Neutrino Sunset
Bene Gesserit ChapterHouse
|
Posted - 2010.05.11 11:26:00 -
[61]
Why should I have to fill in 2 separate forms to log in to the forum? Why after filling in the two separate forms to log in, after composing my post do I then have to log in all over again?
Out of interest where did you spend the effort to 'minimize the annoyance to users' mentioned in the OP? Because I see zero evidence of it whatsoever.
Originally by: "Captain Pompous" I don't pay my subscription for you to treat me like a mental invalid and assume that I'm an inept fool who can't be trusted with anything. Seriously, find some proper solutions rather than shouldering all of these onerous burdens (the warning link, the auto logout, the need to re-enter password details again and ****ing again) on us.
Originally by: "Ran Khanon" Separate forum account names and passwords please. I hope you guys are planning that.
Originally by: "Vaerah Vahrokha" I also miss how all of this is smarter to do than just decoupling forum credentials off the game credentials. Edit: and imposing them being different.
I fail to comprehend how even after your own users repeatedly telling you the solution to this issue you still remain oblivious of how to remedy this ridiculous situation. This forum is easily the worst I have ever encountered in pretty much every respect.
|

Winet
SPORADIC MOVEMENT Cult of War
|
Posted - 2010.05.26 22:15:00 -
[62]
I bank with a bank - is this enough
CEO ANATOLIAN DILIGENTIA |

Vertical
Amarr
|
Posted - 2010.05.27 02:07:00 -
[63]
Edited by: Vertical on 27/05/2010 02:14:20
--------------------------------------------------------------------------------
I am sorry I can not see any improvements about the new security measures. Any program which brute forces its way until that point, that it is asked what char the account has, is already lost. Why? Well because one only has to use the login/pw which was hacked (just before the website asks you for char name of account) to login into EvE and look what chars one has. Then put in the name in website and 'voila' u are in just as before.
Think again?
EDIT: There are so many Anti-Keylog applications out there, keyloggers should have a hard time logging anything. I am surprised that CCP does not automatically ban IP addresses when they have failed to log in more than - let's say - 5 or 10 times.
Can you explain?
|

Reiisha
Evolution IT Alliance
|
Posted - 2010.06.03 01:13:00 -
[64]
Originally by: Vertical I am sorry I can not see any improvements about the new security measures. Any program which brute forces its way until that point, that it is asked what char the account has, is already lost. Why? Well because one only has to use the login/pw which was hacked (just before the website asks you for char name of account) to login into EvE and look what chars one has. Then put in the name in website and 'voila' u are in just as before.
Brute forcing is when you know the username and are trying to find the right password. It keeps putting in the same username and tries new passwords until it finds the right one. This has nothing to do with keyloggers - This is simply people who find out that your account name might be same as your character name, and use that information to "brute force" the account like I described. Keyloggers are a completely different problem.
"If you do things right, people won't be sure you've done anything at all"
|

DeODokktor
Caldari Dark Templars The Fonz Presidium
|
Posted - 2010.06.23 00:15:00 -
[65]
Originally by: Dabljuh Edited by: Dabljuh on 03/05/2010 15:59:14
Originally by: Kolatha For those who keep going on an on about "all you have to do is block ip/mac addresses" please refer to the following two documents.
IP Spoofing
MAC Spoofing
Basically it is no effort at all to have each brute force attempt use a new randomly generated address. From my understanding and experience this is how some brute force attacks already operate. I know that DOS attacks use this as well.
I'm sorry, but that's not how IP spoofing works. Or rather: You can't combine brute forcing and IP spoofing. IP spoofing works for dumb SYNflood/bandwidth DOS attacks, but password cracking attacks require a valid IP. There's no excuse other than gross negligence for failing to prevent brute force attacks aggressively.
Besides, mac spoofing is to my knowledge irrelevant on the internet. (that is to say, outside a LAN/WAN) Owners of dynamic internet connections can sometimes use mac spoofing to receive new IP addresses from their ISP, if said ISP is (mis)configured that way.
Originally by: Kolatha See my comments above about IP/MAC address spoofing and the recent issue I had to deal with. One disgruntled attacker with a small botnet can pretty much lock out the entire eve community if you implement this level of automated IP blocking.
Needless to say, there is no point in blocking the attacking IPs in a simple flood attack, as they are going to be spoofed anyways. However this is very different from a password attack, where IP-level blocking is both effective and desirable. I guess either your security setup is even more screwed up than CCP's, or you do not understand the fundamental differences in requirements on the IP layer between a flood/DOS and a password cracking attack.
/*Signed*/...
The thing is, that too many people think that spoofing is so easy that you should ignore IP filtering, the truth is, if they put IP filtering into place it would just mean more work, and that's why it's not happening...
It's much easier to just close accounts after they get hacked, and wait for the account holder to verify sign up details that they used years ago before they switched to ETCs.....
Puns aside, They should put in IP filters..
For those people who say IP Spoofing is still possible, the simple answer is, no it's not... Not for this!... You can test this, simple mechanics....
Buy yourself a new QFHD 50" TV, use your credit card, but here's the fun part, SPOOF the Delivery Address, that's right, use some guys addy who lives in another state, just pick it at random!!!....
When your TV doesn't get delivered to your house, you can try and decide why IP Spoofing for password cracking doesn't work well ;).
-----------
Never Forget the joy of finding a main to link to a scammer alt. N-y-p-h-u-r ! ! |
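
The posts above argue over blocking a source address after "5 or 10" failed logins and over whether such blocking could lock legitimate users out. As an added example (not part of any post and not CCP's code), the sketch below throttles by source IP only and never locks the account; the thresholds, names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold (the thread floats "5 or 10")
WINDOW_SECONDS = 600   # assumed: failures older than this no longer count
BLOCK_SECONDS = 900    # assumed: how long a source IP is refused


class LoginThrottle:
    """Throttle password guessing per source IP, leaving the account usable."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def allowed(self, ip, now):
        return now >= self.blocked_until.get(ip, 0)

    def record_failure(self, ip, now):
        """Count a failed login; return True if the IP is now blocked."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        # Successes deliberately do not reset the count, so a guesser cannot
        # clear it by interleaving logins to an account they already own.
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            recent.clear()
            return True
        return False


def replay(events):
    """Replay (time, ip, account, password_ok) tuples; return each outcome."""
    throttle = LoginThrottle()
    outcomes = []
    for now, ip, _account, password_ok in events:
        if not throttle.allowed(ip, now):
            outcomes.append("refused")      # password is not even checked
        elif password_ok:
            outcomes.append("ok")
        else:
            throttle.record_failure(ip, now)
            outcomes.append("failed")
    return outcomes


# Constructed sample: one address guessing against "pilot1" while the real
# owner logs in from elsewhere (addresses are from documentation ranges).
SAMPLE_EVENTS = [(t, "203.0.113.7", "pilot1", False) for t in range(5)] + [
    (5, "203.0.113.7", "pilot1", False),
    (6, "198.51.100.20", "pilot1", True),
    (1000, "203.0.113.7", "pilot1", False),
]
```

Because the block is keyed on the source address, the owner's login at t=6 still succeeds while the guessing address is refused. Guessing spread across many addresses stays under a per-IP threshold, so this is one layer rather than a complete control.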

Deceduto
ANZAC ALLIANCE IT Alliance
|
Posted - 2010.06.23 02:05:00 -
[66]
I really don't care for it since I moved out of the USA. It asks me all the time for verification and over half the time it fails to log me in even if I give it the correct info it has asked. Hope they can work out the bugs soon.
|

VicturusTeSaluto
Metafarmers MeatSausage EXPRESS
|
Posted - 2010.06.23 21:45:00 -
[67]
Glad that CCP admits that the main problem is some sort of brute force attack. Another reason why they should start by banning the entire Chinese ip range.
Aside from that, there really needs to be better security in place. Such as if someone wants to change the password - or log in from an unusual location - CCP sends a text message to my phone, and then I would need to enter the authentication number received on my phone to change the password or log in or whatever.
|

Jerunk
|
Posted - 2010.06.23 22:08:00 -
[68]
If any of you play Lord of the Rings online, you may well know Codemasters blocked the entire Chinese IP range, now despite a lot of controversy I for one can say it worked.
The server I played on had a horde of 1 week old chars spamming links to gold selling sites in the main cities (Bree) (Thorins Gate) for those who know and a horde of gold farmers, chars that never logged off, and flooded the in game Auction house with overpriced goods.
Anyhow after this happened all of these things stopped. Instantly. Now from a personal viewpoint I thought it worked perfectly, and tbh I didn't really agree with it at first, but the response from the community was really positive.
I wonder if macro miners would disappear entirely if eve did the same??
|

Tonto Auri
Vhero' Multipurpose Corp
|
Posted - 2010.06.24 23:00:00 -
[69]
Your password must:
Be between 6 and 64 characters long
Contain at least one uppercase letter
Contain at least one lowercase letter
Contain at least one number
So, I take it the special characters in password aren't treated as secure enough? -- Thanks CCP for cu |

Seven Seas
Beach Boys
|
Posted - 2010.06.25 06:15:00 -
[70]
thx CCP ....now i have no means of reactivating some of my 45 accounts because i don't remember char name when i'm being challenged :)
|
|

Spurty
Caldari D00M. RED.OverLord
|
Posted - 2010.06.27 21:13:00 -
[71]
Originally by: Seven Seas thx CCP ....now i have no means of reactivating some of my 45 accounts because i don't remember char name when i'm being challenged :)
You alone were funding CCP's tea lady.
NAPS: forcing you to play 'their' game |

Vertical
Amarr Relentless Enterprises
|
Posted - 2010.07.01 06:58:00 -
[72]
Originally by: Reiisha
Originally by: Vertical I am sorry I can not see any improvements about the new security measures. Any program which brute forces its way until that point, that it is asked what char the account has, is already lost. Why? Well because one only has to use the login/pw which was hacked (just before the website asks you for char name of account) to login into EvE and look what chars one has. Then put in the name in website and 'voila' u are in just as before.
Brute forcing is when you know the username and are trying to find the right password. It keeps putting in the same username and tries new passwords until it finds the right one. This has nothing to do with key loggers - This is simply people who find out that your account name might be same as your character name, and use that information to "brute force" the account like I described. Key loggers are a completely different problem.
You're right, my fault. But if someone already has login and pw, what sense does it make to ask for character name if the same person can log into Eve with the client and get all info he/she/it needs? It looks more a hurdle for us legit users, don't you think?
|

Smagd
Encina Technologies Namtz' aar K'in
|
Posted - 2010.07.04 16:42:00 -
[73]
Edited by: Smagd on 04/07/2010 16:42:55
At current count, there are at least six different ways to log in to an official EVE site using account details, which is in itself a security issue you have promised to address in the past.
Only one of them is protected by a single additional question, the answer of which can be easily found out using at least two of the other methods (EVE Gate and the Game Client) or a keylogger.
All you did was add Security Theater for Marketing to sell.
I hope it didn't take too much man power.
|