New Dev Blog: Account Security and You!
 
This thread is older than 90 days and has been locked due to inactivity.


 

CCP Sreegs

Posted - 2010.11.19 18:40:00 - [31]
 

Originally by: Niccolado Starwalker
Edited by: Niccolado Starwalker on 19/11/2010 17:56:08
Originally by: CCP Zymurgist
CCP Sreegs is here to help you protect your account. Read all about account security and what you can do to protect yourself here.




Good post.

But please answer me this question I have been asking for ages with so many others from these forums:

Why don't you offer login tokens?????

It gives an extra additional layer, by giving the player a unique login code each time. That way account sharing turns difficult and if a keylogger catches the login it won't help!

Most players who stay with EVE do so fanatically. Like me, I have 5 years behind me in EVE on the 3rd of December, and would without hesitation invest in a login token!

The question has gone unanswered from what I can see. Now dear CCP Sreegs! Please tell us if this might be or might not be possible! Tell us you are thinking of it! Or at least give us your thoughts about the matter! It has been so quiet about this! But with this devpost and all, please! Share your thoughts about this!!!

:BEGS:





I can tell you that as a Security Guy I completely understand the value of a second factor of authentication and I can tell you that it would be silly of me not to have it on my list of things which could improve security. I cannot however at this point say that it will definitely be implemented or give any timeframes for when such implementation could theoretically occur. You can trust however that as soon as we have new features to talk about from a security perspective I will run immediately to the forums to tell everyone.

CCP Sreegs

Posted - 2010.11.19 18:43:00 - [32]
 

Originally by: Makurid


Just wondering how this helps the security if I can just log into EVE Gate and get a list of my characters without having to answer the challenge.




I will sheepishly mention that I don't believe EVE Gate existed at the time and then thank you for pointing this out. I'll also add a smiley face to lighten the mood. Laughing

Jessie42
Minmatar
GoonWaffe
Goonswarm Federation
Posted - 2010.11.19 18:47:00 - [33]
 

You're still a really bad poster DJ.

CCP Sreegs

Posted - 2010.11.19 18:48:00 - [34]
 

Originally by: Jengi Gotsen
Is EvE looking into external tools (authenticating keyfobs) to keep players more secure? Are there any excessive technical hurdles that would need to be overcome to make their use a reality? WoW currently has two separate tools for authenticating and verifying identities when logging in, the authenticator keyfobs / mobile authenticators available on smart phones, as well as the new system whereby a phone call is made when your account is logged in from an unusual place to verify you are the one logging in.

Do you feel that EvE is falling behind the industry in that way? I understand it's hard to place WoW and EvE in the same light in terms of game play, but in security measures aren't all games equal? I would say that a single-shard system where in-game currency can be converted into actual game time, security is paramount.

You mention the name challenge feature. That's great, except for the part where I don't recall seeing that on the login screen. I'm a little more nervous about someone stealing my isk than ****posting in C&P or checking out my easily changeable API key. Are there any plans to make the name challenge show up on the login screen?



There are plans to holistically examine and improve our entire security system from end to end, which is absolutely ongoing and in many ways transparent to you. I will say that regardless of what the industry is doing we should be doing our best to keep your account safe and that's precisely where I'd like us to be and the direction we're headed in.

Arakkis Melanogaster
GoonWaffe
Goonswarm Federation
Posted - 2010.11.19 18:48:00 - [35]
 

Originally by: Ariz Black
i tried to change my password and it wouldn't let me because it said i don't have capital letters in it. ironically i was trying to make it more secure by adding numbers to an already random collection of letters. stuff like this is taking it 'too far' because you shouldn't *force* people to explicitly have to hit extra keystrokes to log in when it's something they likely do 2000+ times a year (think about eve website, ingame, evegate, etc)


I agree with this guy, it is wrong to force people to do things. 'Asking' us to 'have' more than one 'password' is 'taking' it 'too far'. It's quite a bit of :effort: to remember multiple passwords for all the sites I log into, so I just use one for simplicity. Can't you just design a way for the computer to know it's me that is logging in? Voice recognition like Star Trek would be cool.

Also, how do you feel about cats?

the situation
Posted - 2010.11.19 18:49:00 - [36]
 

if you put in those keyfob things is it gonna affect botting?

pmchem
Minmatar
GoonWaffe
Goonswarm Federation
Posted - 2010.11.19 18:52:00 - [37]
 

Hey DJ, if you recommend both:

Quote:

8. Change your password - ALL THE TIME BE CHANGING YOUR PASSWORD.
and
10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:



As a security guy, how do you recommend people keep track of their 9000 passwords? Pen and paper or something like http://www.schneier.com/passsafe.html ?

