Pages: 1 2 3 [4] 5 :: one page |
Drew Solaert
University of Caille Gallente Federation
41
|
Posted - 2012.01.12 14:15:00 -
[91] - Quote
Or instead of a Gadget have 6 security question and answer pairings and have a random one out of the six asked when you log on.
Or do like some banks do and have another password, but you only enter 3 randomly chosen letters of the password on a drop-down menu each time you log in.
There you go, beefed up security without having to buy a ****** plastic thingy. |
Mr Kidd
Center for Advanced Studies Gallente Federation
351
|
Posted - 2012.01.12 14:23:00 -
[92] - Quote
RubyPorto wrote:
Ursula LeGuinn wrote:
Abdiel Kavash wrote: Username/password is enough as long as the users are not idiots.
Incorrect. It is impossible to have too much account security. That's not debatable, sorry. I'm not saying this is a NECESSARY FEATURE AND IT MUST BE IMPLEMENTED IMMEDIATELY, but it would be purely beneficial. Edit: Authenticator codes are typically optional by the way, I doubt CCP would force cranky contrarians or forum warriors to use them.
Ok, so you're willing to call CCP on a telephone and give them a detailed personal history every time you want to log in? Security is about a cost/benefit analysis. My bank uses a username/password system on a secured server. That's certainly good enough when combined with basic common sense/virus protection. Beyond username/password, the costs start outweighing the benefits when you're talking about banking. WoW implemented the key fobs because hacking is absurdly prevalent, to the point where the benefit began to outweigh the cost. EvE doesn't, to my knowledge, have that problem.
Your bank doesn't do this because it believes it to be sufficient. Your bank does this because they don't give a rat's arse about you.
http://en.wikipedia.org/wiki/Online_banking#Security
Trust me on this. Your bank's cost/benefit analysis consists of this, "that costs us money so, we're not going to do it". They are more than happy if the theft costs you money and not them to continue on with inadequate authentication. Any losses experienced by banks are covered by insurance. In the US it's called the FDIC.
CCP Sreegs wrote:Ok, let's see what we can do here...
...
I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.
Sreegs, you guys are going to do it when you do it. You, I, and a dozen others in this thread realize everything you're saying. But we understand how CCP works, or doesn't, and so no one here is holding their breath. But good luck getting something better implemented. We want breast augmentations and sluttier clothing in the NeX! |
CCP Sreegs
C C P C C P Alliance
223
|
Posted - 2012.01.12 14:54:00 -
[93] - Quote
Neo Agricola wrote:CCP Sreegs wrote:Ok, let's see what we can do here...
1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.
2) I'm pushing to have us catch up with the times on that.
3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.
The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.
This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.
I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.
Thx for the info. Just for your information: there are people out there who have 3, 4, 5 or even 23 accounts. And some of them are using different computers on a regular basis. Please keep that in mind when you create a new "security" feature. E.g. I don't want to run around with 4 dongles for each of my accounts every day (ok, which dongle was for which account?)... or have to connect a "dongle" to each computer I regularly use for playing Eve...
Yes, that is also a consideration. :) I'm pretty sure nobody thinks it would be a productive use of time for you to have to have 24 different dongles and that's been a part of the consideration in the design process. |
Darwin Duck
Evil Monkey Asylum
4
|
Posted - 2012.01.12 15:02:00 -
[94] - Quote
SW:tor is a drag on security. Username, password, security questions, authenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement. (It often asks me security questions just for logging in; I could understand it if it was only asked when doing account changes.)
If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway. |
Mar Drakar
LDK Test Alliance Please Ignore
33
|
Posted - 2012.01.12 15:13:00 -
[95] - Quote
Darwin Duck wrote: SW:tor is a drag on security. Username, password, security questions, authenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement. (It often asks me security questions just for logging in; I could understand it if it was only asked when doing account changes.)
If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway.
If you keep your passwords heavily salted and hashed, they do not rot like fish, and even after a hack you are still only a username out in the wild. This is a general rule of thumb, and having in mind the.... sophisticated playerbase that Eve has, it's probably a must for the current authentication system.
|
Othran
Brutor Tribe Minmatar Republic
133
|
Posted - 2012.01.12 15:26:00 -
[96] - Quote
Darwin Duck wrote: SW:tor is a drag on security. Username, password, security questions, authenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement. (It often asks me security questions just for logging in; I could understand it if it was only asked when doing account changes.)
If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway.
You'll probably find that the security questions are triggered by an IP address change at your end.
It's a very common (if not all that useful) method of reducing risk. Companies like it because it's cheap, company insurers like it because by and large they are clueless.
It's largely worthless and will remain so until we all have personal IPv6 address allocations - which I believe will eventually happen, as then we can all be easily (and cheaply) tracked and profiled by govt/companies. Edit: for those of you wondering about IPv6, the policy in Europe (RIPE) is to give each ISP subscriber 65,536 IPv6 addresses, so it's unlikely you'd run out soon |
Neo Agricola
BLACK-MARK
185
|
Posted - 2012.01.12 15:34:00 -
[97] - Quote
CCP Sreegs wrote: Yes, that is also a consideration. :) I'm pretty sure nobody thinks it would be a productive use of time for you to have to have 24 different dongles and that's been a part of the consideration in the design process.
Yeah. I need that time to fuel POSes, since shipping fuel from A to B and shipping fuel blocks to POSes is so much fun...
DISSONANCE is recruiting Members: https://forums.eveonline.com/default.aspx?g=posts&m=70361#post70361 Black-Mark Alliance Recruitment: https://forums.eveonline.com/default.aspx?g=posts&t=6710 |
Zag'mar Jurkar
Brutor Tribe Minmatar Republic
5
|
Posted - 2012.01.12 15:35:00 -
[98] - Quote
I'd like to use my job's SecurID to log on EVE. Would it be safe? |
Neo Agricola
BLACK-MARK
185
|
Posted - 2012.01.12 15:42:00 -
[99] - Quote
Zag'mar Jurkar wrote: I'd like to use my job's SecurID to log on EVE. Would it be safe?
LOL
not sure if you are serious.... |
Fearless M0F0
Incursion PWNAGE Asc
8
|
Posted - 2012.01.12 15:54:00 -
[100] - Quote
This. It would be great if password requirements for numbers and capital letters were waived if your password exceeds some length. It's pretty annoying coming up with 15+ character passwords and then having to add a digit.
Anyways, no matter how long and safe your password is, there is always the risk of keyloggers... for Windows users, that is
|
Maxpie
Metaphysical Utopian Society Explorations
41
|
Posted - 2012.01.12 15:57:00 -
[101] - Quote
CCP Sreegs wrote:Ok, let's see what we can do here...
1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.
2) I'm pushing to have us catch up with the times on that.
3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.
The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.
This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.
I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.
Please consider keeping it optional. For some of us less paranoid types (yes, I know, Eve teaches us the value of paranoia, but still), username/password are sufficient in a video game. As much as I love Eve, it's a game, not online banking. I know much of security these days revolves around the perception that something is being done to protect us, but not all of us need that type of reassurance. I know getting an account compromised can happen, but personally, I've never had any account compromised in anything I do online - and anything I can do online, I pretty much always do online. Not banking, not email, not games, not anything. The extra hassle just doesn't appeal to me, particularly in the case of a game. |
Crasniya
Legio Geminatus Gentlemen's Agreement
76
|
Posted - 2012.01.12 16:05:00 -
[102] - Quote
I would only use an authenticator if it was available as an Android app, like WoW and TOR have. |
Neo Agricola
BLACK-MARK
185
|
Posted - 2012.01.12 16:12:00 -
[103] - Quote
Yeah since nobody is using wordlists for hacking, that kind of PW is totally safe... o wait... |
Ma'kal
The Imperial Commonwealth E.Y
4
|
Posted - 2012.01.12 16:28:00 -
[104] - Quote
Crasniya wrote:I would only use an authenticator if it was available as an Android app, like WoW and TOR have.
Although the industry has been saying that smartphone viruses are coming soon for years, I really think we are just around the corner. I think we are really entering that age quick. There was a demo at the last DEF CON about how to root an Android in about 2-3 minutes. I really don't think it will be too long until an attack like that is weaponized.
I really think soon more will have to be done for smartphone safety, especially because a lot of people are using them for sensitive information, i.e. banking, stock trading, ordering, etc. |
Othran
Brutor Tribe Minmatar Republic
134
|
Posted - 2012.01.12 16:32:00 -
[105] - Quote
Neo Agricola wrote: Yeah since nobody is using wordlists for hacking, that kind of PW is totally safe... o wait...
It's statistically safer for protecting individual accounts from external intrusion, assuming some sanity with authentication.
Depending on the hash algorithm used to store user details, it could be argued it's not safer if someone has the userbase files.
None of this is rocket science. |
Othran
Brutor Tribe Minmatar Republic
134
|
Posted - 2012.01.12 16:39:00 -
[106] - Quote
Ma'kal wrote:
Crasniya wrote: I would only use an authenticator if it was available as an Android app, like WoW and TOR have.
Although the industry has been saying that smartphone viruses are coming soon for years, I really think we are just around the corner. I think we are really entering that age quick. There was a demo at the last DEF CON about how to root an Android in about 2-3 minutes. I really don't think it will be too long until an attack like that is weaponized. I really think soon more will have to be done for smartphone safety, especially because a lot of people are using them for sensitive information, i.e. banking, stock trading, ordering, etc.
Phones are money unless they are the "pay as you go" variety. They are linked to your bank account via direct debit (or whatever the worldwide version of a variable debit is) and you can probably load a few euros/dollars onto a monthly account without the victim noticing.
Now I love Android but it is an accident waiting to happen - and it will. If for no other reason than that phone manufacturers don't bother doing updates after a year or two.
I can't stand Apple but for devices which are networked and linked to your bank account then I can't help feeling the "walled garden" approach with approved apps is better. |
Ma'kal
The Imperial Commonwealth E.Y
4
|
Posted - 2012.01.12 16:44:00 -
[107] - Quote
Othran wrote:
Ma'kal wrote:
Crasniya wrote: I would only use an authenticator if it was available as an Android app, like WoW and TOR have.
Although the industry has been saying that smartphone viruses are coming soon for years, I really think we are just around the corner. I think we are really entering that age quick. There was a demo at the last DEF CON about how to root an Android in about 2-3 minutes. I really don't think it will be too long until an attack like that is weaponized. I really think soon more will have to be done for smartphone safety, especially because a lot of people are using them for sensitive information, i.e. banking, stock trading, ordering, etc.
Phones are money unless they are the "pay as you go" variety. They are linked to your bank account via direct debit (or whatever the worldwide version of a variable debit is) and you can probably load a few euros/dollars onto a monthly account without the victim noticing. Now I love Android but it is an accident waiting to happen - and it will. If for no other reason than that phone manufacturers don't bother doing updates after a year or two. I can't stand Apple but for mobile devices which are networked and linked to your bank account then I can't help feeling the "walled garden" approach with approved apps is better. For now at least.
I have to totally agree with you. That is the only reason I use an iPhone. I might not get some of the cool stuff on my phone but it is a heck of a lot safer. Now Apple's OS is another story... |
Othran
Brutor Tribe Minmatar Republic
135
|
Posted - 2012.01.12 16:50:00 -
[108] - Quote
Ma'kal wrote: I have to totally agree with you. That is the only reason I use an iPhone. I might not get some of the cool stuff on my phone but it is a heck of a lot safer. Now Apple's OS is another story...
Indeed and that's why Google bought Motorola.
A free(ish) and ubiquitous operating system for a phone is great for expanding the market for that OS but once the customers get bitten on the bum by no updates.....
Edit - we are so far off-topic I'm expecting a covert cyno and bombers from the mods soon |
Zag'mar Jurkar
Brutor Tribe Minmatar Republic
5
|
Posted - 2012.01.12 16:57:00 -
[109] - Quote
Neo Agricola wrote: Yeah since nobody is using wordlists for hacking, that kind of PW is totally safe... o wait...
You'd have to test ALL words, then all the words with 1 additional character (the space), then do the same, adding all the words again, till you get the 3rd word correctly. This would be painfully long. |
Talya Obreshinko
Science and Trade Institute Caldari State
0
|
Posted - 2012.01.12 17:03:00 -
[110] - Quote
My trade platform has an interesting added layer of security which doesn't take much coding but works effectively.
Basically, they have the user/pass combination. Then they have a pin you need to use to input. It works this way:
A number pad 1-9+0 is displayed. Within each cell for each number is a subset of randomly generated numbers (e.g. the button for "1" has the numbers 2 9 displayed). Each number cell has randomly generated numbers. Say my pin is 1234. I know my pin and so does the login. I use my pin to decode the keypad and input the correct sequence. So the sequence for this login might be something like 48802924. The best part of this system is that the number of decode numbers in each cell can vary randomly from 1 to 6, so your decoded pin will always be a different length.
This is a quick and easy way to add easy security to the log in as nobody but the user needs to know the pin, there is no reason at all to give the pin to any one else ever. The login randomly assigns the decoded numbers to the display pad each time it is shown. Now you have a constantly/randomly rotating security feature that a key logger would be unable to crack as the decode numbers are random and it would need to reverse engineer the algo to get the pin.
To further the security, you display the numbers like captcha so the computer can't easily determine. Adds less than 2 seconds to the log in, no need to manufacture decoders and the coding can be very simple to implement. |
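The decoding keypad described in the post above, as an added example that is not part of the original post and not the trading platform's code. Both sides of the exchange are modelled: the server draws a fresh keypad (the challenge), the user types the decoys shown under each PIN digit (the response), and the server recomputes the expected string from the stored PIN. The PIN length, the 1-to-6 decoys per cell and the seeded random generator are assumptions for illustration; the `consistent_pins` function is the check a practitioner would want, since it computes what someone who captures both the keypad image and the typed digits can conclude.

```python
import hmac
import random
from itertools import product

# Example code added here, not from the thread. Models the decoding keypad:
# each key 0-9 shows 1 to 6 random decoy digits, and the user types the
# decoys shown under each digit of their PIN, in order.

DIGITS = "0123456789"
PIN_LENGTH = 4          # assumed; the post uses a four-digit PIN in its example


def make_keypad(rng: random.Random) -> dict:
    """Server side: a fresh random keypad for one login attempt.
    The keypad is the challenge and must never be reused."""
    return {key: "".join(rng.choice(DIGITS) for _ in range(rng.randint(1, 6)))
            for key in DIGITS}


def encode_response(pin: str, keypad: dict) -> str:
    """Client side: type out, in order, the decoys shown under each PIN digit."""
    return "".join(keypad[d] for d in pin)


def verify(pin: str, keypad: dict, response: str) -> bool:
    """Server side: recompute the expected response from the stored PIN and
    compare in constant time."""
    return hmac.compare_digest(encode_response(pin, keypad), response)


def consistent_pins(keypad: dict, response: str, pin_length: int = PIN_LENGTH) -> set:
    """Observer side: the set of PINs that would produce exactly this response
    on this keypad. Anyone who saw both the keypad and the keystrokes can
    compute this."""
    return {"".join(p) for p in product(DIGITS, repeat=pin_length)
            if encode_response("".join(p), keypad) == response}


def observe_logins(pin: str, sessions: int, rng: random.Random) -> set:
    """Intersect the candidate sets over several observed logins of one user."""
    candidates = {"".join(p) for p in product(DIGITS, repeat=len(pin))}
    for _ in range(sessions):
        keypad = make_keypad(rng)
        response = encode_response(pin, keypad)
        assert verify(pin, keypad, response)       # the legitimate login succeeds
        candidates &= consistent_pins(keypad, response, len(pin))
    return candidates


if __name__ == "__main__":
    rng = random.Random(2012)      # seeded only so the demo is reproducible
    keypad = make_keypad(rng)
    print("keypad:", keypad)
    print("response for PIN 1234:", encode_response("1234", keypad))
    for n in (1, 2, 3, 5):
        left = observe_logins("1234", n, random.Random(n))
        print(f"after {n} observed login(s): {len(left)} candidate PIN(s)")
```

Run stand-alone, the loop at the end shows the candidate set collapsing to the real PIN after a handful of observed logins. That is the caveat on the claim that a keylogger cannot crack it: the scheme holds up against a logger that sees only keystrokes, but not against one that also captures the screen or the page markup, and rendering the cells as CAPTCHA images does nothing against a screenshot. The per-login keypad still has real value against pure keystroke replay, which is the threat the post is addressing.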
Diomedes Calypso
Aetolian Armada
62
|
Posted - 2012.01.12 17:12:00 -
[111] - Quote
I just want to add that the optional WoW integrator is very easy to use .... it takes me less than a minute to walk to find my phone (well, sometimes it takes me longer to find my phone) and about 10 seconds to hit the app and type in a 9 digit (or is it 10) random number.
- It's font is pretty big too and,
-because it is all numbers (key feature) I find it very hard to fat-key it... I am a master of typos but pretty fast with a number pad that requires only using my right hand and only moving my fingers with no shifting of my palm position.
- It remembers my computer's NIC card number, I'd guess, so I rarely need to re-enter it if I've only been logging in from a single computer.... maybe once every few days.. although I tend to keep my computer on 24/7 so that might be a factor in how frequently I need to spend the 10 seconds extra during the log in process.
(Yeah, I've given the walk in cartoon action movie another spin... it doesn't have a real economy, doesn't have real pvp (more like an episodic console game pvp), doesn't have intricate player politics with guilds vying actively against each other ....
.... but it is a fine beer and pretzels exploration of a cartoon book... which can be sorta fun like watching a TV show with a bit more input.) |
Ma'kal
The Imperial Commonwealth E.Y
4
|
Posted - 2012.01.12 18:52:00 -
[112] - Quote
Well to bring my comments back on topic. I would really like a hard token that was not my phone for a second factor of authentication. I am all for having my assets in Eve be more secure, and I would easily pay $30 to have a separate device to protect my accounts.
I would like to have one device for my accounts; who wants to have one token per account? But considering the nature of Eve, where most dedicated players have at least two accounts, it would be a bad design to make one token able to link to more than one account. |
MailDeadDrop
Rage and Terror Against ALL Authorities
24
|
Posted - 2012.01.12 20:03:00 -
[113] - Quote
Neo Agricola wrote: Yeah since nobody is using wordlists for hacking, that kind of PW is totally safe... o wait...
Zag'mar Jurkar wrote: You'd have to test ALL words, then all the words with 1 additional character (the space), then do the same, adding all the words again, till you get the 3rd word correctly. This would be painfully long.
According to the Oxford Dictionary folks, there are about 171,476 words in current use in English. Ignoring the effect of a possible optional separator space, the key space volume is the combinations of 171,476 taken 4 at a time. That is 3.6E+19, or roughly 2^65 combinations. Substantially better than a single garbled password.
MDD |
|
CCP Sreegs
C C P C C P Alliance
223
|
Posted - 2012.01.12 20:39:00 -
[114] - Quote
Maxpie wrote:CCP Sreegs wrote:Ok, let's see what we can do here...
1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.
2) I'm pushing to have us catch up with the times on that.
3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.
The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.
This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.
I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.
Please consider keeping it optional. For some of us less paranoid types (yes, I know, Eve teaches us the value of paranoia, but still), username/password are sufficient in a video game. As much as I love Eve, it's a game, not online banking. I know much of security these days revolves around the perception that something is being done to protect us, but not all of us need that type of reassurance. I know getting an account compromised can happen, but personally, I've never had any account compromised in anything I do online - and anything I can do online, I pretty much always do online. Not banking, not email, not games, not anything. The extra hassle just doesn't appeal to me, particularly in the case of a game.
Two factor was always intended to be optional. I do think though that we all have our own ideas in our own heads of what an implementation will look like and two factor can mean a lot of things, some of which are a more convenient for some than others.
|
CCP Sreegs
C C P C C P Alliance
223
|
Posted - 2012.01.12 20:43:00 -
[115] - Quote
As a small example to the above:
*DISCLAIMER* I AM NOT SAYING THIS IS SOMETHING WE'RE DOING MERELY HAVING A GAB
Current generation Intel CPUs have some two-factor capability built into them.
http://www.intel.com/content/www/us/en/architecture-and-technology/identity-protection/identity-protection-technology-general.html
|
Othran
Brutor Tribe Minmatar Republic
135
|
Posted - 2012.01.12 20:50:00 -
[116] - Quote
CCP Sreegs wrote: Two factor was always intended to be optional. I do think though that we all have our own ideas in our own heads of what an implementation will look like and two factor can mean a lot of things, some of which are a more convenient for some than others.
I think the fact it's been viewed as optional has been hugely detrimental to a sensible and ubiquitous two-factor system.
It is of course interesting that the insurers drive what is considered necessary - my own bank hands out tokens in the Pacific Rim area but not in Europe for exactly that reason. |
Ravcharas
GREY COUNCIL Nulli Secunda
70
|
Posted - 2012.01.12 23:33:00 -
[117] - Quote
What happened to those keyfobs you handed out at fanfest? |
Cherry Nobyl
Shadow Strike Syndicate
54
|
Posted - 2012.01.13 01:32:00 -
[118] - Quote
Othran wrote:
It is of course interesting that the insurers drive what is considered necessary - my own bank hands out tokens in the Pacific Rim area but not in Europe for exactly that reason.
It's all about the liability. Until such tools are considered mandatory and/or profit generating (they either lower the effective insurance rate, or compel customer switching to generate revenues), the lowest common denominator applies.
Personally, I don't bank via computer/pay bills online on any system I have (the exception being the use of one-time-use credit card numbers for light purchases), as the only relevant factor is time to a compromised state. Whether you are aware of the compromise or not is irrelevant, as the damage is always after the fact. I would not be surprised to discover that a compromising entity would allow for indexing and specific file search for items of interest, then sell the indexed/compromised machines for harvest at a later date.
It's a bit like this risk assessment I had to explain to a property manager once: is there sensitive/expensive equipment in the area? Yes. Is the door exposed to an outside area? Yes. Does the door have a lock? Yes. Is the door locked? Yes. Is the door made of untreated, yet lightly tempered glass?....
In this case there wasn't even an alarm on the door, yet even if there had been, the window of opportunity was substantial enough to remove approx 300k worth of equipment in under 2 minutes. Why was it in this state? Because it was insured. Yet I had to explain that just because the equipment was insured, your lost time/product/man hours were not. The approximate loss of that was around 250k from loss to replacement to up and running.
|
Janus Nightmare
ECP Incorporated
1
|
Posted - 2012.01.13 01:41:00 -
[119] - Quote
Mangua Desnart wrote:
Bayushi Tamago wrote: A lot of people I know don't have smartphones of any description and no way of making online purchases, therefore, having these authenticators being optional would be most optimal, unless they offered a text based version (CCP texts your phone with the code) e: People pay with plex sometimes because they have no other options
Forgive me Bayushi, but how can you play Eve and not yet have a way of making an online purchase?
I do. My initial subscription I paid with a credit card, yes, but I haven't ever since that first month, on any of my accounts. I play with PLEX these days, but I could pay with Paypal which doesn't require a credit card, just a bank account. I don't know for certain, but it's possible that some of the PLEX authorized merchants may accept things like Paysafe cards which can be purchased at your local Gamestop. It's not the easiest way to do it, but for those like me who are paranoid about credit card security, there are options.
On topic, I like the idea of an optional authentication app. My Google password was hacked once, and I now use their two-step verification system which works with an app on my phone. The app generates a random number, I type it in, and I'm verified. They also have a backup system in the event my phone is lost/stolen or whatever (or my battery simply dies). It could definitely be implemented as an optional feature for Eve, perhaps even tie it into an OFFICIAL ANDROID EVE GATE ANDROID APP (hint hint CCP) or something |
Ai Shun
State War Academy Caldari State
126
|
Posted - 2012.01.13 01:42:00 -
[120] - Quote
Zag'mar Jurkar wrote:You'd have to test ALL words, then all the words with 1 additional character (the space), then do the same, adding all the words again, till you get the 3rd word correctly. This would be painfully long.
And how long would it take before the CCP authentication system locks your account? I have not tested it yet, but I'm wagering they'd detect a brute-force / wordlist based attack.
Quote:I do. My initial subscription I paid with a credit card, yes, but I haven't ever since that first month, on any of my accounts. I play with PLEX these days, but I could pay with Paypal which doesn't require a credit card, just a bank account. I don't know for certain, but it's possible that some of the PLEX authorized merchants may accept things like Paysafe cards which can be purchased at your local Gamestop. It's not the easiest way to do it, but for those like me who are paranoid about credit card security, there are options.
Here in NZ I can walk into a PostShop (Post Office) and buy a credit card with a pre-loaded $ value. It is one of the safest ways to make online purchases. I don't like exposing my Credit Card details either. |
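The account lockout Ai Shun is asking about, as an added example that is not part of the original post and not CCP's login code: a per-account sliding window of failed attempts that locks the account for a while, and the arithmetic that shows why online guessing is bounded by that policy rather than by the size of the key space. The thresholds, the `attempt_login` wrapper and the `password_ok` flag (the actual password check is assumed to happen elsewhere) are assumptions for illustration; the key space figure is the one computed earlier in the thread.

```python
import math
from collections import deque

# Example code added here, not from the thread. Per-account login throttling
# with a sliding failure window and a temporary lockout.


class LoginThrottle:
    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds the account stays locked
        self._failures = {}             # account -> deque of failure timestamps
        self._locked_until = {}         # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed login; return True if this one triggered a lockout."""
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and q[0] <= now - self.window:     # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

    def guesses_per_day(self) -> float:
        """Upper bound on online guesses an attacker gets against one account:
        max_failures guesses, then a full lockout, repeated."""
        return self.max_failures * 86400 / self.lockout


def attempt_login(throttle: LoginThrottle, account: str,
                  password_ok: bool, now: float) -> str:
    """Returns 'locked', 'ok' or 'failed'. The password check itself is
    assumed to have been done by the caller (password_ok)."""
    if throttle.is_locked(account, now):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account, now) else "failed"


def expected_years_to_guess(keyspace: int, throttle: LoginThrottle) -> float:
    """Expected time to hit the right credential by online guessing alone:
    half the key space at the throttled rate."""
    return keyspace / 2 / throttle.guesses_per_day() / 365


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(6):
        print(i, attempt_login(t, "pilot", False, now=float(i)))
    print("locked at t=100:", t.is_locked("pilot", 100.0))
    four_words = math.comb(171476, 4)           # the thread's 4-word passphrase space
    print("guesses/day:", t.guesses_per_day())
    print("years to guess, 4-word passphrase: %.2e" % expected_years_to_guess(four_words, t))
    print("years to guess, 4-digit PIN: %.2f" % expected_years_to_guess(10_000, t))
```

The comparison at the end is the useful part: with five guesses per fifteen minutes, even a four-digit PIN takes the attacker around ten days of continuous guessing, and the four-word passphrase is out of reach by any measure. The lockout is also what makes a hard cap meaningful as a defence rather than just the entropy. Two caveats a practitioner would add: a per-account lockout lets anyone who knows a username lock its owner out on demand, so production systems pair it with per-source rate limits and a CAPTCHA step before a hard lock; and none of this helps when the attacker has the hash table, which is the offline case the earlier posts about salting and hashing cover.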