EVE Information Portal
New Dev Blog: Account Security and You!
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 3 [4] 5 6


Baneken
Gallente
The New Knighthood
Apocalypse Now.
Posted - 2010.11.20 08:22:00 - [91]
 

Originally by: Ashemi Darkhold
Originally by: Chribba
I would still very much like to be able to lock my accounts to my static IP...

/c


1000x this


Actually the forums already do this and require you to enter the name of one of the characters on the account if the IP address has changed since the last log-in.
As to that key chain thingy, I would buy it in a heartbeat if I didn't have to pay $50 for posting it to the EU; the same goes for the rest of the stuff in the EVE store.

Mme Pinkerton
The pink win
Posted - 2010.11.20 08:28:00 - [92]
 

How to create decent passwords:

(a) choose a memorable sentence, say "When in the Course of human events"

(b) introduce some 1337speak in an unpredictable fashion - "Wh3n 1n the Cours3 0f human ev3nts"

(c) get rid of some spaces - "Wh3n+1n%the~Cours3+0f%human~ev3nts"

As this part can be hard to remember I always use the same sequence of characters to replace spaces - in this example "+%~".

I don't like having to type passwords with spaces, so I tend to replace them all - from a security POV it would probably be better to leave some spaces and not to overdo with special characters as a very long word with lots of special characters is a pretty obvious password; think of a keylogger who has to use some heuristic to sort through the vast amount of stuff you write every day looking for passwords.

However, I don't expect my computer or network to be compromised and just want my password to be reasonably safe against brute force attacks.

(d) write the password 20 times (on your keyboard), so your fingers will remember its flow even if your brain should become uncertain; make adaptations if it feels weird to type.

(I sometimes find it convenient to duplicate characters for easier typing; e.g. for some reason "Wh3n+1in%the..." feels more comfortable than "Wh3n+1n%the..."; of course this makes it more difficult to remember but also more secure as you deviate from your key sentence)

(e) yes, I really create all my important passwords this way (and they usually have 20+ characters which is overkill but I like to use complete sentence phrases).
No, I don't use any passwords based on the Declaration of Independence.

Frug
Omega Wing
Snatch Victory
Posted - 2010.11.20 08:39:00 - [93]
 

HEY THIS GUY HAS MAGIC WIDGETS

GET THEM. WE NEED MORE MAGIC WIDGETS.

Draahk Chimera
Interstellar eXodus
Posted - 2010.11.20 09:30:00 - [94]
 

Hey, I'm sorry but could someone explain what a sandbox is? I am always interested in increasing the security of my comp.

DaiTengu
Gallente
GoonWaffe
Goonswarm Federation
Posted - 2010.11.20 10:07:00 - [95]
 

Edited by: DaiTengu on 20/11/2010 10:07:49
Originally by: Draahk Chimera
Hey, I'm sorry but could someone explain what a sandbox is? I am always interested in increasing the security of my comp.



Sandboxie's site does a far better job of explaining it than I ever could.

Callipygian Provocateur
Posted - 2010.11.20 10:52:00 - [96]
 

Personally, I hate the character challenge, for hopefully obvious reasons (and I wasn't aware I would be required to respell my name correctly when I created it). I'm damn careful about where I use my account and I would like a method to opt out.

Two factor authentication is awesome. Why can't I register a phone number to my account to get a code sent via SMS? Keyfobs are nifty and all, but damn near all of your user base already has a cell phone (and I'd think an SMS solution would be much simpler & cheaper than most alternatives).

I'm hoping this is the case, but am not going to bother checking: Does CCP send email notifications/verifications upon a change of email address? Do I get eve-mail if this happens?

An optional alternative password for the forums would be nice. I am very glad, however, that my forum cookie doesn't work for account management. Kudos on that.

Mr LaForge
Posted - 2010.11.20 13:58:00 - [97]
 

Maybe introduce 2 part passwords. Log in with 1 and then be asked for the 2nd?

SphereMaster
Posted - 2010.11.20 16:16:00 - [98]
 

Originally by: Aiko Intaki
1. Have someone at CCP with an android/iOS smartphone subscribe to WoW.
2. Have said person enable the added 1-time passkey account security feature.
3. Start WoW, Start App.
4. Log into WoW character to see how the 1-time passkey feature works.
5. Apply your new experience to EvE.

DO: Make smartphone apps to generate 1-time passkeys (99% of users).
DO: Sell key generating fobs like Blizzard does for those with 'dumbphones'.

Extra Credit: Give away a free, otherwise unobtainable in-game vanity ship to any account which activates this added security feature for the first time. (WoW, for instance, gives away a mini-Cerberus pet.)

Make it so.


Where do I get my pet then I have never seen that when using my authenticator!?


On a more serious topic... Having a mobile EVE authenticator would simply be win. Plus, once you get a spy into someone's alliance and get RL phone numbers, you can text spam their titan pilot's phone so it crashes and they can't authenticate!

Marchocias
Posted - 2010.11.20 17:01:00 - [99]
 

Originally by: Dav Varan
Edited by: Dav Varan on 19/11/2010 17:36:50

PERMA BAN PEOPLE WHO SUPPORT RMT.



People who buy isk from RMTers are the root cause of account theft.

No customers to sell isk to for $ = No point in stealing account info.

Scare people away from RMT by promising them that if they are caught ALL their accounts will be deleted and they will be permanently banned from EVE.




If I spent $50 on RMT isk for YOUR account, and got you permabanned, I would consider that a damned good deal.

Louis deGuerre
Gallente
Malevolence.
Posted - 2010.11.20 18:11:00 - [100]
 

I almost, almost fell for a phishing attack today.
And I'm someone who laughs at people who get suckered like that.
Got me scared enough to rescan my machine with three different apps even though it's fortified like a bunker.
These guys are getting better and better.

Good post, hope it saves someone a lot of trouble.

Furb Killer
Gallente
Posted - 2010.11.20 20:08:00 - [101]
 

Originally by: Marchocias
Originally by: Dav Varan
Edited by: Dav Varan on 19/11/2010 17:36:50

PERMA BAN PEOPLE WHO SUPPORT RMT.



People who buy isk from RMTers are the root cause of account theft.

No customers to sell isk to for $ = No point in stealing account info.

Scare people away from RMT by promising them that if they are caught ALL their accounts will be deleted and they will be permanently banned from EVE.




If I spent $50 on RMT isk for YOUR account, and got you permabanned, I would consider that a damned good deal.

Then that person deserves to be permabanned for being stupid. If I get a few billion isk out of nowhere from hjKFHJK20913 I would petition if it is legit.

wr3cks
Reliables Inc
BricK sQuAD.
Posted - 2010.11.20 21:49:00 - [102]
 

Originally by: Aiko Intaki
1. Have someone at CCP with an android/iOS smartphone subscribe to WoW.
2. Have said person enable the added 1-time passkey account security feature.
3. Start WoW, Start App.
4. Log into WoW character to see how the 1-time passkey feature works.
5. Apply your new experience to EvE.

DO: Make smartphone apps to generate 1-time passkeys (99% of users).
DO: Sell key generating fobs like Blizzard does for those with 'dumbphones'.

Extra Credit: Give away a free, otherwise unobtainable in-game vanity ship to any account which activates this added security feature for the first time. (WoW, for instance, gives away a mini-Cerberus pet.)

Make it so.


+1 for this. I mean, jesus, Blizz has done it for years now.

EdwardNardella
Capital Construction Research
Posted - 2010.11.20 22:41:00 - [103]
 

Thanks for the post; I have some thoughts and ideas, could you please read and respond to them?

"Check account settings and make sure your email is correct"
Honestly, no way am I going to do this. I will tell you why. To do this requires me to log in to secure.eveonline.com and that is a pain, I only do that a few times a month per account. Could you put my email address on the character selection screen so I can notice any change?

As far as tokens are concerned, I believe that they may do some harm. They will enable people to share accounts more securely (I give credentials and token to the guy I am sharing with; now he can only use them to log in once). Also, they do not prevent damage from some phishing and keylogging attacks, as these attacks would be modified to work instantly when a token is used. Those with tokens will feel "invincible" and as a result will be more careless. Also, I am poor and do not have a cell phone.

Ultimately I believe tokens will be added and used, but this must be done carefully. I know that some banks have tokens that are simply printed on a piece of cardboard; the ones I have heard of work like scratching a lottery ticket, but other implementations are possible.

Finally I want to echo some things others have said:
I want to be able to change my username at least once in a while.
I want a different username (and maybe even password) for forum access.
A password generator on the password changing page would be nice, as I am sure some would use it (I, OTOH, generate my own).

EdwardNardella
Capital Construction Research
Posted - 2010.11.20 22:46:00 - [104]
 

Originally by: Aiko Intaki
DO: Make smartphone apps to generate 1-time passkeys (99% of users).
DO: Sell key generating fobs like Blizzard does for those with 'dumbphones'.

Do you seriously believe these solutions would work for all users? If people cared that much about account security then those solutions would not even be needed. Tokens are not the answer to every security problem. Yes ultimately they will help but not flawlessly and not for everyone. If they were perfect then they would be used for everything.

Deviana Sevidon
Gallente
Panta-Rhei
Butterfly Effect Alliance
Posted - 2010.11.21 00:00:00 - [105]
 

I read the blog in the hope of an announcement giving us the option to protect our accounts with a security token, and was disappointed.

My accounts have assets from 5 years of playing EVE Online. If someone robbed my account I think I would leave EVE heartbroken.

Shaemell Buttleson
Posted - 2010.11.21 00:37:00 - [106]
 

Originally by: Chribba
I would still very much like to be able to lock my accounts to my static IP...

/c


This!!!

Surely if you implemented this the first point you made "1.You give it to them (account sharing) - This is the non-phishing version of you just handing someone your credentials. It DOES happen, so it goes on the list. I make the list so I get to decide what's on it." would stop happening.



Cpt Underpants
Goonswarm Federation
Posted - 2010.11.21 04:36:00 - [107]
 

In my experience, carrots work better than sticks when it comes to motivating people to do things.

Offer a small bonus once every 6 months for changing your password. My suggestion would be 100k skillpoints.

Offer a unified log-in client which once logged in, you can launch any of your accounts without further authentication. Other features of the log-in client could include:
-Days left on account & renewal method
-Warnings next to any of the accounts which were logged in from a different computer/ip (low concern warning if on same network or if other identifier is identical, mid if different identifier/ip, high if ip tracked to a significantly different locale)
-Links through to evegate for each character

Of the people I know IRL who play eve, 80% of them have 2 or more accounts. I'm sure CCP's stats would show the high proportion of multiple-account-holders.
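The per-account login warnings proposed above (low if the same network or the same client identifier, mid if both differ, high if the IP resolves to a clearly different locale) as detection logic run over a constructed login history. This is an added example, not CCP's code: the geolocation table, the `client_id` field and the /24 approximation of "same network" are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for an IP geolocation database (documentation ranges).
IP_LOCALES = {
    "203.0.113.0/24": "Reykjavik, IS",
    "198.51.100.0/24": "Reykjavik, IS",
    "192.0.2.0/24": "Shanghai, CN",
}


@dataclass(frozen=True)
class Login:
    account: str
    ip: str
    client_id: str  # hypothetical per-installation identifier sent by the client
    ts: int         # unix time


def locale_of(ip: str) -> str:
    addr = ip_address(ip)
    for cidr, locale in IP_LOCALES.items():
        if addr in ip_network(cidr):
            return locale
    return "unknown"


def same_network(ip_a: str, ip_b: str) -> bool:
    # "Same network" approximated as the same /24; a real deployment would
    # compare the ASN or the customer's known home prefix instead.
    return ip_network(ip_a + "/24", strict=False) == ip_network(ip_b + "/24", strict=False)


def concern_level(previous: Login, current: Login) -> Optional[str]:
    """None (nothing changed), 'low', 'mid' or 'high' for a login compared
    with the account's previous one, following the three tiers in the post."""
    if current.ip == previous.ip and current.client_id == previous.client_id:
        return None
    if current.client_id == previous.client_id or same_network(previous.ip, current.ip):
        return "low"
    if locale_of(current.ip) != locale_of(previous.ip):
        return "high"
    return "mid"


def login_warnings(logins):
    """Group logins per account in time order and flag every login that differs
    from the previous one; returns (account, ts, ip, level) tuples."""
    by_account = defaultdict(list)
    for login in sorted(logins, key=lambda entry: entry.ts):
        by_account[login.account].append(login)
    warnings = []
    for account, history in by_account.items():
        for previous, current in zip(history, history[1:]):
            level = concern_level(previous, current)
            if level is not None:
                warnings.append((account, current.ts, current.ip, level))
    return warnings


# Constructed sample history.
SAMPLE_LOGINS = [
    Login("pilot_a", "203.0.113.10", "client-1", 100),
    Login("pilot_a", "203.0.113.44", "client-1", 200),  # same box, new DHCP lease
    Login("pilot_a", "198.51.100.5", "client-2", 300),  # new machine, same city
    Login("pilot_a", "192.0.2.7", "client-3", 400),     # new machine, other continent
    Login("pilot_b", "203.0.113.10", "client-9", 150),
    Login("pilot_b", "203.0.113.10", "client-9", 250),  # identical: no warning
]
```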

Sethose Olderon
Gryphon Chancellery
Gryphon League
Posted - 2010.11.21 08:09:00 - [108]
 

I vote for Mobile (Cell Phones, iPods, etc.) Authenticators. For example see Blizzard's Mobile Authenticator which supports Blackberry, anything running Apple's iOS, Android, and I think Windows Phone 7.

This little handy security tool has kept my Battle.net account from being hacked at least twice.

ArchenTheGreat
Caldari
Pulsar Nebulah
Army of Lovers.
Posted - 2010.11.21 09:14:00 - [109]
 

Originally by: CCP Sreegs

Yes, PasswordSafe is pretty awesome. KeePass is integrated into the browser and also works really well. Right up until you forget your main password or lose the database. As long as you keep track of both the master password and the database you're in good shape.


Password Hasher (https://addons.mozilla.org/en-US/firefox/addon/3282/) is a Firefox extension which hashes the site name with your master password to produce a site-unique password. It's very easy to use. You don't have any database to keep; all you have to do is remember your master password. It can be used to generate a password for anything, as long as you find a scheme to assign a "site name" to those things.
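The derive-rather-than-store idea behind Password Hasher, as an added illustration that is not the extension's own algorithm: a per-site password is derived from the master password with PBKDF2-HMAC-SHA256, using the normalised site name as the salt. The `version` tag is an assumption added here to cover the one thing a pure master+site hash cannot do, namely rotating a single site's password after a breach without changing the master password everywhere.

```python
import hashlib
import unicodedata

# Output alphabet: mixed case, digits and a few symbols most sites accept.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            "0123456789!@#$%^&*-_+=?")
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware allows


def normalise_site(site: str) -> str:
    """Canonical site tag so 'EveOnline.com' and ' eveonline.com' derive
    the same password; the tag is the only thing besides the master that
    feeds the derivation, so it must be reproducible."""
    return unicodedata.normalize("NFKC", site).strip().lower()


def site_password(master: str, site: str, length: int = 20, version: int = 1) -> str:
    """Derive a site-unique password; nothing is stored anywhere.

    The salt is the normalised site tag plus a version number, so one
    compromised site password can be rotated (version += 1) while the
    master password and every other site password stay unchanged."""
    salt = f"{normalise_site(site)}|v{version}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=length * 2)
    chars = []
    for i in range(length):
        # 16-bit chunks keep the modulo bias negligible (65536 mod 75 = 61).
        value = int.from_bytes(key[2 * i:2 * i + 2], "big")
        chars.append(ALPHABET[value % len(ALPHABET)])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed master password for the demo only.
    for tag in ("eveonline.com", "forums.eveonline.com"):
        print(tag, site_password("correct horse battery", tag))
```

The caveat the post hints at ("find a scheme to assign a site name") is the whole security of the scheme: anyone who learns the master password can regenerate every site password, so the master must be long and never reused.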

Hormus
Posted - 2010.11.21 13:50:00 - [110]
 

I had been sent a couple of e-mails, supposedly from CCP, stating that PaybyCash is being phased out of EVE. Since that doesn't seem to have happened, could I know if the mail was really from CCP, or my e-mail address has been compromised?

Caoim Fearghul
Caldari
The First Church of the Azure Carrot
Posted - 2010.11.21 13:58:00 - [111]
 

Edited by: Caoim Fearghul on 21/11/2010 14:04:38
Originally by: CCP Sreegs
Originally by: Furb Killer


'Security experts' are already seriously advising people to write down passwords on paper since it is getting impossible to keep track of them. Specialised programs work, but as said before only if you won't lose the master pass (which isn't too hard, just write it down somewhere if you want to be sure) but also won't lose the database, which is a bit more of a problem if your HDD crashes. Additionally, you cannot log in anymore from other random locations.


I'd seriously question anyone who called themselves a security expert seriously advising anyone to write their passwords down on paper for anything other than a security philosophy blog which could just as likely be discussing the merits of applied quantum computing. That, in essence, changes the factor.


Considering the angles of attack it makes perfect sense.

It requires physical real world access in order to obtain it, which means all the technological knowledge in the world, all the packet sniffing, mail spoofing and so on will not aid them in obtaining it.

It crosses the digital divide and secures it from all remote access attempts.

There is no cryptology that might fail or the like.

Put the paper in a locked drawer or box for when you need to remember it, and voila: someone who can gain access to it is unlikely to be interested in it, being able to realize capital much faster from, say, your television or the computer itself. It's something I've looked at extensively when studying the evolution of espionage at university. It's for similar reasons that isolated networks are more secure than those connected to the web: there is a physical separation that has to be overcome in order to access the information.

Edit: I'll also add that it comes with serious benefits: it is low technology and low cost, is easily implemented by any user and greatly increases the exposure cost of attempting to gain the information. After all, no system is 100% secure; it's just a matter of trying to make the cost/risk of gaining access unacceptably high for the rewards it offers. Requiring physical exposure to gain that access is a huge jump in the risk factor.

Tusseluring
Posted - 2010.11.21 14:22:00 - [112]
 

Updating the browser and running some antivirus software isn't quite enough IMO.
It's just as important to update Flash, Shockwave, QuickTime, Java, Adobe Reader, all those programs that your browser might use as plugins to render webpage content.

Check out secunia.com and test their vulnerability scanner. It isn't an antivirus program and doesn't search for malware; it scans your normal programs and plugins to check if there are security-related updates for them, and then tells you what and how to update, and how dangerous any vulnerabilities in your software are.

Ackbarre
Minmatar
GoonWaffe
Goonswarm Federation
Posted - 2010.11.21 15:01:00 - [113]
 

With every keyfob purchased the buyer should be given a lovely T-Shirt like this one.

T-Shirt

TheLostPenguin
Posted - 2010.11.21 15:22:00 - [114]
 

I wonder if there's some sweepstake going on in the CCP office as to who can lose the most customers; now it's not only stupid changes to gameplay/client but you want to make it harder and harder just to get to even playing the game as well? Keyfobs and other such similar additional measures are little more than a placebo; if they're not required to access the commercial bank accounts (held with a large international bank) where I work then I really have to question the usefulness of them. Let's face it, if anything needs securing it's business banking, vastly more than videogame assets. By all means offer this as an OPTION to those that would feel better for using it, just don't ram it down our throats like every other dumb idea you (CCP) come up with ingame.

Also can we please have an option to disable the stupid popup asking for a char name to log into the forums EVERY SINGLE TIME I login to the forums? After all it's not like logging into the forums is the first thing I'd be doing if I'd just gotten hold of someone's login details with a view to draining their stuff; it's just an annoying nuisance that does nothing for security as I can login to the game just fine without triggering it regardless of how I'm connecting.

By all means add as many bells and whistles to security layers as you like, just let those of us that aren't complete ******s carry on using a perfectly acceptable level of security in a username/password combo and let the paranoid/stupid ones have loads of extra stuff that won't help against most attacks/will be bypassed when they give away their details anyway.

Imhothar Xarodit
Minmatar
Wolverine Solutions
Posted - 2010.11.21 16:45:00 - [115]
 

I don't know if this has changed in the meantime, but last time I changed my password or email address, I did not get a mail (to the old mail account of course) to confirm this change.

So as long as the attackers are unable to read my mails, I can at least get a warning that someone is doing something bad and react to it.

This would of course only work if the attacker actually tried to change email/password in order to lock me out.

Something like a "panic button" to immediately shut down the account and kick the current player could be interesting, as long as it's only available to me via mail.

0oO0oOoOo0o
Posted - 2010.11.21 16:49:00 - [116]
 

I sometimes ask myself what I'd do if I got hacked and the hacker stole all my accounts (game accounts, banking accounts and such).
The priority would probably be on finding the hacker in RL, maybe with the help of the police by filing an offence report. Once I got the hacker's RL name and address ... well ... may god have mercy on him and his family.


Removed comments that aren't appropriate for the forums. - Adida

Iokasti palaiologou
Posted - 2010.11.21 18:43:00 - [117]
 

First of all let me congratulate you on the analysis, and welcome to our little-big universe CCP Sreegs.

I am kind of wondering though. Today, with not so much money, we can have a webcam or even a fingerprint scanner or a microphone. I feel that biometrics should/could be used as a means for our own security. I realise that this is a big issue for some, but at least CCP has proven to be trustworthy.

I would like to see some implementation of one sort or the other of such means in order to enhance our security.

Also I would like to ask AGAIN for wallet divisions that COULD have password protection as well.

That alone should ruin the day out of every second hacker....


Luc Picard
Imperial Dreams
Curatores Veritatis Alliance
Posted - 2010.11.21 22:23:00 - [118]
 

Seriously, it can't be that difficult to get a key generator solution for EVE? It should be put very high on your prio list IMO; the game has been running for so many years and still you don't offer this service.

NOGC BLAST
Posted - 2010.11.21 22:31:00 - [119]
 

CCP Sreegs, you mentioned something called Sandboxie... where do we get it, as there could be many fakes out there, and I would like to avoid that.
I'm sure others feel the same.

BeanBagKing
Terra Incognita
Intrepid Crossing
Posted - 2010.11.21 23:00:00 - [120]
 

Great blog, a few things though. Changing passwords is great, and even better is not reusing passwords anywhere else, but as others have pointed out it's unrealistic; I've lost count of the number of websites I've registered on. I guess you've already replied to this and said there's no perfect solution to the matter. I don't like the thought of a corrupted hard drive and every one of my passwords being gone, and I don't want to write them down either. Personally though I'd like to hear IT stop saying this and recommending over 9000 different passwords all with numbers and symbols and see them do something about the problem. Yea, easier said than done, and I'm not blaming you; I think the security industry in general needs to start moving on from passwords, they are no longer realistic for anything other than the most basic security. Maybe iris scanners should start being a standard piece of computer hardware.

Also, what others have said about changing account name. Same about forum ID/password.

