Ai Shun
Caldari
|
Posted - 2011.02.06 21:42:00 -
[1]
Edited by: Ai Shun on 06/02/2011 21:43:39
Originally by: Jenny Spitfire How about this? CCP buys a mobile SMS provider. Player base register their mobile numbers to CCP server. Each time a player wants to login, CCP server issues a security code that is valid for one hour of authenticated login pass and sends to the mobile of the player.
I was waiting for you to suggest they should call us to confirm if we are actually trying to login :)
Originally by: Jenny Spitfire Alternatively, CCP can send validation code through email first to authenticate.
Have you noticed how secure email is?
|
Ai Shun
Caldari
|
Posted - 2011.02.06 23:01:00 -
[2]
Originally by: Jenny Spitfire Tokens are also useful in making sure requests like address and personal details changes like phone number are indeed done at the request of the token holder.
It may be worth watching some of Steve Riley's speeches on security. Particularly some of his pieces on how what can seem like an increase in security simply increases the attack footprint and the number of different entities that must be trusted with your information.
His presentations on information security and so forth are fairly incredible if you've never been to them. And he is a very engaging speaker as well.
|
Ai Shun
Caldari
|
Posted - 2011.02.06 23:13:00 -
[3]
Originally by: Jenny Spitfire Link please?
Here. I don't keep a list handy, I attended them in person.
|
Ai Shun
Caldari
|
Posted - 2011.02.08 05:35:00 -
[4]
There is a lot of intellectual ************ in this thread. Has anybody checked if CCP throttles password attempts? Or locks an account out after a certain number of retries? If that is the case - good luck on trying a brute force attack.
|
Ai Shun
Caldari
|
Posted - 2011.02.11 13:24:00 -
[5]
Originally by: Kara Sharalien Are you sure you aren't blowing steam out your arse? Because that's not what my handy-dandy calculator designed to do this sort of thing says.
Think it through. If your password must be 2 characters long and there are 2 possible values how many combinations can you have?
[1][0] [0][0] [0][1] [1][1]
2 ^ 2
Now, if your password must be 8 characters long and each character can be one of 62 possible characters, how many combinations can you have?
[1][2][3][4][5][6][7][8]
How many possible characters can go in slot 1? How many possible characters can go in slot 2? ... How many possible characters can go in slot 8?
Go do the math.
|
Ai Shun
Caldari
|
Posted - 2011.02.11 13:51:00 -
[6]
Originally by: Kara Sharalien Your argument is fundamentally flawed because there are rules in place that say you must have a 1 and a 0.
Thus, the options are only: [1][0] [0][1]
[1] and [0] represents a set of potential values any character can hold.
The [ABCDEFGHIJKLMNOPQRSTUVWXYZ] [abcdefghijklmnopqrstuvwxyz] [1234567890] represents three sets that any character in the password can hold.
YES, you are forced to have one character from two of the three sets.
Which offsets in the password must be of the [ABC...] set? And which offsets must be of the [1234...] set? Any offset? Yeah. Thus, each offset must be tested for the entire set.
You cannot pick and choose.
Otherwise, if you can, please tell me which offsets in my password are from the set of capitals. And which offsets are from the numbers.
|
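As an added example (not part of the original thread), the counting argued over in posts [5] and [6] can be done exactly: the Python below counts fixed-length passwords that draw on at least a given number of character classes, using inclusion-exclusion, and checks the result by enumeration on the thread's two-symbol case. The function names are assumptions of this example; the lengths, character sets and the two-of-three rule are the ones quoted in the posts.

```python
from itertools import combinations, product

def count_with_min_classes(class_sizes, length, min_classes):
    """Count strings of `length` over disjoint character classes that
    contain characters from at least `min_classes` of those classes."""
    total = 0
    for k in range(min_classes, len(class_sizes) + 1):
        for subset in combinations(class_sizes, k):
            # Inclusion-exclusion: strings over `subset` in which every
            # class of the subset appears at least once.
            for j in range(k + 1):
                for dropped in combinations(subset, j):
                    total += (-1) ** j * (sum(subset) - sum(dropped)) ** length
    return total

def brute_force_count(classes, length, min_classes):
    """Same count by enumerating every candidate (small inputs only)."""
    alphabet = "".join(classes)
    hits = 0
    for candidate in product(alphabet, repeat=length):
        used = sum(1 for cls in classes if any(ch in cls for ch in candidate))
        hits += used >= min_classes
    return hits

def removed_fraction(class_sizes, length, min_classes):
    """Share of the unconstrained keyspace that the rule excludes."""
    unconstrained = sum(class_sizes) ** length
    allowed = count_with_min_classes(class_sizes, length, min_classes)
    return (unconstrained - allowed) / unconstrained

if __name__ == "__main__":
    # Two-symbol case from the thread: length 2, must contain a 1 and a 0.
    print(count_with_min_classes([1, 1], 2, 2), brute_force_count(["0", "1"], 2, 2))
    # Thread's case: 8 characters, upper/lower/digits, two of three sets required.
    sizes = [26, 26, 10]
    print(62 ** 8, count_with_min_classes(sizes, 8, 2))
    print(f"{removed_fraction(sizes, 8, 2):.4%}")
```

In the two-symbol case the rule halves the options (2 of 4), while for 8 characters over 62 symbols it excludes only about 0.19% of the 62^8 candidates.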
Ai Shun
Caldari
|
Posted - 2011.02.11 14:17:00 -
[7]
Originally by: Tippia “I think”
I think you think better than I did. Been running it over in my head and was perusing this NIST guideline on Information Security relating to entropy, etc. Bit older now.
|