Aiko Intaki
Lodizal Shield Tek
Lodizal Conglomerate
Posted - 2010.11.19 18:57:00 - [38]
 

1. Have someone at CCP with an android/iOS smartphone subscribe to WoW.
2. Have said person enable the added 1-time passkey account security feature.
3. Start WoW, Start App.
4. Log into WoW character to see how the 1-time passkey feature works.
5. Apply your new experience to EvE.

DO: Make smartphone apps to generate 1-time passkeys (99% of users).
DO: Sell key generating fobs like Blizzard does for those with 'dumbphones'.

Extra Credit: Give away a free, otherwise unobtainable in-game vanity ship to any account which activates this added security feature for the first time. (WoW, for instance, gives away a mini-Cerberus pet.)

Make it so.

Lord Matrix
Flying Banana Squad
Posted - 2010.11.19 18:57:00 - [39]
 

Please restore "save password" and "auto login" functionality. It can be done without saving the actual password to the HDD, all you need is to create an HMAC with something unique to the computer as password that cannot be faked (like HDD serial number). Just an example, there are other methods as well.

In either case, if an attacker can read files on your computer he can also install a keylogger.

Lost Hamster
Hamster Holding Corp
Posted - 2010.11.19 18:58:00 - [40]
 

Originally by: CCP Sreegs

I will sheepishly mention that I don't believe EVE Gate existed at the time and then thank you for pointing this out. I'll also add a smiley face to lighten the mood. Laughing


So, when will you implement the same security question to the evegate, and to the game itself?
That will probably reduce the amount of account hacking.
In the long run it will be good for everyone: less hacked players, less work for the GMs. Less frustration.

CCP Sreegs

Posted - 2010.11.19 19:00:00 - [41]
 

Originally by: the situation
if you put in those keyfob things is it gonna affect botting?


To be frank, not likely because any second factor scenario would probably be voluntary.

Lord Matrix
Flying Banana Squad
Posted - 2010.11.19 19:01:00 - [42]
 

Originally by: pmchem
Hey DJ, if you recommend both:

Quote:

8. Change your password - ALL THE TIME BE CHANGING YOUR PASSWORD.
and
10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:



As a security guy, how do you recommend people keep track of their 9000 passwords? Pen and paper or something like http://www.schneier.com/passsafe.html ?

http://keepass.info/

CCP Sreegs

Posted - 2010.11.19 19:02:00 - [43]
 

Originally by: pmchem
Hey DJ, if you recommend both:

Quote:

8. Change your password - ALL THE TIME BE CHANGING YOUR PASSWORD.
and
10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:



As a security guy, how do you recommend people keep track of their 9000 passwords? Pen and paper or something like http://www.schneier.com/passsafe.html ?


Yes passwordsafe is pretty awesome. KeePass is integrated into the browser and also works really well. Right up until you forget your main password or lose the database. As long as you keep track of both the master password and the database you're in good shape.

CCP Sreegs

Posted - 2010.11.19 19:05:00 - [44]
 

Originally by: Lord Matrix
Please restore "save password" and "auto login" functionality. It can be done without saving the actual password to the HDD, all you need is to create an HMAC with something unique to the computer as password that cannot be faked (like HDD serial number). Just an example, there are other methods as well.

In either case, if an attacker can read files on your computer he can also install a keylogger.


There is very little about what is available to an application from a computer that cannot be faked. If an attacker can read files or install a keylogger he can also obtain the same information any application would be able to obtain.

Tamir Lenk
Caldari
GoonWaffe
Goonswarm Federation
Posted - 2010.11.19 19:10:00 - [45]
 

Originally by: shortspecialbus
Is it a good idea to set complex passwords based on our favorite consumables such as wasabi and/or soy sauce?


*snort*

Can 9000 passwords protect your account from worms, namely giant space worms, dressed like Napoleon?

Seriously, these things keep me up at night.

Rikki Sals
Caldari
Posted - 2010.11.19 19:38:00 - [46]
 

Thought I'd mention this here:
My firewall/antivirus (COMODO Internet Security) always flags the EVE repair.exe as potentially malicious code, both in my Tranquility and Singularity directories.

CCP Sreegs

Posted - 2010.11.19 19:47:00 - [47]
 

Originally by: Rikki Sals
Thought I'd mention this here:
My firewall/antivirus (COMODO Internet Security) always flags the EVE repair.exe as potentially malicious code, both in my Tranquility and Singularity directories.


Signature-based solutions can provide false positives. I'll look into this. Thanks!

