dexington
Lysergic.acid.diethylamide
53
|
Posted - 2012.07.17 08:08:00 -
[1] - Quote
Chokichi Ozuwara wrote: Captcha does nothing to secure your account. Bots are designed to capture captchas and fire them off to third party solving services (manual and automated) which beat them easily.
Adding this would be stupid. It would be like 2008 all over again.
It protects your account against brute force attacks, or at least makes the process of brute force attacks slow and expensive if there is no way to decode the answer without human interaction. |
dexington
Lysergic.acid.diethylamide
53
|
Posted - 2012.07.17 09:33:00 -
[2] - Quote
Terrorfrodo wrote: To protect against brute force attacks, they could just throttle login attempts: When you enter a wrong password twice, you can't attempt another login until three minutes have passed. Brute-forcing an account would take a looong time then.
That works well against brute force attacks that target a single account, but is very ineffective against other automated attacks that simultaneously attack multiple accounts.
|
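Added example (not part of the thread and not any poster's code): the throttle described in the quote above (two wrong passwords, then a three-minute lock) replayed over constructed login events, next to a per-source count of distinct failed accounts. The per-source window and threshold, the IP addresses and the account names are assumptions made for the illustration.

```python
from collections import defaultdict, deque

LOCK_AFTER = 2        # wrong passwords before the account locks (from the post)
LOCK_SECONDS = 180    # three-minute lock (from the post)
SRC_WINDOW = 600      # assumed look-back window for the per-source counter
SRC_MAX_ACCOUNTS = 5  # assumed: distinct failed accounts per source before flagging

def analyse(events):
    """events: (ts_seconds, source_ip, account, success) tuples sorted by time.
    Returns (attempts rejected by the per-account throttle, flagged sources)."""
    fails = defaultdict(int)      # consecutive failures per account
    locked_until = {}             # account -> time the lock expires
    recent = defaultdict(deque)   # source -> recent (ts, account) failures
    throttled, flagged = 0, set()
    for ts, src, acct, ok in events:
        if locked_until.get(acct, 0) > ts:
            throttled += 1        # the per-account throttle rejects this attempt
            continue
        if ok:
            fails[acct] = 0
            continue
        fails[acct] += 1
        if fails[acct] >= LOCK_AFTER:
            locked_until[acct] = ts + LOCK_SECONDS
            fails[acct] = 0
        q = recent[src]
        q.append((ts, acct))
        while q and q[0][0] <= ts - SRC_WINDOW:
            q.popleft()           # forget failures older than the window
        if len({a for _, a in q}) >= SRC_MAX_ACCOUNTS:
            flagged.add(src)      # one source failing against many accounts
    return throttled, flagged

def single_account_sample():
    # Constructed: one source, six wrong passwords on one account, 10 s apart.
    return [(t, "198.51.100.7", "alice", False) for t in range(0, 60, 10)]

def multi_account_sample():
    # Constructed: one source, one wrong password on each of eight accounts.
    return [(t, "203.0.113.9", f"user{t}", False) for t in range(8)]

if __name__ == "__main__":
    print(analyse(single_account_sample()))  # throttle engages, nothing flagged
    print(analyse(multi_account_sample()))   # throttle never engages, source flagged
```
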
dexington
Lysergic.acid.diethylamide
53
|
Posted - 2012.07.17 13:42:00 -
[3] - Quote
Random Celestial wrote:
dexington wrote:
Chokichi Ozuwara wrote: Captcha does nothing to secure your account. Bots are designed to capture captchas and fire them off to third party solving services (manual and automated) which beat them easily. Adding this would be stupid. It would be like 2008 all over again.
It protects your account against brute force attacks, or at least makes the process of brute force attacks slow and expensive if there is no way to decode the answer without human interaction.
You can buy 1000 captcha solves for $1.37 USD. <- Runs craigslist bots for car dealers, CL dropped captchas now though.
Having to spend $1.37 to check the 1000 commonly used passwords, with a paper trail to the company doing the captcha solving, is really not a sweet deal.
You are right, captcha is not going to stop all attacks, but at some point attackers are going to look for easier targets. You can probably find a lot of corp websites or 3rd party forums with a decent amount of active users; if they have a login mechanic, there is a good chance you can find some combination of username/email/password that would enable you to access some/several EVE accounts.
In the end it's probably going to be easier to find a security vulnerability in a 3rd party web site than trying to brute force accounts on a CCP-owned site, with or without captcha, but each layer of security makes the target less attractive. |
dexington
Lysergic.acid.diethylamide
53
|
Posted - 2012.07.18 06:25:00 -
[4] - Quote
Vitamin B12 wrote: Brute force needs to be addressed on the server side (CCP), not on the client. If a file is on my computer I can modify it. That is really bad and weak protection. Never give the user control over something.
I'm not sure I get your point; the image is generated server side and sent to the client. You can modify the image as you like, but the server is still going to require the correct answer associated with the image to grant you access to the system.
|
dexington
Lysergic.acid.diethylamide
54
|
Posted - 2012.07.18 08:35:00 -
[5] - Quote
Haffsol wrote: is https too easy to implement or what?
It's two different things; https is applying an application layer cryptographic protocol to the http protocol, http + ssl. This is used to avoid eavesdropping and tampering of the data sent between two computers.
Captcha is primarily a means to try and force human interaction in a given process, most often the login process. |
dexington
Lysergic.acid.diethylamide
55
|
Posted - 2012.07.18 13:18:00 -
[6] - Quote
Lilliana Stelles wrote: Just so long as I don't have to carry around a plastic authenticator to play the game.
If/when two-factor authentication is added, I think it's going to be optional to use it; at least that is how it was implemented in other popular MMOs. |
dexington
102
|
Posted - 2012.07.31 09:47:00 -
[7] - Quote
Haffsol wrote:
Quote:
Quote: is https too easy to implement or what?
It's two different things; https is applying an application layer cryptographic protocol to the http protocol, http + ssl. This is used to avoid eavesdropping and tampering of the data sent between two computers.
So if you consider your PC secure from a physical point of view, and you don't store your passwords in a file called EVE-PASSWORDS-OF-ALL-MY-ACCOUNTS.DOC on your desktop, then https should be just the way to go.
SSL/HTTPS does not protect you against automated attacks that are trying to guess your password, which is what CAPTCHA tries to do.
Besides, I think user authentication is already done over a secure connection.
"The best way to keep something bad from happening is to see it ahead of time, and you can't see it if you refuse to face the possibility." |