How much money do you need to spend on security before you feel secure?

Username/password is enough as long as the users are not idiots.

CCP handed out tokens at Fanfest 2011.

As far as I am aware they are still as much use as a chocolate teapot.

Make of that what you will

This token attempt at security would be entirely optional, right?

TL; DR. It would be too annoying to use this security feature and I would log in less often to the point of probably just quitting.

This token attempt at security would be entirely optional, right?

TL; DR. It would be too annoying to use this security feature and I would log in less often to the point of probably just quitting.

Incorrect. It is impossible to have too much account security. That's not debatable, sorry.

DAS IST NOT DEBATABUL UND DU VILL BOW DOWN TO ME.

Say... why don't you pay for all my authenticators? Because you seem to think it's fine and nobody should be allowed to not spend money on security they don't need, you should pay for it.

Can you read?

First of all, it would be an optional system, as are the ones currently in place in the industry. Secondly, it wouldn't cost you a dime if you already own a compatible handheld device of some sort.

Also, the reason I was rude to you is that I've grown very tired of knee-jerk, negative, defense reactions to these sorts of threads over the years. It's a personal failing.

Yes I can read. I replied to your issue regarding the non debatability of the issue.

During the last fanfest an EVE digipass authenticator was handed out by CCP.

During the last fanfest an EVE digipass authenticator was handed out by CCP. They promised to have more info in the coming weeks/month but it seems to have been forgotten during the EVE Gate failure and the NEX raging that followed.

An Authenticor is an additional layer of security and I would be quite happy if I could get one to protect my accounts.

Actually Deviana, you raise quite a good point there with your very last word, most people have more than one Eve Online account and so this presents CCP with somewhat of an unusual circumstance, how do you protect multiple accounts with one authenticator, or would you be able to protect more than one account from an app version of the software, because you cannot install multiple instances of an app on a mobile device (to my knowledge - I am not a developer). This may be the reason why they have not said anything further on the subject since Fanfest...

Actually Deviana, you raise quite a good point there with your very last word, most people have more than one Eve Online account and so this presents CCP with somewhat of an unusual circumstance, how do you protect multiple accounts with one authenticator, or would you be able to protect more than one account from an app version of the software, because you cannot install multiple instances of an app on a mobile device (to my knowledge - I am not a developer). This may be the reason why they have not said anything further on the subject since Fanfest...

They'd have to allow players to tie multiple accounts to a single authenticator, yeah.

[quote=Ursula LeGuinn]I personally would agree, one authenticator, multiple accounts - but how?

A lot of people I know don't have smartphones of any description and no way of making online purchases, therefore, having these authenticators being optional would be most optimal, unless they offered a text based version (CCP texts your phone with the code)
e: People pay with plex sometimes because they have no other options

I use GNU/Linux, so an USB 3rd-party device would very likely be unsupported for my OS.

show me where the bad man touched you.

How do you link the authenticator to your account?

seems to me that this would have to be done over a separate communications channel with credentials that a hacker wouldn't have access to even if he had compromised your PC at the time you want to set up the link.

(paper) mail or fax with a copy of your passport?

otherwise it's mostly security theater.

Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.

Yeah. Well, the pioneers of the technology (WoW and TOR) offer them as optional features.

And that seems quite naive to me. There are lot of possible options to attack a system, 'questionable' websites and software are the least of the worries, since there are a lot of security holes in widely used and legit softwares. Never sharing account access with anyone else is an excellent advise, but that will also not guarantee the security of the account.

Edit:

There is also an additional benefit. With less cases of accounts being hacked, the CCP customer support staff has more time to deal with other petitions on their ticket queues.

We werent talking about a USB device, this is purely a key fob type affair that generates random numbers that is linked to your account

Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.

Deviana, You seem quite knowledgeable about computer security, can I ask are you just an enthusiast in the subject or do you participate in the field in some professional capacity?

I assure you, I don't work for CCP.

But I have some experience with the digipass tokens and I would like to have one to protect my accounts.

...
I work in computer security, and the only secure computer anywhere is one that is turned off in a box in a locked room with no windows, security should not be optional

... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer?

... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer?

Question is .. is security important.. [/quote

Damn silly question....

[quote=Jaroslav Unwanted]

WHO WANTS TO LIVE FOREVER ?

Damn silly question....