Furb Killer
Gallente
Posted - 2010.11.19 19:48:00 - [48]
 

Edited by: Furb Killer on 19/11/2010 19:49:05
Originally by: pmchem
Hey DJ, if you recommend both:

Quote:

8. Change your password - ALL THE TIME BE CHANGING YOUR PASSWORD.
and
10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:



As a security guy, how do you recommend people keep track of their 9000 passwords? Pen and paper or something like http://www.schneier.com/passsafe.html ?


'Security experts' are already seriously advising people to write down passwords on paper since it is getting impossible to keep track of them. Specialised programs work, but as said before only if you won't lose the master pass (which isn't too hard, just write it down somewhere if you want to be sure) but also won't lose the database, which is a bit more of a problem if your hdd crashes. Additionally you cannot login anymore from other random locations.


Quote:
People who buy isk from RMT'rs are the root cause of account theft.

Tbh less grinding would mean less reason for people to buy ISK. But yeah perma banning isk buyers would also be nice.

Vidar Kentoran
Minmatar
Eighty Joule Brewery
Posted - 2010.11.19 19:58:00 - [49]
 

Originally by: CCP Sreegs

I can tell you that as a Security Guy I completely understand the value of a second factor of authentication and I can tell you that it would be silly of me not to have it on my list of things which could improve security. I cannot however at this point say that it will definitely be implemented or give any timeframes for when such implementation could theoretically occur. You can trust however that as soon as we have new features to talk about from a security perspective I will run immediately to the forums to tell everyone.


Similarly, I hope that if you ever offer such a thing it will be strictly optional in every sense of the word.

Some of us keep our computers secure because we have much more important things on them than stupid game accounts, and don't really have any interest in the additional annoyance of two-factor authentication for a bloody MMO when an EVE account loss via computer compromise is the least bad thing that could possibly happen due to a trojan.

DaiTengu
Gallente
GoonWaffe
Goonswarm Federation
Posted - 2010.11.19 19:58:00 - [50]
 

Edited by: DaiTengu on 19/11/2010 20:03:00

I put my passwords on a USB key which I then give to my cat. I love my cat, especially when I'm giving speeches to my internet spaceship friends over teamspeak and .. hold on a second...

**** OFF CAT!



that said, the revered CCP Sreegs (may his ahuj9 and ٩๏̯͡๏)۶ be upon us) is correct. A little common sense goes a long way with keeping your account secure.

I, too, would like to jump on the keyfob/whateverit'scalled bandwagon though.

CCP Sreegs

Posted - 2010.11.19 20:06:00 - [51]
 

Originally by: Furb Killer


'Security experts' are already seriously advising people to write down passwords on paper since it is getting impossible to keep track of them. Specialised programs work, but as said before only if you won't lose the master pass (which isn't too hard, just write it down somewhere if you want to be sure) but also won't lose the database, which is a bit more of a problem if your hdd crashes. Additionally you cannot login anymore from other random locations.


I'd seriously question anyone who called themselves a security expert seriously advising anyone to write their passwords down on paper for anything other than a security philosophy blog which could just as likely be discussing the merits of applied quantum computing. That, in essence, changes the factor.

Chribba
Otherworld Enterprises
Otherworld Empire
Posted - 2010.11.19 20:09:00 - [52]
 

I would still very much like to be able to lock my accounts to my static IP...

/c

Bagehi
Association of Commonwealth Enterprises
Posted - 2010.11.19 20:14:00 - [53]
 

Originally by: EdFromHumanResources
:condi: to DJ. The "name challenge" method is a direct discouragement for returning players.

Scenario: You talk your friend into picking up Eve again after a few years away (This makes you a bad friend but that's beside the point)
Your friend tries to log in to reactivate his account, he cannot because he does not remember his character name. Instead of petitioning and waiting a week to get this sorted he says "**** it" and goes to play something else.

Perhaps offering people the OPTION of this name challenge or perhaps an option to email the primary email a list of characters on the account should be in order.

This method also sucks for those of us with ****ty memories and too damn many accounts with similarly named characters on them when we are trying to reactivate them.


I agree with this. Add to that some names in game are something like Bob15689674 which is kind of hard to remember a few hours later, let alone a couple months later.

DaiTengu
Gallente
GoonWaffe
Goonswarm Federation
Posted - 2010.11.19 20:19:00 - [54]
 

Edited by: DaiTengu on 19/11/2010 20:20:05
Originally by: Bagehi
Originally by: EdFromHumanResources
:condi: to DJ. The "name challenge" method is a direct discouragement for returning players.

