if the forum is the primary place to verify account information used by the EVE client, now would be a great time to separate them so we have different passwords for each.
|
|
Serpents smile
|
Posted - 2010.03.22 18:39:00 -
[11]
Edited by: Serpents smile on 22/03/2010 18:43:28
Originally by: GM Grimmi and to limit potential problems with this we reinstated the auto-complete of usernames last Friday.
Thank heavens you came to your senses, concerning this.
You need to weigh the profit you make from having hackers run wild on your fora against the legit user access just trying to communicate.
hope you do better in the future.
GL!
Edit; ps GM Grimmi, your signature link is dead dead.
|
Professor Tarantula
Hedion University
|
Posted - 2010.03.22 18:41:00 -
[12]
Originally by: Blane Xero I'm using Firefox, however I log into multiple accounts regularly on the website and forums, and firefox does not (or did not) differentiate from the forums and account management so having it remember my password somewhere meant it would remember ONE password and I would have to manually remove it if i didn't want to accidentally try the wrong password when logging into a different account etc etc, long story short i disabled it on www.eveonline.com and such
Ahh, i see. Would be tricky to run multiple accounts without the 'remember me' for each password.
Originally by: Blane Xero Also what the poster above me said. I kill my cookies every time i kill my browser- Much more secure than saving a password within my browser 24/7
Well PW aren't stored in cookies, at least entirely. You can wipe your cookies and still have it fill in the password when you type in the user name for the first time after. In order to erase all the saved PW you have to find 'saved passwords' under 'security' in the options for firefox.
My deepest sympathies. Prof. Tarantula, Esq. |
Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2010.03.22 18:56:00 -
[13]
Originally by: Professor Tarantula
Originally by: Blane Xero Also what the poster above me said. I kill my cookies every time i kill my browser- Much more secure than saving a password within my browser 24/7
Well PW aren't stored in cookies, at least entirely. You can wipe your cookies and still have it fill in the password when you type in the user name for the first time after. In order to erase all the saved PW you have to find 'saved passwords' under 'security' in the options for firefox.
I know that, but having the login token (AKA Remember Me) in cookies which was cleared after every closure of firefox is more secure than storing a password in firefox that, as mentioned above, could easily be gotten through malicious software _____________________________________ Haruhiist since December 2008
Originally by: CCP Fallout :facepalm:
|
|
Chribba
Otherworld Enterprises Otherworld Empire
|
Posted - 2010.03.22 19:07:00 -
[14]
Originally by: GM Grimmi The change made last week is intended to prevent automatic logins by bots running enormous lists of username and password pairs. This has been the main cause of problems with account security for a while now, with hundreds of thousands of such pairs being tried every day.
Automatic logins? Are we talking brute-force attempts (as that would still be possible - but at a greater effort) or by the automatic attempts do you mean the "automatic login"-cookie (which I don't see how it could be used as a way of gaining access to anything but posting on the forum...)
I'm very pleased to see that there are things starting to happen regarding account security (as I've been pushing for changes for a long time now). I don't really see the benefit of the current change except the extra verification step is one "step" in a right direction. Maybe small, but nevertheless a step.
Personally the removal of the cookie is imo making the account more vulnerable to keyloggers than before - as still the cookie was just a cookie for the forums - not reversible to a user/password - compared to now when I actually have to type the info.
I'm still hoping that we will see more changes and additional features in the future (I'd still love to see an IP-restriction feature be implemented as suggested by me and discussed between CSM and CCP).
Keep up the great work and thank you for focusing on the issue with account security.
/c
Secure 3rd party service |
|
Professor Tarantula
Hedion University
|
Posted - 2010.03.22 19:44:00 -
[15]
Originally by: Chribba (I'd still love to see an IP-restriction feature be implemented as suggested by me and discussed between CSM and CCP).
That idea has been around as long as online games themselves, and i've spent my own bit of time trying to get different companies to consider it. Some people having static IPs doesn't mean people who don't shouldn't be able to select the option.
It makes so much sense that i'm actually starting to find it suspicious companies continue to ignore it. Everything we do online centers around our IP except MMOs. Such a simple and obvious solution to a large percentage of problems, yet they'd rather try to dream up much more complicated and inconvenient solutions.
My deepest sympathies. Prof. Tarantula, Esq. |
Jimer Lins
Gallente Noir. Noir. Mercenary Group
|
Posted - 2010.03.22 19:45:00 -
[16]
Among the better ways to defeat brute-force attacks:
After X invalid login attempts (optionally within Y window), account is disabled for N hours and cannot be accessed.
Griefing and getting people's accounts disabled can be addressed by autoblocking IP source of invalid login attempts from ANY access to ANY account. Also, allow people to change their login name if it becomes exposed, preventing further griefing.
I'm sure this and many other things are being discussed, but it's disheartening to see that the actual measures being implemented are arguably WORSE for security, and the net effect is mostly to reduce forum usage because people can't be arsed to go through the login every time they browse over to the forums.
I'll bet the forum use logs show a marked decrease in post volume, but a smaller decrease in reads, particularly by users not logged in.
Signature removed not EVE related - Adida Killboard-Declarations of War Podcast |
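The lockout scheme proposed in the post above, sketched as an added example (not part of the thread and not CCP's code): an account locks after X failures inside a Y-second window for N seconds, and a source IP is blocked after failures against any accounts. The class name, thresholds and documentation-range addresses are assumptions; the IP threshold is set below the account threshold so one source is cut off before it can lock anyone out.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counters keyed by account and by source IP."""

    def __init__(self, x_account=10, x_ip=5, window_y=600, lock_n=3600):
        self.x_account = x_account   # X: failures before an account locks
        self.x_ip = x_ip             # failures (any account) before an IP is blocked
        self.window_y = window_y     # Y: counting window in seconds
        self.lock_n = lock_n         # N: lock/block duration in seconds
        self._fails = {"account": defaultdict(deque), "ip": defaultdict(deque)}
        self._until = {"account": {}, "ip": {}}

    def _blocked(self, kind, key, now):
        return self._until[kind].get(key, 0) > now

    def _record(self, kind, key, now, limit):
        q = self._fails[kind][key]
        q.append(now)
        while q and q[0] <= now - self.window_y:   # forget failures older than Y
            q.popleft()
        if len(q) >= limit:
            self._until[kind][key] = now + self.lock_n
            q.clear()

    def attempt(self, account, ip, password_ok, now):
        """Return 'ok', 'bad_password', 'ip_blocked' or 'account_locked'."""
        # The IP is checked first: a blocked source never reaches the
        # per-account counter, so it cannot keep pushing a victim to lockout.
        if self._blocked("ip", ip, now):
            return "ip_blocked"
        if self._blocked("account", account, now):
            return "account_locked"
        if password_ok:
            return "ok"
        self._record("ip", ip, now, self.x_ip)
        self._record("account", account, now, self.x_account)
        return "bad_password"


def credential_stuffing_demo():
    """Constructed run: one source tries one username/password pair per account."""
    t = LoginThrottle()
    results = [t.attempt(f"user{i}", "203.0.113.7", False, now=i) for i in range(25)]
    # The real owner of user3 logs in from another address meanwhile.
    owner = t.attempt("user3", "198.51.100.20", True, now=30)
    return results, owner


def single_source_griefing_demo():
    """Constructed run: one source hammers a single account with bad passwords."""
    t = LoginThrottle()
    results = [t.attempt("victim", "203.0.113.7", False, now=i) for i in range(8)]
    owner = t.attempt("victim", "198.51.100.20", True, now=10)
    return results, owner


if __name__ == "__main__":
    print(credential_stuffing_demo())
    print(single_source_griefing_demo())
```

Failures that arrive from many different addresses still add up on the account counter, so the account threshold and lock duration remain a denial-of-service trade-off.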
Nova Fox
Gallente Novafox Shipyards
|
Posted - 2010.03.22 20:05:00 -
[17]
Originally by: Jimer Lins Among the better ways to defeat brute-force attacks:
After X invalid login attempts (optionally within Y window), account is disabled for N hours and cannot be accessed.
Griefing and getting people's accounts disabled can be addressed by autoblocking IP source of invalid login attempts from ANY access to ANY account. Also, allow people to change their login name if it becomes exposed, preventing further griefing.
I'm sure this and many other things are being discussed, but it's disheartening to see that the actual measures being implemented are arguably WORSE for security, and the net effect is mostly to reduce forum usage because people can't be arsed to go through the login every time they browse over to the forums.
I'll bet the forum use logs show a marked decrease in post volume, but a smaller decrease in reads, particularly by users not logged in.
You're not thinking Goonswarm enough.
Need to think how Goonswarm would abuse it, you always have to.
Pre-order your Sisters of ≡v≡ Exploration ship today, Updated 24FEB10
|
Amerilia
|
Posted - 2010.03.22 20:09:00 -
[18]
Originally by: Blane Xero Edited by: Blane Xero on 22/03/2010 18:15:18
Originally by: Professor Tarantula
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
I'm using Firefox, however I log into multiple accounts regularly on the website and forums, and firefox does not (or did not) differentiate from the forums and account management so having it remember my password somewhere meant it would remember ONE password and I would have to manually remove it if i didn't want to accidentally try the wrong password when logging into a different account etc etc, long story short i disabled it on www.eveonline.com and such, also what the poster above me said. I kill my cookies every time i kill my browser- Much more secure than saving a password within my browser 24/7
The remember me feature worked. Simple as that.
Maybe give Opera a try? it can save multiple accounts and gives you the option to select the username on auto fill in
|
Alchemist Zemont
Gallente Hysteria Nexus
|
Posted - 2010.03.22 20:20:00 -
[19]
I heard the security change was to stop trolls from trollan, since we haven't seen a 'bad' bot thread ie wii sex toy in months I am assuming CCP is anti-troll now
This means war! ______________________________________ Due to a high amount of tears and childish behaviour I won't say anything negative, wouldn't want to make any more people cry :'( |
Blane Xero
Amarr The Firestorm Cartel
|
Posted - 2010.03.22 20:21:00 -
[20]
Originally by: Amerilia
Originally by: Blane Xero Edited by: Blane Xero on 22/03/2010 18:15:18
Originally by: Professor Tarantula
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
I'm using Firefox, however I log into multiple accounts regularly on the website and forums, and firefox does not (or did not) differentiate from the forums and account management so having it remember my password somewhere meant it would remember ONE password and I would have to manually remove it if i didn't want to accidentally try the wrong password when logging into a different account etc etc, long story short i disabled it on www.eveonline.com and such, also what the poster above me said. I kill my cookies every time i kill my browser- Much more secure than saving a password within my browser 24/7
The remember me feature worked. Simple as that.
Maybe give Opera a try? it can save multiple accounts and gives you the option to select the username on auto fill in
Firefox already does that with Autoformfill. I just prefer firefox IMO. Linkification, Adblock Plus, Download Statusbar, APNG Editor (A rare gem) and Finally Check4Change. Oh and my lovely little skin (Lavafox Blue) as well as having three separate search bars.
I just prefer firefox, let's not derail this thread Mkay? _____________________________________ Haruhiist since December 2008
Originally by: CCP Fallout :facepalm:
|
|
Amerilia
|
Posted - 2010.03.22 20:27:00 -
[21]
Originally by: Blane Xero
Originally by: Amerilia
Originally by: Blane Xero Edited by: Blane Xero on 22/03/2010 18:15:18
Originally by: Professor Tarantula
You using IE or something? Firefox asks if you'd like it to remember any password you use.
I'm using Firefox, however I log into multiple accounts regularly on the website and forums, and firefox does not (or did not) differentiate from the forums and account management so having it remember my password somewhere meant it would remember ONE password and I would have to manually remove it if i didn't want to accidentally try the wrong password when logging into a different account etc etc, long story short i disabled it on www.eveonline.com and such, also what the poster above me said. I kill my cookies every time i kill my browser- Much more secure than saving a password within my browser 24/7
The remember me feature worked. Simple as that.
Maybe give Opera a try? it can save multiple accounts and gives you the option to select the username on auto fill in
Firefox already does that with Autoformfill. I just prefer firefox IMO. Linkification, Adblock Plus, Download Statusbar, APNG Editor (A rare gem) and Finally Check4Change. Oh and my lovely little skin (Lavafox Blue) as well as having three separate search bars.
I just prefer firefox, let's not derail this thread Mkay?
You would be surprised how much of that is in Opera too, but yeah let's stop here
|
small chimp
|
Posted - 2010.03.22 20:55:00 -
[22]
Well thanks GM TYRANT (no offense intended hehe). Knowing this will make these new security measures a little less painful but still.
The devs have been talking/promising new semi-working security measures for ages but well... Well you really should do something if you can't ban those brutes that are reaping (-e)innocent forum users. :(
Hundreds of thousands of them!? That's even worse than mass murder (in game).
|
Lucifer's Ghost
Minmatar Native Freshfood
|
Posted - 2010.03.23 00:51:00 -
[23]
Edited by: Lucifer's Ghost on 23/03/2010 00:51:52
A step in the right direction. I will bring up the subject of RSA key fobs as nobody has brought it up yet that I have seen (might have missed it, if so, sorry).
I personally would be happy to pay a bit more for the added layer of security an RSA key would entail.
It would be nice to know if CCP is considering the idea, or has simply rejected it out of hand. -------------------------------------------------- Real Men Pod Tank |
Merin Ryskin
Peregrine Industries
|
Posted - 2010.03.23 01:48:00 -
[24]
Now how about just fixing it so that the forums will actually keep you logged in and remember your settings?
|
Doctor Ungabungas
Caldari GoonWaffe SOLODRAKBANSOLODRAKBANSO
|
Posted - 2010.03.23 08:51:00 -
[25]
I'm sure it's been mentioned before, but a hardware token (or iPhone app that uses the same concepts) would be really really good.
|
Smagd
Encina Technologies Namtz' aar K'in
|
Posted - 2010.03.23 09:14:00 -
[26]
Nice to see work is being done on this!
Originally by: Doctor Ungabungas I'm sure it's been mentioned before, but a hardware token (or iPhone app that uses the same concepts) would be really really good.
Those tokens protect only those who are already aware of the issue.
Additionally, once your machine is infected even tokens are useless: It's almost as easy to log token number as it is to log key presses.
And a shipping cost of $20 for a $5 item makes the EVE Store way too overpriced for this to work.
And lastly, the CSM has discussed all this with CCP over a year ago.
|
Qoi
New Eden Warriors
|
Posted - 2010.03.23 10:19:00 -
[27]
Originally by: Smagd
Additionally, once your machine is infected even tokens are useless: It's almost as easy to log token number as it is to log key presses.
Yes and it's totally useless to log the tokens. They are one time only passwords - you will have to intercept the browser/client and inject your own malicious requests, which is probably a little bit more complicated than just sending the user/password combination to your webserver on a tropical island, for later use.
Security does not have to be unbreakable, but it has to be more expensive to break it than you can get back from selling ISK on ebay - a SecurID token will probably help.
|
Ariane VoxDei
|
Posted - 2010.03.23 12:06:00 -
[28]
Edited by: Ariane VoxDei on 23/03/2010 12:07:23 edit: corrected double-negative.
Grimmi, speaking of forum/account security, when are you guys going to drop the: "Logged in as %accountname, %charname" bit?
When you are logged in, that is on every forum page. Char name is one thing, since you are posting with it. Accountname is quite another.
I can see the use for people who are so understaffed on the first floor that they can not manage to remember who they logged in as, but it is a bad practice to send that out. Just like the dorks who don't mask out their loginnames when they post screenshots of their linux shells - forgetting that it is a handy bit of information for name+pw libraries, like you mentioned.
It is assuming that anyone that should not be seeing it, is not looking for it. Shouldersurfing, maybe a sleazy tech running your school/workplace/netcafe/hotspot/ISP's in-line cacheproxy.
At least the login itself is a HTTPS act. The rest of the forum is not, whether logged in or not.
|
Ran Khanon
Amarr Vengeance Innovations
|
Posted - 2010.03.23 12:38:00 -
[29]
Character check is ok but still just patching a problem where surgery is needed.
Separate forum account names and passwords please. I hope you guys are planning that.
Help us to make parrots game related today! |
Agent Unknown
Caldari
|
Posted - 2010.03.23 14:32:00 -
[30]
Originally by: Paknac Queltel
Originally by: Professor Tarantula
Originally by: Blane Xero Can you, pretty, pretty please, return the "Remember Me" button, even if you have to be logged in and have to answer some random security question first to trigger it instead of selecting it at the login section? Please? Typing out my password over and over every time the forums kick me off isn't fun.
You using IE or something? Firefox asks if you'd like it to remember any password you use.
Because, you know, browser cache is a secure place to keep your passwords, that malware won't read at all.
Also, every time you log out, even automatically, all the unread flags clear.
Most browsers store username/passwords for autocomplete encrypted with a master password (IE doesn't though). When you log in, your session key determines your login by comparing it with information on the web server; if something doesn't match, the cookie is considered invalid (IP address, etc). By the way, this is my signature.
TeamSpeak For EVE - API-controlled TeamSpeak 3 Access!
|
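The cookie model argued for in this thread, as an added example rather than CCP's implementation: a forum-only login token that cannot be reversed to a password, is checked against server-side state (including the source address, as the post above describes), and never substitutes for the password on critical actions. The store, the action names and the strict IP binding are assumptions for illustration.

```python
import hashlib
import secrets
import time

FORUM_ACTIONS = {"read", "post"}                    # allowed with the cookie alone
CRITICAL_ACTIONS = {"change_password", "billing"}   # always need the password again


class RememberMeStore:
    def __init__(self, lifetime=14 * 24 * 3600):
        self.lifetime = lifetime
        self._rows = {}   # sha256(token) -> (account, ip, expires)

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is kept, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, ip, now=None):
        """Called after a successful password login; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # random, unrelated to the password
        self._rows[self._digest(token)] = (account, ip, now + self.lifetime)
        return token

    def authorize(self, token, ip, action, password_verified=False, now=None):
        """Return the account name if the action is allowed, else None."""
        now = time.time() if now is None else now
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        account, bound_ip, expires = row
        if now >= expires or ip != bound_ip:
            del self._rows[key]   # expired or seen from another address: kill it
            return None
        if action in FORUM_ACTIONS:
            return account
        if action in CRITICAL_ACTIONS and password_verified:
            return account
        return None

    def revoke_all(self, account):
        """For example on password change: every outstanding cookie stops working."""
        self._rows = {k: v for k, v in self._rows.items() if v[0] != account}


def demo():
    """Constructed walk-through with documentation-range addresses."""
    store = RememberMeStore()
    home, other = "198.51.100.20", "203.0.113.7"
    cookie = store.issue("constructed_user", home, now=0)
    return {
        "post": store.authorize(cookie, home, "post", now=60),
        "billing_cookie_only": store.authorize(cookie, home, "billing", now=60),
        "billing_with_password": store.authorize(cookie, home, "billing", True, now=60),
        "copied_elsewhere": store.authorize(cookie, other, "post", now=120),
        "after_invalidation": store.authorize(cookie, home, "post", now=180),
    }


if __name__ == "__main__":
    print(demo())
```

Strict address binding also logs out users whose address changes between visits, so a deployment has to weigh that against the protection it gives.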