Not such a silly question, the answer is of course me, but I digress.... Authenticators people pro or not?

While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you.

Username/password is enough as long as you disconnect your computer from the internet.

Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't insure that browsing even reputable webtsites is safe since those websites generally have advertising which is dependent upon several providers for that content some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed.

While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you.

Username/password is enough as long as you disconnect your computer from the internet.

Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't insure that browsing even reputable webtsites is safe since those websites generally have advertising which is dependent upon several providers for that content some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed.

chocolate teapot.

I'm pretty sure I read that TOR players hate that system


and for the record, you have a very good chance of dieing a horrible death in a car crash every day
do you cover your car in protective equipment?

Yes, I think user id/password is sufficient. I've been playing for around 6 years, have never had a problem. I guess I'd have no problem with an optional authenticator since some people are not so careful/lucky, but for me I'd prefer not to have an extra step in the process of logging on. The problem is an authenticator would start out as optional but eventually become mandatory.

Also, I'm generally against anything in Eve that protects people from their own stupidity.

Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.

Apparently, there is no such thing as too much security.
So let's take Ursula's PC and all associated hardware and lock it in a safe at the bottom of a Volcano.
Then nuke the volcano so nobody can get at it, then fire the whole planet into the centre of the sun where literally nobody can get at it.
Would that be a secure enough place?
After all, there's not thing as too much security, and it's not debatable.

I guess there isn't such a thing as "too much stupidity" either.

That is a bad example, most cars do indeed have a lot of protective equipment to prevent injuries or death of driver and passengers in case of a car crash.




Even if you did everything right to prevent your computer, you might become victim of a zero-day-exploit that has no fix yet. Computer security has a lot to do with making things harder for the bad guys, while keeping in mind that there is never absolute security.

My main account is also more then 6 years old, was never hacked and other accounts of mine, with or without authenticator, were also never compromised, but that is beside the point. I have been skilled and lucky enough to prevent damage to my accounts so far. A security token, or call it an authenticator would be still much appreciated. If the option is given, I would happily purchase one from CCP.

Besides social darwinism is not only one of the most disgusting, it is also one of the most stupid ideas on the internet, but I guess people will only learn when reality strikes them hard.

True, I could be compromised through no fault of my own, or I could make a stupid mistake, but I'm okay with those risks. I guess we just differ on our level of security-paranoia when it comes to video games. My bank website doesn't even use and authenticator (though it has an extra level of security than Eve). I have no problem with giving people the option for an authenticator, I just don't want one foisted upon me, even if it were free.

As for 'social darwinism', Eve is a game and that is a part of it. I like that part of it even though I don't scam, can-flip, suicide gank, etc. It makes this game different from the SWTOR and WOW's of the world.

I see a lot of idiocy in this thread pawning itself off as secure practices because "it's never happened to me". The mere fact that anyone here believes that user/passwd is sufficient is proof enough of such idiocy.

How much money do you need to spend on security before you feel secure?

ENOUGH, XKCD explained this alreadyhttp://xkcd.com/936/ . now STOP arguing.

Yup, there have been a few instances in the last couple years of google ads exploiting browser vulnerabilities and compromising systems.

IF CCP was to release RSA tokens for Eve, alot of players would adopt it.

The way SWTOR do it is when you tie the authenticator to your account then you input the code that is on the fob / app at the time of setting it up and then I presume there is some back end magic and trickery that knows what the next numbers will be from that starting point

There is no magic involved and no communication between authenticator and server. The authenticator has a serial number that is added to the account .

If you press the button on your authenticator/mobile phone app, the software generates the authenticator key from the serial number and the time set in the mobile phone. Since the auth. serial number is registered on the account the login servers also knows which authenticator code is currently the correct one.

Edit:

Here is some additional information about how the process of the two factor authentication works: http://en.wikipedia.org/wiki/Two-factor_authentication

Give it a rest, this is actually a sensible and highly effective security measure.

World of Warcraft calls them "Authenticators." You can download a little app onto your Steve Jobs Hipster Phone, synchronize it with your account somehow (not sure exactly how that works), and from then on you have to enter the code when you log in. No one can log into your account(s) unless they physically have that little device sitting right there in front of them.

Also comes in the form of a cheap fob if you don't have a Hipster Phone or Robot-Themed Totally Not a Hipster Phone.