Scenario: You talk your friend into picking up Eve again after a few years away (This makes you a bad friend but that's beside the point)
Your friend tries to log in to reactivate his account, he cannot because he does not remember his character name. Instead of petitioning and waiting a week to get this sorted he says "**** it" and goes to play something else.

Perhaps offering people the OPTION of this name challenge or perhaps an option to email the primary email a list of characters on the account should be in order.

This method also sucks for those of us with ****ty memories and too damn many accounts with similarly named characters on them when we are trying to reactivate them.


I agree with this. Add to that some names in game are something like Bob15689674 which is kind of hard to remember a few hours later, let alone a couple months later.



Force all new users to make a post on the forums as part of the eve tutorial. Then they can use eve-search ('sup Chribba?) to find their terrible post and figure out their character name. This also teaches them a valuable lesson that eve online is really about posting.

Furb Killer
Gallente
Posted - 2010.11.19 20:39:00 - [55]
 

Originally by: CCP Sreegs
Originally by: Furb Killer


'Security experts' are already seriously advising people to write down passwords on paper since it is getting impossible to keep track of them. Specialised programs work, but as said before only if you won't lose the master pass (which isn't too hard, just write it down somewhere if you want to be sure) but also won't lose the database, which is a bit more of a problem if your hdd crashes. Additionally you cannot login anymore from other random locations.


I'd seriously question anyone who called themselves a security expert seriously advising anyone to write their passwords down on paper for anything other than a security philosophy blog which could just as likely be discussing the merits of applied quantum computing. That, in essence, changes the factor.

It is quite simple, you have to choose which method is the smallest security risk. And if people have access to your house already they can do anything anyway, like installing keyloggers. It is just impossible to expect everyone to have for every different site different logins, with different passes that are all 'good' passwords.

Yuki Kulotsuki
Posted - 2010.11.19 20:44:00 - [56]
 

Bad post, bad poster, bad CCP dev. Cool

+1 in favor of keyfobs even though my user account pw is "Password1!"

Keiko Kobayashi
Amarr
Celestial Janissaries
Curatores Veritatis Alliance
Posted - 2010.11.19 20:53:00 - [57]
 

Edited by: Keiko Kobayashi on 19/11/2010 21:05:01
Advice no. 10 should really be advice no. 1. That one is just such an incredibly easy way to steal passwords... 90% of people (arbitrary percentage alert, but probably I'm pretty much right) use the same password for everything, it's crazy dangerous.

Advice like use a separate password for everything or change the password all the time is not really that great advice, because 1. nobody does it because it's obviously cumbersome and has significant downsides, and 2. when people do it (especially if they're forced to) they often cope with the fact that they won't be able to remember a password by either making less secure passwords, or writing them down in unsecure places (e.g. a textfile on the desktop, or a mail so they can access it from everywhere).

Elsa Nietzsche
Posted - 2010.11.19 21:00:00 - [58]
 

good blog
glad to see CCP actively engaged on both the subject and conversation of the subject. I look forward to any and all advances in account security. I also urge CCP to do regular reviews to make sure anything implemented does not seriously impose on the player. While it's good to boast 'in the name of security', I will have to admit to using Eve Gate to find my character's name. But I guess CCP would say it's my own fault for choosing a name I can't (be bothered to) remember how to spell.

Zirator
Evoke.
Ev0ke
Posted - 2010.11.19 21:02:00 - [59]
 

@ CCP Sreegs

I was wondering if the character transfer mechanism can be changed?

I think it's pretty ******ed that I have to give up one of the 2 secret parts on my login credential to receive a character.

Can't it be changed to either the name of a character on the receiving account or a random code that's unique for each account and that can be seen on the account management section of the receiving party?

I'm currently interested in buying a character for one of my accounts but this is keeping me from not doing it. And creating a 4th account just to receive characters on and then transferring them to one of my main accounts isn't an option either.

Wondering if you could give us some feedback on this.

Thyme Wasted
Posted - 2010.11.19 21:04:00 - [60]
 

Originally by: Dav Varan
Edited by: Dav Varan on 19/11/2010 17:36:50

PERMA BAN PEOPLE WHO SUPPORT RMT.



People who buy isk from RMT'rs are the root cause of account theft.

No customers to sell isk to for $ = No point in stealing account info.

Scare people away from RMT by promising them if they are caught ALL their accounts will be deleted and they will be permanently banned from EVE.



Great idea, then we can use CCP as a personal hitsquad service:
1) purchase several billion isk from an RMT site using a trial / plex activated acct.
2) distribute it to anyone / corps you don't like.
3) laugh as your enemies and their assets are removed from Eve by CCP.

Why not just have PLEX for bans?

