Pages: 1 [2] 3 4 5 :: one page |
Niccolado Starwalker
Gallente Shadow Templars
|
Posted - 2011.02.06 20:02:00 -
[31]
Originally by: masternerdguy This has probably been brought up before, but in the old password system people could choose any password they wanted. Now you need a capital letter and numeric character.
Since most people are probably going to capitalize the first letter and add a 1 or something to the end, doesn't this lower account security? Also, doesn't it make an old password from before the changes more secure from the brute forcing?
I guess that means your password would be Masternerdguy1 ?
Originally by: Dianabolic Your tears are absolutely divine, like a fine fine wine, rolling down your cheeks until they flow down the river of LOL. |
T'Laar Bok
|
Posted - 2011.02.06 20:07:00 -
[32]
Originally by: Jenny Spitfire I am sure you can buy a reception booster from your mobile provider.
They're illegal in AU and if they weren't I wouldn't pay around $800-$1000 just to get a password from CCP.
Originally by: Jenny Spitfire Alternatively, CCP can send validation code through email first to authenticate.
I really think you're sitting back in your chair just giggling yourself silly thinking up the most stupid ideas you can and watching people respond. |
Jenny Spitfire
Caldari
|
Posted - 2011.02.06 20:09:00 -
[33]
Originally by: masternerdguy
Originally by: Jenny Spitfire Edited by: Jenny Spitfire on 06/02/2011 19:42:24
Originally by: Mikalya Unfortunately none of these would be effected by the password requirement change.
But fortunately, the mobile authentication would work on those scenarios, wouldn't it?
My mobile bill would stack to the sky if I had to call iceland for a password.
But if you read what I mentioned earlier, CCP sends you a text when you click on an Authenticate Me button on the web login page. CCP sends you an SMS with a new validation code that is valid for an hour. In that hour, you can log in as many times as you like without revalidation. After that, you will need a new validation code.
You then use the SMS code plus your username and password to log in to the client. --------- The making of the new Jenny Spitfire |
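The flow described in the post above (a server-issued code, valid for one hour, reusable within that hour, then a fresh code is required) is the kind of thing a login backend would implement roughly like this. This is an added example, not code from the thread or from CCP; the class and function names, the six-digit code length and the hashed storage are assumptions made here, the post only specifies the one-hour window. The clock is injectable so the expiry behaviour can be exercised without waiting an hour.

```python
import hashlib
import hmac
import secrets
import time

CODE_VALIDITY_SECONDS = 3600  # the one-hour window described in the post
CODE_DIGITS = 6               # assumption: the post does not say how long the code is


class ValidationCodeStore:
    """Server-side store for out-of-band login codes (SMS or e-mail).

    Only a SHA-256 digest of each code is kept, so a dump of this store does not
    hand out live codes, and an old code lying in someone's inbox is worthless
    once the hour is up or a newer code has been issued.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing; defaults to wall clock
        self._codes = {}             # username -> (digest_of_code, expires_at)

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, username: str) -> str:
        """Generate a fresh code for the user, replacing any earlier one.

        The returned string is what would be sent over SMS/e-mail; it is not
        stored in clear on the server.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + CODE_VALIDITY_SECONDS
        self._codes[username] = (self._digest(code), expires_at)
        return code

    def verify(self, username: str, code: str) -> bool:
        """True while the user's current code is unexpired and matches.

        Reuse within the hour is allowed, matching the post; after expiry the
        entry is dropped so the user must request a new code.
        """
        entry = self._codes.get(username)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._codes[username]
            return False
        # Constant-time comparison: response time must not leak how many
        # digits of a guessed code were correct.
        return hmac.compare_digest(stored_digest, self._digest(code))


if __name__ == "__main__":
    # Quick stand-alone run with a fake clock so expiry can be shown immediately.
    now = [0.0]
    store = ValidationCodeStore(clock=lambda: now[0])
    code = store.issue("pilot")
    print("issued", code, "->", store.verify("pilot", code))
    now[0] = 1800
    print("reuse at +30min  ->", store.verify("pilot", code))
    now[0] = 3601
    print("after one hour   ->", store.verify("pilot", code))
```

Note that the one-hour reuse window is a usability trade-off: anyone who obtains the code (and the username and password) inside that hour can also log in, which is exactly the objection raised further down the thread about codes sitting in a compromised mailbox.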
Jenny Spitfire
Caldari
|
Posted - 2011.02.06 20:11:00 -
[34]
Originally by: T'Laar Bok
Originally by: Jenny Spitfire Alternatively, CCP can send validation code through email first to authenticate.
I really think you're sitting back in your chair just giggling yourself silly thinking up the most stupid ideas you can and watching people respond.
Tell me what is so stupid about getting the code through email if SMS is not an option?
You are about to play the game, you have access to email. Get the code through email and log in as usual. What is so stupid about it? --------- The making of the new Jenny Spitfire |
T'Laar Bok
|
Posted - 2011.02.06 20:22:00 -
[35]
Originally by: Jenny Spitfire Tell me what is so stupid about getting the code through email if SMS is not an option?
Let's just dump the SMS idea, it's stupid.
Originally by: Jenny Spitfire You are about to play the game, you have access to email. Get code through email and login as usual. What is so stupid about it?
The more steps authentication requires, the more potential avenues of attack there are. It's simple. |
Jenny Spitfire
Caldari
|
Posted - 2011.02.06 20:26:00 -
[36]
Originally by: T'Laar Bok The more steps authentication requires, the more potential avenues of attack there are. It's simple.
So I guess you think banks' authentication system for online banking is also stupid because they have multi-level systems.
I think the risk of people getting into your account with just a username and password is higher than with multi-level systems. Then again, a simple username and password is also sufficient if the password requirements are good.
I was only suggesting as the topic but it does not mean I disagree with you, as you can tell. --------- The making of the new Jenny Spitfire |
T'Laar Bok
|
Posted - 2011.02.06 20:52:00 -
[37]
Originally by: Jenny Spitfire So I guess you think banks' authentication system for online banking is also stupid because they have multi-level systems.
The only online banking I've done only requires a username/password, although one bank offers for $20 a keyring thingy that generates a random token based on your account details that you can enter in addition to your username/password - but it's optional to enter so it doesn't really do anything.
Originally by: Jenny Spitfire I think the risk of people get into your account with username and password is higher than multi-level systems.
I found 600 or so CCP password emails in a hacked account 'cause someone was too lazy to delete them. It wouldn't take long to reverse engineer the generation formula. CCP would have to change the way the passwords were generated at least daily to avoid this.
On the other hand - no password emails - no additional avenue of attack.
|
Ai Shun
Caldari
|
Posted - 2011.02.06 21:42:00 -
[38]
Edited by: Ai Shun on 06/02/2011 21:43:39
Originally by: Jenny Spitfire How about this? CCP buys a mobile SMS provider. Player base register their mobile numbers to CCP server. Each time a player wants to login, CCP server issues a security code that is valid for one hour of authenticated login pass and sends to the mobile of the player.
I was waiting for you to suggest they should call us to confirm if we are actually trying to login :)
Originally by: Jenny Spitfire Alternatively, CCP can send validation code through email first to authenticate.
Have you noticed how secure email is?
|
Furb Killer
Gallente
|
Posted - 2011.02.06 21:59:00 -
[39]
Edited by: Furb Killer on 06/02/2011 22:00:31
Surprisingly, mng got a point for once. It has indeed been brought up: everyone who has a pass that is easy to find with a dictionary attack (which is highly unlikely they will do; brute force is impossible, more about that later) will, when you force people to use capital letters, just make the first letter a capital.
Regarding the brute forcing, I think the first reply covered pretty much why that is impossible, although he didn't mean to prove that. With your 8 character pass at 500k attempts per second you go from 4 days to 3 years, impressive increase. At the same time a completely useless increase. Regardless of what CCP has done wrong, I don't expect CCP would be stupid enough not to notice that 4 days in a row passes are being tried on an account. And it would be hard not to notice, since the freaking login server would be down the instant you try it with 500k attempts per second. I think it would be more realistic to say the login server can handle 500 attempts per second, which would mean it takes 10 years to brute force the 8 char all lowercase pass. Eventually even CCP should notice that.
Disclaimer: I didnt bother checking if people on that site did their math correctly.
TL;DR, online passes of 8 chars + are impossible to bruteforce.
|
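The post above rests on the claim that an online guessing campaign against a single account is noisy enough that the operator would see it. The detection logic that makes that true is a per-account sliding-window count of failed logins. The following is an added example, not from the thread and not CCP's code: the log line format, the account names, the source addresses and the threshold of five failures per minute are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an authentication log. The line format is an
# assumption for this example; it is not CCP's real login server output.
SAMPLE_LOG = """\
2011-02-06T20:00:00 login_failed user=masternerdguy src=198.51.100.7
2011-02-06T20:00:00 login_failed user=masternerdguy src=198.51.100.7
2011-02-06T20:00:01 login_failed user=masternerdguy src=198.51.100.7
2011-02-06T20:00:01 login_failed user=masternerdguy src=198.51.100.7
2011-02-06T20:00:02 login_failed user=masternerdguy src=198.51.100.7
2011-02-06T20:00:02 login_failed user=masternerdguy src=198.51.100.7
2011-02-06T20:00:10 login_failed user=jenny src=203.0.113.5
2011-02-06T20:03:00 login_ok user=jenny src=203.0.113.5
2011-02-06T21:30:00 login_failed user=jenny src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) src=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, outcome, user, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src


def detect_online_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Flag accounts that receive `threshold` failed logins within `window_seconds`.

    Returns {account: ISO timestamp of the failure that crossed the threshold}.
    A successful login clears that account's window, so a user who mistypes a
    password twice and then gets in is not reported.
    """
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    flagged = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                  # skip malformed lines rather than crash
        ts, outcome, user, _src = parsed
        if outcome == "login_ok":
            recent[user].clear()
            continue
        window = recent[user]
        window.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and user not in flagged:
            flagged[user] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    for account, when in detect_online_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force suspected against {account} at {when}")
```

In practice the same counter is keyed on the source address as well, since an attacker spraying one guess across many accounts never trips a per-account threshold; the per-account view shown here is the one relevant to the single-account scenario in the post.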
Jenny Spitfire
Caldari
|
Posted - 2011.02.06 22:58:00 -
[40]
Originally by: T'Laar Bok
Originally by: Jenny Spitfire So I guess you think banks' authentication system for online banking is also stupid because they have multi-level systems.
The only online banking I've done only requires a username/password although one bank offers for $20 a keyring thingy that generates a random token based on your account details that you can enter in addition to your username/password - but its optional to enter so it doesn't really do anything.
Then your bank has not done it right. The VeriSign token is for your bank to authenticate you, so that when you need to perform a critical or high-risk activity like a third-party transaction it prompts you for verification. Failure to do so will cause the system to reject your request.
Tokens are also useful in making sure requests like address and personal details changes like phone number are indeed done at the request of the token holder. --------- The making of the new Jenny Spitfire |
|
Tom Gerard
|
Posted - 2011.02.06 23:00:00 -
[41]
I use the same password for everything, and I have since I was like 8 and had to log in to a computer for the first time. My password is so simple it's foolproof; only an 8-year-old would be able to crack it.
............................................ Blinding them with brilliance or baffling them with bull****. |
Ai Shun
Caldari
|
Posted - 2011.02.06 23:01:00 -
[42]
Originally by: Jenny Spitfire Tokens are also useful in making sure requests like address and personal details changes like phone number are indeed done at the request of the token holder.
It may be worth watching some of Steve Riley's speeches on security. Particularly some of his pieces on how what can seem like an increase in security simply increases the attack footprint and the number of different entities that must be trusted with your information.
His presentations on information security and so forth are fairly incredible if you've never been to them. And he is a very engaging speaker as well.
|
Jenny Spitfire
Caldari
|
Posted - 2011.02.06 23:07:00 -
[43]
Quote:
Have you noticed how secure email is?
Yes. It is very insecure. I remember the IT boys did tell me that for the purpose of a throwaway validation code that will expire in some minutes, it does not matter. The same goes for GSM text messages; they are insecure too.
Some people still do receive their serial numbers through email. The bottom line is to make it harder for others to get into your account. In this method, they need to get into your mail then your key and finally your password plus username. It is not that easy. --------- The making of the new Jenny Spitfire |
Jenny Spitfire
Caldari
|
Posted - 2011.02.06 23:09:00 -
[44]
Originally by: Ai Shun
Originally by: Jenny Spitfire Tokens are also useful in making sure requests like address and personal details changes like phone number are indeed done at the request of the token holder.
It may be worth watching some of Steve Riley's speeches on security. Particularly some of his pieces on how what can seem like an increase in security simply increases the attack footprint and the number of different entities that must be trusted with your information.
His presentations on information security and so forth are fairly incredible if you've never been to them. And he is a very engaging speaker as well.
Link please? --------- The making of the new Jenny Spitfire |
Ai Shun
Caldari
|
Posted - 2011.02.06 23:13:00 -
[45]
Originally by: Jenny Spitfire Link please?
Here. I don't keep a list handy, I attended them in person.
|
Jenny Spitfire
Caldari
|
Posted - 2011.02.06 23:19:00 -
[46]
Originally by: Ai Shun
Originally by: Jenny Spitfire Link please?
Here. I don't keep a list handy, I attended them in person.
Oh. That is very helpful. --------- The making of the new Jenny Spitfire |
TimMc
Brutal Deliverance Extreme Prejudice.
|
Posted - 2011.02.06 23:20:00 -
[47]
Please stop posting.
|
Scorpyn
Caldari Warp Ghosts Omega Spectres of the Deep
|
Posted - 2011.02.06 23:46:00 -
[48]
Originally by: masternerdguy This has probably been brought up before, but in the old password system people could choose any password they wanted. Now you need a capital letter and numeric character.
Since most people are probably going to capitalize the first letter and add a 1 or something to the end, doesn't this lower account security? Also, doesn't it make an old password from before the changes more secure from the brute forcing?
That depends on what the password was before the change and how you change it.
In many cases, people use really bad passwords like "hello" or "banana". Changing those passwords to "Hello1" and "Banana1" won't really add any noticeable security, but on the other hand it won't really make them less secure either.
Sometimes, people use somewhat random passwords, like "dabdodi" or "mabkbxp". Those passwords are better, but still only a few lower case a-z characters. In these cases, changing them to "Dabdodi1" or "Mabkbxp1" will increase security noticeably since it takes a lot longer to go through all passwords when you can't rely on a dictionary. However, if the policy is forced, there won't really be much difference in this case either.
A bad password is still a bad password, whether you force them to seem good or not. However, as long as you don't simply capitalize the first character and add 1 to the end, forcing uppercase and numbers will increase the security in many cases. Unfortunately, it may also add a false sense of security.
How to generate good passwords on a linux system.
|
Skylitsa
|
Posted - 2011.02.07 01:48:00 -
[49]
The practice I like to follow is to start my password with a 1 and capitalize the last letter 1skylitsA. Since most people do the reverse thing, I think my way is much more secure!:)
|
Ragnar256
Minmatar
|
Posted - 2011.02.07 02:02:00 -
[50]
My current password will take up to 39397489541 years to crack my account.
|
T'Laar Bok
|
Posted - 2011.02.07 02:14:00 -
[51]
Originally by: Jenny Spitfire Then your bank has not done it right.
I know. Their explanation was that using the token proves I and only I could have logged in.
So I said what if I give the token to my wife and she logs in or someone steals it and they have my login details. The keyring sits by my computer after all. Am I responsible for the transactions done because the token proves it was me when it could have been someone else? Can I do any transaction I want and not be responsible because I didn't put in the optional token.
I was put on hold while she checked with her supervisor and the call eventually dropped after 45min.
They're idiots. |
Zeba
Minmatar Honourable East India Trading Company
|
Posted - 2011.02.07 02:32:00 -
[52]
Ok.
What I want to know is how does the op know that every single player in the game is going to capitalize the first letter and use a number as the last character in the password.
Why can't they capitalize the fourth letter and use a number for the second character? Or any other combination for that matter?
Originally by: Blane Xero Zeba a fanboi, Haha, Christ, Pull the other one will you.
Originally by: Ryhss There is no paranoia in Eve, everyone is out to get you....
|
Captain Mung
|
Posted - 2011.02.07 05:48:00 -
[53]
To answer the OPs questions: 1) No. 2)No.
/thread
|
Chainsaw Plankton
IDLE GUNS IDLE EMPIRE
|
Posted - 2011.02.07 05:57:00 -
[54]
Originally by: Zeba Ok.
What I want to know is how does the op know that every single player in the game is going to capitalize the first letter and use a number as the last character in the password.
Why can't they capitalize the fourth letter and use a number for the second character? Or any other combination for that matter?
Because people are lazy, and most are rather predictable. Besides, Password1 is easier than pasSwo1rd.
and @ the "eight year old made password" is it willy? or maybe boobies, or hehepeepee?
|
Theqwert125
Qwertian Enterprises
|
Posted - 2011.02.07 06:04:00 -
[55]
Edited by: Theqwert125 on 07/02/2011 06:05:20 For once, could a security guy actually think instead of requiring certain things in a password? Why not require a password of certain cracking difficulty. For example, my school doesn't accept a password like "9i7tcfyhukhcdtrefgy89uf" but DOES accept "1234Pass." because it has a capital, number and punctuation. The first is orders of magnitude harder to crack, but noooo, the security guy is apparently incapable of doing simple permutations.
|
Mara Rinn
|
Posted - 2011.02.07 06:20:00 -
[56]
Requiring a capital letter and at least one number or punctuation will only reduce security if the "special" characters are required to be at certain positions of the password.
You may think that it's easy to predict that the capital letter will be in the first position, and the digit will be in the last position. Then you have to remember that the user just stuck the number on the end of an existing password, so you still have to guess 8 characters.
-- [Aussie players: join ANZAC channel] |
Talaan Stardrifter
THE PAROXYSM
|
Posted - 2011.02.07 06:40:00 -
[57]
Originally by: masternerdguy This has probably been brought up before, but in the old password system people could choose any password they wanted. Now you need a capital letter and numeric character.
Since most people are probably going to capitalize the first letter and add a 1 or something to the end, doesn't this lower account security? Also, doesn't it make an old password from before the changes more secure from the brute forcing?
8 characters, all lowercase: 26^8 = Approx 208 Billion variations
8 characters, requiring an initial capital and a trailing numeric: 26 * 26^6 * 10 = approx 80 billion variations. THIS REQUIRES THAT THE LOCATIONS BE FIXED.
However, the locations of the capital and numeric aren't fixed. 8 Characters, Requiring a Capital somewhere, and a number somewhere (26 + 26 + 10)^8 = Approx 218,340 Billion variations
It is your own responsibility to ensure your password is secure.
Oh, and you can stop trolling now. All of your threads I've seen today have been grossly ill-informed, or intentionally misrepresented.
|
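The arithmetic in Talaan Stardrifter's post above, and the "Hello1"/"Banana1" pattern that Scorpyn and Chainsaw Plankton describe earlier in the thread, can be put side by side in code. This is an added example, not from any post: the function names and the sample wordlist are constructed here. It goes one step beyond the post in one respect: Talaan's 62^8 counts every alphanumeric string, including those with no capital or no digit at all, so the block also computes the strictly smaller count of strings that actually satisfy "at least one capital and at least one digit" by inclusion-exclusion.

```python
# Keyspace arithmetic for the password-policy discussion in this thread.
LOWER, UPPER, DIGITS = 26, 26, 10
ALNUM = LOWER + UPPER + DIGITS   # 62


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of `length` characters over an alphabet of that size."""
    return alphabet_size ** length


def fixed_position_keyspace(length: int) -> int:
    """Capital forced into slot 1 and a digit into the last slot, lowercase
    everywhere else: 26 * 26^(n-2) * 10. This is the case the OP worries
    about, and the only one where the policy shrinks the space."""
    return UPPER * LOWER ** (length - 2) * DIGITS


def at_least_one_each_keyspace(length: int) -> int:
    """Strings over [a-zA-Z0-9] with at least one uppercase letter AND at
    least one digit, in any positions. Inclusion-exclusion removes the
    alphanumeric strings that lack a digit, lack a capital, or lack both."""
    total = keyspace(ALNUM, length)
    no_digit = keyspace(LOWER + UPPER, length)
    no_upper = keyspace(LOWER + DIGITS, length)
    neither = keyspace(LOWER, length)
    return total - no_digit - no_upper + neither


def password1_candidates(words, digits=range(10)):
    """The lazy transform: capitalise the first letter, append a single digit.
    An attacker who assumes this pattern tries |wordlist| * 10 strings, so the
    62^n figure never enters into it; the base word is the weak link."""
    return [w.capitalize() + str(d) for w in words for d in digits]


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock days to try every string in `space` at a fixed guess rate."""
    return space / guesses_per_second / 86_400


# Constructed stand-in for a real dictionary; a wordlist would have ~10^5 entries.
SAMPLE_WORDS = ["hello", "banana", "password", "eve", "caldari"]

if __name__ == "__main__":
    n = 8
    print(f"26^{n} (all lowercase)            = {keyspace(LOWER, n):,}")
    print(f"fixed capital + trailing digit = {fixed_position_keyspace(n):,}")
    print(f"62^{n} (any alphanumeric)         = {keyspace(ALNUM, n):,}")
    print(f">=1 capital and >=1 digit      = {at_least_one_each_keyspace(n):,}")
    cands = password1_candidates(SAMPLE_WORDS)
    print(f"Password1-style guesses for {len(SAMPLE_WORDS)} words: {len(cands)}")
    print(f"26^8 online at 500k/s: {days_to_exhaust(keyspace(LOWER, n), 500_000):.1f} days")
    print(f"26^8 online at 500/s:  {days_to_exhaust(keyspace(LOWER, n), 500):.0f} days")
```

The numbers bear out Mara Rinn's point: the policy only costs entropy if it pins the special characters to fixed positions, and even then the real exposure is a dictionary base word, against which 26^8 versus 62^8 is irrelevant because the attacker is not enumerating either space.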
Lay Lonie Mishi
|
Posted - 2011.02.07 06:57:00 -
[58]
Originally by: masternerdguy
Originally by: BeanBagKing
Originally by: masternerdguy
yes if I put a capital A in the middle of my password sure. But most people won't do this.
It doesn't matter where you put it. It's a simple mathematical expression involving the number of tries a computer can make in an hour, and the number of possible combination. The computer doesn't know if you put an A at the beginning, at the end, in the middle, if you put 2 of them, or a bunch of different letters, etc.
The amount of possible combination for an 8 character lowercase password is 8^26 vs 8^52 for upper and lower, 8^62 if you continue adding numbers, and I forget how many symbols there are, but you get the idea. Figure out how many extra 0's that tacks onto the end for possible combination. It increases exponentially. Again, the computer doesn't know where you put these extra numbers/letters, so it doesn't matter where or how many.
yes but as a human being I know that people are more likely to cap first letter and put a # at the end.
Christ you're stupid. If he/she puts a capital A at the beginning, middle or end it's still more secure and would take longer to crack than otherwise. Again, it doesn't matter where, just that it's there.
|
Aamrr
|
Posted - 2011.02.07 07:10:00 -
[59]
which constitute such a ludicrously low percentage of possible mixed case passwords that it doesn't really save them any significant time at all.
|
Halcyon Ingenium
Caldari Bene Gesserit ChapterHouse Sanctuary Pact
|
Posted - 2011.02.07 07:21:00 -
[60]
Anyone who thinks EVE forum monitors are too strict need only read one of masternerdguy's threads, see that he isn't permanently or even temporarily banned, and just understand that they are wrong.
Seriously, I would argue that they are too lax with letting you continue to **** post to the degree that you do. By the way, real men biomass when they emoragequit.
|