I think it's a great system and would be a fantastic feature for EVE.

The authenticator serial number is typed in only once, when the authenticator is added to the account and never again, so if you added the authenticator to the account, then your system might be infected with a keylogger, or you are logging in from a public PC to check your EVE mail etc.. your system is still safe.

Someone might get the account name and PW, which is bad enough, but the authenticator will prevent him from logging into the account to get the tokens serial number. Deterministic or not, without the serial number of the authenticator and the key to generate a code he is still locked out and attempts to brute force access can be prevented by other means.

As I wrote earlier, nothing will give me complete security, but it will give me a lot more security since I am still a lot more secure then all the people thinking a long alphanumeric password is enough.

Since the bad persons usually go for the low hanging fruit I can be confident in the knowledge that the persons thinking a long alphanumeric password is enough are the first ones being targeted and those will also be the much easier prey.

I for one would still love to see me being able to lock my accounts to IP's. I suggested this in like 2007 and am still waiting

I for one would still love to see me being able to lock my accounts to IP's. I suggested this in like 2007 and am still waiting

Incorrect. It is impossible to have too much account security. That's not debatable, sorry.

I'm not saying this is a NECESSARY FEATURE AND IT MUST BE IMPLEMENTED IMMEDIATELY, but it would be purely beneficial.

Edit: Authenticator codes are typically optional by the way, I doubt CCP would force cranky contrarians or forum warriors to use them.

EvE doesn't, to my knowledge, have that problem.

The main problem with that is the static IP addresses are assigned to you, not allocated to you*. As such they can (and do) change when the LIR requires or when the RIR gets sufficiently pissed-off with a rogue LIR.

I'm in just such a process now and this machine will soon effectively have two IP addresses (switchover period) with the new address routed to the old address. My LIR (ISP in this case) cannot give me a precise switchover time, all I have is an 8 hour overnight "window".

I'm certain this wouldn't end well if CCP locked the accounts to IP addresses;

*I'm assuming you're not a LIR

Ok, let's see what we can do here...

1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.

2) I'm pushing to have us catch up with the times on that.

3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.

The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.

This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.

I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.

Ok, so you're willing to Call CCP on a telephone and give them a detailed personal history every time you want to log in?

Security is about a Cost/Benefit analysis. My bank uses a username/password system on a secured server. That's certainly good enough when combined with basic common sense/virus protection.

Beyond Username/Password, the costs start outweighing the benefits when you're talking about Banking. WoW implemented the key fobs because Hacking is absurdly prevalent, to the point where the benefit began to outweigh the cost. EvE doesn't, to my knowledge, have that problem.

Ok, let's see what we can do here...

...

I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.

Thx for the info.

Just for your information: There are people out there, which have 3,4,5 or even 23 Accounts. And some of them are using different computers on a regular base. Please keep that in mind when you create a new "security" feature.

E.g. I dont want to run around with 4 dongles for each of my accounts every day. (ok, which dongle was for which Account)...
or have to connect a "dongle" to each computer I regular use for playing eve...

SW:tor is a drag on security.
Username, password, security questions, autenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement.
(it often ask me security questions just for logging in, I could understand it if it was only asked when doing account changes).

If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway.

SW:tor is a drag on security.
Username, password, security questions, autenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement.
(it often ask me security questions just for logging in, I could understand it if it was only asked when doing account changes).

If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway.

Yes, that is also a consideration. :) I'm pretty sure nobody thinks it would be a productive use of time for you to have to have 24 different dongles and that's been a part of the consideration in the design process.

I'd like to use my job's SecurID to log on EVE. Would it be safe ?

ENOUGH, XKCD explained this alreadyhttp://xkcd.com/936/ . now STOP arguing.

Ok, let's see what we can do here...

1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.

2) I'm pushing to have us catch up with the times on that.

3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.

The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.

This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.

I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.

This....

I would only use an authenticator if it was available as an Android app, like WoW and TOR have.

Yeah since nobody is using wordlists for hacking, that kind of PW is totaly save... o wait...

Although the industry has been saying that smart phone virus are coming soon for years. I really think we are just around the corner. I think we are really entering that age quick. There was a demo at the last Def con about how to root an Android in about 2-3 minutes. I really don't think it will be too long until an attack like that is weaponized.

