CCP Sreegs
C C P C C P Alliance
Posted - 2010.11.19 21:10:00 -
[61]
Originally by: Furb Killer
It is quite simple, you have to choose which method is the smallest security risk. And if people have access to your house already they can do anything anyway, like installing keyloggers. It is just impossible to expect everyone to have different logins for every different site, with different passwords that are all 'good' passwords.
If your house were the only place you used your passwords then I'd agree. It's a difficult issue, to be clear. Oftentimes the recommendation (such as use a different password everywhere) is somewhat unrealistic, which is probably what they're speaking to. I do think though that we can aim for the moon and hope at least some of us breach the atmosphere, which is typically the intent. Were I to say "Eve players use a unique password for Eve and write it on your monitor" then the second some dude's dorm-mate steals his account I've given bad advice. How you remember your password is a problem as unique to you as how many passwords you need to remember. In an Eve bubble, having a unique password is the best advice I can give.
I'd rather just solve the problem better. No one solution really works for everyone, as is evident by the number of people who have a really hard time remembering the names of their characters. I'm not saying there's anything wrong with them, we're all different dudes; I have to keep a running list of things to do or I forget. I'm just saying that no solution will ever work for everyone, so we need to try to reach the largest subset of people. That's what we were aiming for with the username auth, and what we'll be focusing on with future solutions. The customer experience is ALWAYS a part of the consideration.
CCP Sreegs
C C P C C P Alliance
Posted - 2010.11.19 21:11:00 -
[62]
Originally by: Zirator @ CCP Sreegs
I was wondering if the character transfer mechanism can be changed?
I think it's pretty ******ed that I have to give up one of the 2 secret parts of my login credential to receive a character.
Can't it be changed to either the name of a character on the receiving account or a random code that's unique for each account and that can be seen on the account management section of the receiving party?
I'm currently interested in buying a character for one of my accounts but this is keeping me from doing it. And creating a 4th account just to receive characters on and then transferring them to one of my main accounts isn't an option either.
Wondering if you could give us some feedback on this.
I am aware of this issue and will look into it. I can't promise a timeframe or even a change at this point however.
Milo Caman
Gallente Anshar Incorporated
Posted - 2010.11.19 21:13:00 -
[63]
Anything in place to stop password guessing/brute force and such?
Last I checked, EVE didn't block logins for any amount of time if you got your password wrong 30 times.
The Snowman
Gallente The Ascension
Posted - 2010.11.19 21:15:00 -
[64]
I can offer some good advice for people wondering how on earth to remember so many passwords:
OK, so you realise that writing down your login and password ANYWHERE is a risk; as soon as it leaves the security of your brain it is at risk, no matter what measures you use. You can try selecting 3 or 4 passwords that you use for most things, but as the blog points out, any kind of pattern means that if one password is compromised, many other accounts are compromised.
One thing about this method however is remembering your username. Theoretically if someone knows your username it shouldn't matter, so long as they don't know your password. That's not to say you should use a simple username though; always use numbers + characters.
So, this method involves using a 'magic' word which only you know, or, if you want to go a step further, multiple magic words.
Rather than explain it, I'll illustrate it.
Let's say your 3 magic words are something like FatEGG22, 1PinkArse2, Nerfdrakesss.
You have magic word 1, magic word 2 and magic word 3. You don't write these words down anywhere but you do know them.
What you do however is make your REAL password something like me1beans. Write this password down ANYWHERE; personally I enter them into a list on my BlackBerry.
Anyone looking at this password will think, aha, I have the password, but it doesn't work. Why? Because the REAL password is meFatEGG22beans.
Do you see what I did there? The number 1 in the written-down password actually indicates 'insert magic word 1'.
Now you can write down every single password on any piece of paper or anywhere, knowing that it's entirely safe because no one knows your magic words, right?
Trust me, once you employ this method for all your passwords, for anything! Not just online accounts.
Hope this helps you manage passwords in this modern digital age.
CCP Sreegs
C C P C C P Alliance
Posted - 2010.11.19 21:15:00 -
[65]
Originally by: Milo Caman Anything in place to stop password guessing/brute force and such?
Last I checked, EVE didn't block logins for any amount of time if you got your password wrong 30 times.
There are protections for this. There will be more. I can't get into specifics here except to say that what you're saying is known and protections are still in place.
Caldari Citizen4714
Posted - 2010.11.19 21:51:00 -
[66]
Edited by: Caldari Citizen4714 on 19/11/2010 21:53:37
Originally by: CCP Sreegs
Originally by: BenjaminBarker Does this mean we're never getting keyfob tokens for account security?
No this does not mean that.
Wow, one of the clearest answers I've ever seen from CCP.
Seriously, I am not being sarcastic. Thanks, we love it when you do that.
My thoughts:
Generally good recommendations, but...
Changing your password frequently is foolish. Look at the list of ways to get your account stolen. It doesn't actually prevent a single one! If you give your login details to someone, they effectively have your items already, or can, in literally seconds. What good is changing it 29.99984 days later (that gives them 30 days less the five minutes it'll take to clean you out) gonna do? Even better, it often leads to writing the password down, which is worse. And everybody with the slightest experience with IT security already knows, everybody just increments a number in their password somewhere (usually on the end) if you make them change it often, so it's pretty annoying and not at all effective, since, if they have an old one, they'll just increment your number (which is always obvious) and keep trying till they get the current one.
Just look at debit cards: how often do you have to change your ATM PIN? That's right, never, because it's stupid.
If you really wanted to help, you'd let us save passwords (via one-way hash) in the client again so that we don't risk exposing them to trojans/keyloggers every time we log in instead of just once, or give us optional FOBs.
Recommending changing it frequently is a frantic, desperate, and annoying attempt to force clueless users to not be foolhardy with their computers/logins, and it doesn't work because the problem is the user is generally unaffected and remains a clueless, foolhardy user.
The people who agree with all these recommendations are already doing them and don't need to be told.
Ugh, security theater < security.
- Support DISBANDING the Alliance CCP Renamed at the Alliance's Request
xXxCCxXx
Ray of Matar Assembly
Posted - 2010.11.19 22:32:00 -
[67]
Remove sent buddy invites in the EVE account management... that will reduce the number of emails to hack.
Hratli Smirks
GoonWaffe Goonswarm Federation
Posted - 2010.11.19 22:34:00 -
[68]
Would "onehundredfiftydollarsworthofharmonicas" be a good password?
(CCP Ahuj9)
Ulair Memmet
ORIGIN SYSTEMS Ethereal Dawn
Posted - 2010.11.19 23:11:00 -
[69]
Sandboxie is pretty awesome. Thanks for that tip.
adriaans
Amarr Ankaa.
Posted - 2010.11.19 23:22:00 -
[70]
Ability to change login name would have been nice for those of us who are extra paranoid.
Daneel Trevize
Black Viper Nomads
Posted - 2010.11.20 00:14:00 -
[71]
Edited by: Daneel Trevize on 20/11/2010 00:14:50
I'd hope the login thing has exponential backoff/delay (I CBA/don't want to risk testing). Plus there's the challenge about logging in from an unknown location and having to name a char on that account.
As a fan of the FOSS way of things, I'd argue there shouldn't be a need to be secretive about the safeguards; security through obscurity doesn't work. If we can see the mechanisms we can see any mistakes and help improve, because currently any attacker could create a throwaway temp account to probe your mechanisms so they can study them anyway.
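The per-account exponential backoff Daneel hopes for (and the brute-force question Milo raised earlier in the thread), as an added illustration that is not CCP's code and not a description of EVE's actual login protections: each consecutive failure doubles the lockout, the password is not evaluated at all during a lockout, a failure threshold raises an alert, and a successful login resets the counter. The account name, the hashed credential store and the deterministic clock are constructed for the simulation.

```python
"""Per-account exponential backoff for failed logins (added example, not CCP's
code). The account, credential store and clock below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

BASE_DELAY = 1.0       # seconds of lockout after the first failure
MAX_DELAY = 15 * 60.0  # cap so a legitimate user is never locked out for hours
ALARM_AFTER = 5        # consecutive failures that raise an alert for review


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0  # earliest time at which a new attempt is accepted


@dataclass
class LoginThrottle:
    # Constructed store: user -> (salt, sha256(salt + password)); a production
    # system would use a slow hash such as bcrypt, scrypt or Argon2 instead.
    users: dict
    clock: callable  # injected so the simulation below is deterministic
    state: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _check_password(self, user, password):
        salt, digest = self.users[user]
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)

    def attempt(self, user, password):
        """Returns 'ok', 'bad-password' or 'throttled'."""
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if now < st.not_before:
            return "throttled"  # the password is not even evaluated while locked out
        if user in self.users and self._check_password(user, password):
            self.state[user] = AccountState()  # success resets the counter
            return "ok"
        st.failures += 1
        # Lockout doubles with each consecutive failure: 1s, 2s, 4s, ... up to the cap.
        st.not_before = now + min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        if st.failures == ALARM_AFTER:
            self.alerts.append((user, now))  # hand off to monitoring for review
        return "bad-password"


def simulate_guessing(n_attempts):
    """Constructed run: n wrong guesses against one account, one per second."""
    now = [0.0]
    salt = b"constructed-salt"
    users = {"pilot": (salt, hashlib.sha256(salt + b"correct-password").hexdigest())}
    throttle = LoginThrottle(users=users, clock=lambda: now[0])
    results = []
    for i in range(n_attempts):
        results.append(throttle.attempt("pilot", f"guess{i}"))
        now[0] += 1.0
    return throttle, results
```

With 30 guesses one second apart, only five are ever checked against the stored hash; the other 25 are rejected during a lockout, and the alert fires on the fifth failure.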
Zex Maxwell
Caldari
Posted - 2010.11.20 00:29:00 -
[72]
Edited by: Zex Maxwell on 20/11/2010 00:35:09
CCP Sreegs, I'd like to note that if you do do the external key thingy, keep in mind that some of us have more than one account. I really don't want to buy 3 separate keys for my 3 accounts that I own.
To other players: LastPass is also something you guys can look into. It keeps your password in an encrypted database on the web, so all you need to know is your master STRONG password.
Uh, I forgot. There are also Facebook ads that say "CLICK HERE TO KNOW THE SECRETS OF EVE!" Any way to tell Facebook to pull them damn ads that the ISK sellers make?
CCP Sreegs
C C P C C P Alliance
Posted - 2010.11.20 00:47:00 -
[73]
Originally by: Zex Maxwell Edited by: Zex Maxwell on 20/11/2010 00:35:09 CCP Sreegs, I'd like to note that if you do do the external key thingy, keep in mind that some of us have more than one account. I really don't want to buy 3 separate keys for my 3 accounts that I own.
To other players: LastPass is also something you guys can look into. It keeps your password in an encrypted database on the web, so all you need to know is your master STRONG password.
Uh, I forgot. There are also Facebook ads that say "CLICK HERE TO KNOW THE SECRETS OF EVE!" Any way to tell Facebook to pull them damn ads that the ISK sellers make?
If we were to engage in what you are proposing with two factor auth then multiple accounts would certainly be a concern. I'm not going to endorse any particular app that doesn't exist on your own machine because... well, they have access to your stuff now. I'd prefer to store my stuff locally, personally. I can't speak to how we might deal with any particular company's ads. That's a Legal thing.
Dav Varan
Posted - 2010.11.20 00:50:00 -
[74]
Originally by: Thyme Wasted
Originally by: Dav Varan Edited by: Dav Varan on 19/11/2010 17:36:50
PERMA BAN PEOPLE WHO SUPPORT RMT.
People who buy ISK from RMT'ers are the root cause of account theft.
No customers to sell ISK to for $ = no point in stealing account info.
Scare people away from RMT by promising them if they are caught ALL their accounts will be deleted and they will be permanently banned from EVE.
Great idea, then we can use CCP as a personal hitsquad service: 1) purchase several billion ISK from an RMT site using a trial / PLEX activated acct. 2) distribute it to anyone / corps you don't like. 3) laugh as your enemies and their assets are removed from Eve by CCP.
Why not just have PLEX for bans?
So simple to fix. Do cash transfers like contracts. Both sides have to agree to the transfer.
BenjaminBarker
Posted - 2010.11.20 01:13:00 -
[75]
Originally by: Dav Varan
Originally by: Thyme Wasted
Originally by: Dav Varan Edited by: Dav Varan on 19/11/2010 17:36:50
PERMA BAN PEOPLE WHO SUPPORT RMT.
People who buy ISK from RMT'ers are the root cause of account theft.
No customers to sell ISK to for $ = no point in stealing account info.
Scare people away from RMT by promising them if they are caught ALL their accounts will be deleted and they will be permanently banned from EVE.
Great idea, then we can use CCP as a personal hitsquad service: 1) purchase several billion ISK from an RMT site using a trial / PLEX activated acct. 2) distribute it to anyone / corps you don't like. 3) laugh as your enemies and their assets are removed from Eve by CCP.
Why not just have PLEX for bans?
So simple to fix. Do cash transfers like contracts. Both sides have to agree to the transfer.
Right, 'cause when you send someone a stack of cash for nothing they're going to decline it?
Bomberlocks
Minmatar CTRL-Q
Posted - 2010.11.20 01:36:00 -
[76]
Good blog there Sreegs.
Ashemi Darkhold
hirr Morsus Mihi
Posted - 2010.11.20 01:53:00 -
[77]
Originally by: Chribba I would still very much like to be able to lock my accounts to my static IP...
/c
1000x this
Tres Farmer
Gallente Federation Intelligence Service
Posted - 2010.11.20 02:22:00 -
[78]
Space Dragons? Not sure if OP is seriouz?!
New Eden needs a Public Feature/Idea/Bug-Tracker
Kolatha
Posted - 2010.11.20 02:58:00 -
[79]
One further piece of advice for those who use Gmail.
Check the last account activity.
A quick guide here
Check it regularly, particularly if you use your Gmail account for pretty much everything.
Comstr
Bat Country Goonswarm Federation
Posted - 2010.11.20 03:16:00 -
[80]
What does Sreegs mean?
On topic, I would use an iPhone key generator if it was available.
Considering the amount of customer service time hacking takes up, next time you sell a boxed copy of Eve, add in a free key generator in the box; it will probably get existing players to buy it too. Of course, allow people to buy it separately from the website. And a lot of people will use smartphones anyway.
Will you be working against the botters and RMTers too?
De'Veldrin
Minmatar Green-Core The Obsidian Legion
Posted - 2010.11.20 03:16:00 -
[81]
Originally by: Aiko Intaki
1. Have someone at CCP with an Android/iOS smartphone subscribe to WoW.
2. Have said person enable the added 1-time passkey account security feature.
3. Start WoW, start app.
4. Log into WoW character to see how the 1-time passkey feature works.
5. Apply your new experience to EvE.
DO: Make smartphone apps to generate 1-time passkeys (99% of users).
DO: Sell key generating fobs like Blizzard does for those with 'dumbphones'.
Extra Credit: Give away a free, otherwise unobtainable in-game vanity ship to any account which activates this added security feature for the first time. (WoW, for instance, gives away a mini-Cerberus pet.)
Make it so.
This
(This)^(n^2) where n is (Chribba's Wallet + GDP-Jita) in ISK. --Vel
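The 1-time passkey scheme behind the smartphone authenticator quoted above is standard TOTP (RFC 6238 on top of RFC 4226 HOTP); as an added example that is not CCP's or Blizzard's code, here is the phone side (code generation) and the server side (verification with a small clock-drift window and replay protection). The shared secret is the RFC 6238 test-vector key, and the one-step window either side is an assumption.

```python
"""TOTP second factor: phone-side generation and server-side verification.
Added example, not CCP's or Blizzard's code. The demo secret is the RFC 6238
test-vector key; WINDOW (+/-1 step) is an assumed server policy."""
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code
DIGITS = 6
WINDOW = 1   # accept one step either side to absorb phone/server clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: the counter is the number of whole steps since the Unix epoch.
    This is what the phone app computes and displays for the user to type in."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, at: int, last_counter: int = -1):
    """Server side. Returns (accepted, counter). The caller persists the counter
    of an accepted code so the same code cannot be replayed within the window."""
    base = at // STEP
    for counter in range(max(0, base - WINDOW), base + WINDOW + 1):
        if counter <= last_counter:
            continue  # already consumed (or older than the last accepted one)
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, as carried in an otpauth:// URI / QR code."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    # RFC 6238 test-vector secret; a real deployment generates a random one per account.
    demo_secret = b"12345678901234567890"
    print("enrol with:", provisioning_secret(demo_secret))
    print("code at T=59:", totp(demo_secret, 59))
    print("verify:", verify(demo_secret, totp(demo_secret, 59), 59))
```

Multiple accounts, as Zex raised, are one enrolment (one secret) per account in the same app, not one device per account.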
Shade Millith
Caldari Macabre Votum Morsus Mihi
Posted - 2010.11.20 05:00:00 -
[82]
Recently, I was going to change my PWs, for both my accounts.
I then discovered that I would also be required to use a capital letter, in addition to a number.
So I didn't.
Putting restrictions on PWs doesn't help keep accounts secure; it just means that I'm more and more likely going to HAVE to write the PW down somewhere, along with the 30 other PWs and accounts.
This kind of 'defence' does nothing to shield from a keylogger. And I doubt bruteforcing a PW would work at all; considering the amount of effort you're using to scream to protect our accounts, I'd imagine you'd have a limit of logins before an alarm goes off.
TL;DR I'm sick of your PW limitations, and I'm less secure because of them. They either don't help, or CCP's security is poorly thought out.
Sturmwolke
Posted - 2010.11.20 05:42:00 -
[83]
Have you considered the idea of hooking up the EVE client login to well known password management programs like KeePass (or anything similar)? In fact I wouldn't mind a client that features automated password management for multiple logins, locked down with a master password.
Almost half the bullets relate to how the customers manage their logins and passwords. You also know that it's virtually an impossible task (well not literally, but very difficult) to keep each one unique in the face of all the other website logins out there. The above would naturally improve customer experience and lessen the impact if you were to implement a mandatory password change every 3 months (1-2 months is too severely disruptive).
Two factor authentication will (almost) eliminate the common weaknesses, but it's not without costs (both hardware and customer support) and you're still dilly-dallying about it. I'd just like to leave a note: at this point in time, the prevalent perception is that CCP is passively doing nothing except dispensing verbal advice.... which may/will be read, but eventually forgotten or ignored. You need to be more concrete.
Dominatus Crispus
Nation of Muppets
Posted - 2010.11.20 06:01:00 -
[84]
Originally by: adriaans Ability to change login name would have been nice for those of us who are extra paranoid
^^ this
El Mauru
Amarr Interwebs Cooter Explosion Important Internet Spaceship League
Posted - 2010.11.20 06:09:00 -
[85]
This is me posting to applaud this blog and mentioning that my account has once been "hacked" by guessing obvious passwords and that CCP reacted in a pretty decent way regardless of some time-related inconsistencies.
Hope you keep up your work on both sides of the fence. M.
ceaon
Posted - 2010.11.20 06:26:00 -
[86]
Link related to the blog and stuff: http://www.youtube.com/watch?v=PWvHcoqru7I - take a look from minute 24.
Originally by: CCP Adida The male thread was locked because the discussion turned into transsexuals and man boobs.
timmus
Posted - 2010.11.20 06:30:00 -
[87]
I was hacked today. Someone got into my account, sold my stuff, and put my character on the auction block. I'm still trying to get him off the auction block, and wondering if changing my passwords is enough. I've played EVE the same way for 7 years. I don't buy ISK, I don't buy characters. I don't know how I got hacked but I did. Felt like someone broke into my home. Any chance I'm going to get any ships/items back? Would be nice to hear back on my petitions sooner rather than later. I've picked EVE over a lot of old girlfriends. I hope some hacker can't come in and ruin everything...
Birds Away
Posted - 2010.11.20 07:25:00 -
[88]
Of course, following the guidelines in the blog grants no immunity from being arbitrarily permabanned by CCP.
free karttoon.
SXYGeeK
Gallente do you -Mostly Harmless-
Posted - 2010.11.20 07:33:00 -
[89]
Thanks Sreegs!!! It's good to see someone dedicated to security.
The topic of multi-factor authentication has been discussed quite a bit. I have been pushing the topic in the Assembly Hall, some discussion here... http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1394382
I do believe that as far as protecting individual accounts goes, multi-factor auth may be the single best thing we could have added as an option to secure our accounts: hardware keys, smartphone apps, even email/SMS based, a combination of these options to allow us to decide what works best to secure our accounts as individuals.
I look forward to reading more, keep it coming Sreegs!
-We So SeXy
Lost Hamster
Hamster Holding Corp
Posted - 2010.11.20 08:01:00 -
[90]
Originally by: CCP Sreegs
Originally by: Zirator @ CCP Sreegs
I was wondering if the character transfer mechanism can be changed?
I think it's pretty ******ed that I have to give up one of the 2 secret parts of my login credential to receive a character.
Can't it be changed to either the name of a character on the receiving account or a random code that's unique for each account and that can be seen on the account management section of the receiving party?
I'm currently interested in buying a character for one of my accounts but this is keeping me from doing it. And creating a 4th account just to receive characters on and then transferring them to one of my main accounts isn't an option either.
Wondering if you could give us some feedback on this.
I am aware of this issue and will look into it. I can't promise a timeframe or even a change at this point however.
Why not use the "User ID", which is in the API page? You don't need to implement anything new. It's already heavily used by the users, so I think that would be an easy change.