I really think soon more will have to be done for smart phone safety especially because a lot of people are using them for sensitive information ie banking, stock trading, ordering, and etc.

Phones are money unless they are the "pay as you go" variety. They are linked to your bank account via direct debit (or whatever the worldwide version of a variable debit is) and you can probably load a few euros/dollars onto a monthly account without the victim noticing.

Now I love Android but it is an accident waiting to happen - and it will. If for no other reason that phone manufacturers don't bother doing updates after a year or two.

I can't stand Apple but for mobile devices which are networked and linked to your bank account then I can't help feeling the "walled garden" approach with approved apps is better. For now at least.

I have to totally agree with you. That is the only reason I use a iPhone. I might not to get some of the cool stuff on my phone but it is a heck of a lot safer. Now Apple's OS is another story...

Yeah since nobody is using wordlists for hacking, that kind of PW is totaly save... o wait...

ENOUGH, XKCD explained this already http://xkcd.com/936 . now STOP arguing.

Yeah since nobody is using wordlists for hacking, that kind of PW is totaly save... o wait...

You'd have to test ALL words, then all the words with 1 additional character (the space), then do the same, adding all the words again, till you get the 3rd word correctly. This would be painfully long.

Please consider keeping it optional. For some of us less paranoid types (yes, I know, Eve teaches us the value of paranoia, but still), username/password are sufficient in a video game. As much as I love Eve, it's a game, not online banking. I know much of security these days revolves around the perception that something is being done to protect us, but not all of us need that type of reassurance. I know getting an account compromised can happen, but personally, I've never had any account compromised in anything I do online - and anything I can do online, I pretty much always do online. Not banking, not email, not games, not anything. The extra hassle just doesn't appeal to me, particularly in the case of a game.

[
Two factor was always intended to be optional. I do think though that we all have our own ideas in our own heads of what an implementation will look like and two factor can mean a lot of things, some of which are a more convenient for some than others.

It is of course interesting that the insurers drive what is considered necessary - my own bank hands out tokens in the Pacific Rim area but not in Europe for exactly that reason.

Forgive me Bayushi, but how can you play Eve and not yet have a way of making an online purchase?

You'd have to test ALL words, then all the words with 1 additional character (the space), then do the same, adding all the words again, till you get the 3rd word correctly. This would be painfully long.

I do. My initial subscription I paid with a credit card, yes, but I haven't ever since that first month, on any of my accounts. I play with PLEX these days, but I could pay with Paypal which doesn't require a credit card, just a bank account. I don't know for certain, but it's possible that some of the PLEX authorized merchants may accept things like Paysafe cards which can be purchased at your local Gamestop. It's not the easiest way to do it, but for those like me who are paranoid about credit card security, there are options.

In all honesty.. It's a damn game, I'd be happy if they removed the field for password to be frank.

If someone's stupid enough to try to steal money from my bank account, I pick up the phone and say I didn't make XX transactions. They'll do a 72hour investigation and then refund the cash..

If someone manages to guess my eve-o login name (Nevermind my password) Props to them, They can keep the isk they get I won't even petition it.

It seems your corp name suits you then.... jeez!

According to the Oxford Dictionary folks, there are about 171,476 words in current use in English. Ignoring the effect of a possible optional separator space, the key space volume is the combinations of 171,476 taken 4 at a time. That is 3.6E+19, or roughly 2^65 combinations. Substantially better than a single garbled password.

MDD

According to the Oxford Dictionary folks, there are about 171,476 words in current use in English. Ignoring the effect of a possible optional separator space, the key space volume is the combinations of 171,476 taken 4 at a time. That is 3.6E+19, or roughly 2^65 combinations. Substantially better than a single garbled password.

MDD

If it was up to me I would do the following:-

1. Separate the account services login from the game and forums logins.
2. Make multi-factor an option on the account services
3. Have the game check the CPU ID of the machine and allow you (from account services) to restrict which PC's you can login to the client from.

For most of us this would be multi-factor but in a way that would not intrude 99% of the time.

just an idea.

-CJ

I use a Mac, therefore I run my Eve client through a Virtual machine. Step 3 would be yet another feature denied to Mac users.
Like:
Eve-Voice
Not Crashing every 5 min
Graphics Options (Right now they're crash buttons)
Not Freezing every 10 min
Double Digit Framerates

How much money do you need to spend on security before you feel secure?