New Dev Blog: Account Security and You!
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 3 4 [5] 6


Typhado3
Minmatar
Posted - 2010.11.22 00:02:00 - [121]
 

Originally by: Chribba
I would still very much like to be able to lock my accounts to my static IP...

/c


This

Jimu Orgas
Bene Gesserit ChapterHouse
Sanctuary Pact
Posted - 2010.11.22 00:19:00 - [122]
 

Edited by: Jimu Orgas on 22/11/2010 00:19:05
Originally by: Twigand Berries
i left my account open on a public computer in new jersey

what do i do?


Not to worry, my goonish friend! I live in NJ, and would be happy to take care of this for you. Please send me the location of this public computer and it will be handled. Very, very thoroughly....


Jimu Orgas
Bene Gesserit ChapterHouse
Sanctuary Pact
Posted - 2010.11.22 00:24:00 - [123]
 

Originally by: CCP Sreegs

I can tell you that as a Security Guy I completely understand the value of a second factor of authentication and I can tell you that it would be silly of me not to have it on my list of things which could improve security. I cannot however at this point say that it will definitely be implemented or give any timeframes for when such implementation could theoretically occur. You can trust however that as soon as we have new features to talk about from a security perspective I will run immediately to the forums to tell everyone.


Here's some good "business" ammunition for you: CCP can make some money off of this. Set the price for a hardware authentication token == one PLEX. That moves CCP closer to the idea that PLEX can be used for a variety of things - subscriptions, remaps, name/appearance changes, etc. This fuels the PLEX market and increases revenue for CCP. At the same time, you reduce your internal customer support costs due to a lower level of account penetrations. "The customers seem to want X" or "The security guys think Y is a good idea" will not get your prioritized resources. "We have a way to make more money while making customers happy and increasing security", however, will get you the resources you need. And we get a better game.

Ryunosuke Kusanagi
Posted - 2010.11.22 04:14:00 - [124]
 

okay... but if I have to submit to Gropings or "enhanced patdowns" to access my acct info.... you will have to buy me dinner first :)

Detshni
Caldari
Posted - 2010.11.22 07:08:00 - [125]
 

so when is CCP getting us an authenticator? I have one for WoW and haven't been hacked since.

Callidus Dux
Caldari
Posted - 2010.11.22 13:04:00 - [126]
 

Point: 10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:

I want different account names and another password for EVEGate than I use in EVE itself. I am not so dumb as to log in from a computer which is not my own or under my control.

Quotation from EVEGate: EVE Gate increases your ability to participate in and further enjoy EVE Online from virtually anywhere.

That's nonsense if I must use my real EVE-Account data. Or did I miss something? This is also one reason why I do not use EVEGate. I have installed EVE on my computer. I can do everything in EVE. Therefore I do not need EVEGate. Logging on from an unknown system seems to be a bad idea when I am forced to log in with my real account data.

Please correct me if I am wrong. :-/

Abdiel Kavash
Caldari
Paladin Order
Fidelas Constans
Posted - 2010.11.22 14:00:00 - [127]
 

Originally by: Callidus Dux
Point: 10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:

I want different account names and another password for EVEGate than I use in EVE itself. I am not so dumb as to log in from a computer which is not my own or under my control.

Quotation from EVEGate: EVE Gate increases your ability to participate in and further enjoy EVE Online from virtually anywhere.

That's nonsense if I must use my real EVE-Account data. Or did I miss something? This is also one reason why I do not use EVEGate. I have installed EVE on my computer. I can do everything in EVE. Therefore I do not need EVEGate. Logging on from an unknown system seems to be a bad idea when I am forced to log in with my real account data.

Please correct me if I am wrong. :-/


This please. Why bother with authentication magic tokens of hacking resist +10, when you are forcing people to use their game credentials every time they want to access the forums or the Gate?

Gabriel Ironfist
Posted - 2010.11.22 14:02:00 - [128]
 

Will you allow us to change our usernames as well, like the passwords? That would add another layer of security...

CCP Sreegs

Posted - 2010.11.22 15:39:00 - [129]
 

Originally by: Comstr


Will you be working against the botters and RMTers too?





Ok, I'm gonna take some time to go through and address some more of the questions here now starting with this one.

I don't have a direct role dealing with normal in-game activity. There can be a bit of crossover but we have a team of very cool dudes who handle the in-game stuff. An area of crossover may be, for instance, that we don't consider RMT and hacking to be that far removed, as I stated in my blog.

CCP Sreegs

Posted - 2010.11.22 15:56:00 - [130]
 

Originally by: Shade Millith
Recently, I was going to change my PW's, for both my accounts.

I then discovered that I would also be required to use a capital letter, in addition to a number.

So I didn't.

Putting restrictions on PW's doesn't help keep accounts secure, it just means that I'm more and more likely going to HAVE to write the PW down somewhere. Along with the 30 other PW's and accounts.

This kind of 'defence' does nothing to shield from a keylogger. And I doubt bruteforcing a PW would work at all, considering the amount of effort you're using to scream to protect our accounts, I'd imagine you'd have a limit of logins before an alarm goes off.

TL;DR I'm sick of your PW limitations, and I'm less secure because of them. They either don't help, or CCP's security is poorly thought out




I'm just going to use this as a general catch-all for "I hate changing passwords, they suck and it doesn't fix anything". I did explain in the blog why, not just I, but virtually everyone you have an account with somewhere asks you to change your passwords with some regularity. As you use and reuse passwords across forums and various other accounts, each account becomes only as secure as the least secure system you used it on. I can tell you that Eve alliance and corporation forums are hacked quite regularly. I can tell you that when they are hacked the password tables are pulled down, and then cracked offline. This is one example of why we ask you to change your password regularly.

The reason for increased character constraints in passwords is typically to increase the amount of effort required to crack the password. An increased number or type of characters involved in password creation means an exponential increase in the amount of time required to break that password. This is the common wisdom and ignores cryptographic attacks.

I do agree that as an industry security folks need to come up with different ways to handle this. I also agree that there comes a time when users simply won't or can't meet the requirements easily. Unfortunately, to quote Donald Rumsfeld "you go to war with the army you have---not the army you might want or wish to have at a later time." Today the password is the gateway to your account and this is the best way to secure it so it's the best advice I can give. In the future that will change somehow in some way, just not today.

For extra credit there was a study done by the Usable Privacy and Security Laboratory at Carnegie Mellon about password usage that delved into this exact topic. You may find it interesting. Carnegie Mellon Password Study

CCP Sreegs

Posted - 2010.11.22 16:09:00 - [131]
 

Originally by: Caoim Fearghul


Considering the angles of attack it makes perfect sense.

It requires physical real world access in order to obtain it, which means all the technological knowledge in the world, all the packet sniffing, mail spoofing and so on will not aid them in obtaining it.

It crosses the digital divide and secures it from all remote access attempts.

There is no cryptology that might fail or the like.

Put the paper in a locked drawer or box for when you need to remember it, and voila, someone that can gain access to it is unlikely to be interested in, being able to realize much faster capital from say your television or computer itself. It's something I've looked at extensively when studying the evolution of espionage at university. It's for similar reasons that isolated networks are more secure than those connected to the web, there is a physical separation that has to be overcome in order to access the information.

Edit: I'll also add that it comes with serious benefits, it is low technology and cost. Is easily implemented by any user and greatly increases the exposure cost of attempting to gain the information. After all, no system is 100% secure, it's just a matter of trying to make the cost/risk of gaining access unacceptably high for the rewards it offers. Requiring physical exposure to gain that access is a huge jump in the risk factor.


I don't disagree with what you're saying on its face that perhaps that factor would be a less risky factor. I think in general my point was meant to be that when you lock your password in a drawer and forget it you're merely changing the factor. I'll explain a bit:

A "Factor" is something which is used to determine the identity of the person requesting access to a particular piece of information. There are three known factors available today for use in this regard:

1. Something you know - A password for example
2. Something you have - A token, a phone or a smart card are the most common implementations
3. Something you are - This is biometrics such as fingerprint, voice or eye scanners

Passwords are something people are used to dealing with. They're mobile and a piece of paper locked in a drawer at home is not. A piece of paper in your pocket isn't really anywhere near as safe as one locked in your home. People want their Eve accounts to be available wherever they are. My belief is that it is preferable to decrease the complexity of the password factor to one that is easily remembered by most people, and add an additional factor for authentication to get the most bang for the buck.

I'm rambling I think but my point is that by writing down a password you merely change the factor which from a theoretical standpoint doesn't necessarily have the hugest impact on security. This is why when you see banks implement tokens or "Something you have", they still require you to have a password.
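The three factors CCP Sreegs lists above are easiest to see in code. What follows is an added example, not CCP's code and not anything from EVE's login system: it checks a "something you know" factor (a password stored as a salted PBKDF2 hash) together with a "something you have" factor, a time-based one-time code of the RFC 6238 kind that phone authenticator apps and hardware tokens generate. The account record, salt and shared secret are constructed for the example; the 30-second step, 6-digit code and one-step drift window are the usual defaults and are assumptions here.

```python
# Added example: two-factor login check, "something you know" + "something you have".
# Not CCP code. The account record below is constructed for the demo.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step). Token and server share `secret`."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps (clock drift).
    Constant-time comparison so a partially right code is not measurably 'closer'."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password factor: store a salted, slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Both are evaluated regardless, so response time does not
    reveal which one failed."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


def demo_login():
    """Constructed account: enrol a user, then try one correct and one wrong-code login.
    Returns (good_result, bad_result)."""
    salt = b"constructed-salt-16b"                    # constructed; use os.urandom(16) in practice
    record = {
        "salt": salt,
        "pw_hash": hash_password("correct horse battery staple", salt),
        "totp_secret": b"12345678901234567890",      # the RFC 6238 test-vector secret, for the demo
    }
    now = 1111111109                                  # a fixed timestamp from the RFC test vectors
    good = login(record, "correct horse battery staple", totp(record["totp_secret"], now), now)
    bad = login(record, "correct horse battery staple", "287082", now)  # code from a stale step
    return good, bad


if __name__ == "__main__":
    print("RFC 6238 vector, t=59:", totp(b"12345678901234567890", 59))   # 287082
    print("demo login (good, bad):", demo_login())                        # (True, False)
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1, 6 digits) reproduce with `totp`, which is the check that this matches what real authenticator apps compute. The drift window is the trade-off the bank-token analogy hides: a wider window tolerates more clock skew on the user's device but also widens the set of codes accepted at any moment, so keep it at one or two steps and rate-limit failed attempts on the server.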


CCP Sreegs

Posted - 2010.11.22 16:10:00 - [132]
 

Originally by: Tusseluring
Updating the browser and running some antivirus software isn't quite enough imo.
It's just as important to update flash, shockwave, quicktime, java, adobe reader, all those programs that your browser might use as plugins to render webpage content.

Check out secunia.com and test their vulnerability scanner, it isn't an antivirus program, it doesn't search for malware, it scans your normal programs and plugins to check if there are security-related updates to them, and then tell you what and how to update, and how dangerous any vulnerabilities in your software are.


This is a good point and sadly one I missed when writing the blog. Thanks!

CCP Sreegs

Posted - 2010.11.22 16:14:00 - [133]
 

Originally by: TheLostPenguin
I wonder if there's some sweepstake going on in the CCP office as to who can lose the most customers, now it's not only stupid changes to gameplay/client but you want to make it harder and harder just to get to even playing the game as well? Keyfobs and other such similar additional measures are little more than a placebo, if they're not required to access the commercial bank accounts (held with a large international bank) where I work then I really have to question the usefulness of them, let's face it if anything needs securing it's business banking vastly more than videogame assets. By all means offer this as an OPTION to those that would feel better for using it, just don't ram it down our throats like every other dumb idea you (CCP) come up with ingame.

Also can we please have an option to disable the stupid popup asking for a char name to log into the forums EVERY SINGLE TIME I login to the forums? After all it's not like logging into the forums is the first thing I'd be doing if I'd just gotten hold of someone's login details with a view to draining their stuffs, it's just an annoying nuisance that does nothing for security as I can login to the game just fine without triggering it regardless of how I'm connecting.

By all means add as many bells and whistles to security layers as you like, just let those of us that aren't complete ******s carry on using a perfectly acceptable level of security in a username/password combo and let the paranoid/stupid ones have loads of extra stuff that won't help against most attacks/will be bypassed when they give away their details anyway.


If you have any actual published data that speaks to your claim that multiple factors of authentication are a placebo I'd be very interested in seeing it, because this is literally the first time I've ever heard someone say that in my life. I'm happy to be educated however.

CCP Sreegs

Posted - 2010.11.22 16:16:00 - [134]
 

Originally by: Iokasti palaiologou
First of all let me congratulate you on the analysis, and welcome to our little-big universe CCP Sreegs.

I am kind of wondering though. Today with not so much money we can have a web cam or even a fingerprint scanner or a microphone. I feel that biometrics should-could be used as means for our own security. I realise that this is a big issue for some, but at least CCP has proven to be trustworthy.

I would like to see some implementation of one sort or the other of such means in order to enhance our security.

Also I would like to ask AGAIN for wallet divisions that COULD have password protection as well.

That alone should ruin the day out of every second hacker....




I don't think we'll be considering the use of biometrics for Eve logins any time soon. I'm pretty sure there are technological as well as legal hurdles on a global scale that make this an undesirable solution to the problem. I use them personally to increase my authentication factors, but I'm not aware of anyone anywhere using them to authenticate a videogame account.

CCP Sreegs

Posted - 2010.11.22 16:17:00 - [135]
 

Originally by: NOGC BLAST
CCP Sreegs, you mentioned something called Sandboxie... where do we get it, as there could be many fakes out there, and i would like to avoid that.
I'm sure others feel the same.


Sandboxie

CCP Sreegs

Posted - 2010.11.22 16:18:00 - [136]
 

Originally by: Callidus Dux
Point: 10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:

I want different account names and another password for EVEGate than I use in EVE itself. I am not so dumb as to log in from a computer which is not my own or under my control.

Quotation from EVEGate: EVE Gate increases your ability to participate in and further enjoy EVE Online from virtually anywhere.

That's nonsense if I must use my real EVE-Account data. Or did I miss something? This is also one reason why I do not use EVEGate. I have installed EVE on my computer. I can do everything in EVE. Therefore I do not need EVEGate. Logging on from an unknown system seems to be a bad idea when I am forced to log in with my real account data.

Please correct me if I am wrong. :-/


We own Eve Gate so I'm not sure what you're asking? If you'd clarify I'd like to understand it.

CCP Sreegs

Posted - 2010.11.22 16:20:00 - [137]
 

Edited by: CCP Sreegs on 22/11/2010 16:30:19
Originally by: Gabriel Ironfist
Will you allow us to change our usernames as well, like the passwords? That would add another layer of security...


I will look into this. I don't expect a quick answer because of how this data is handled. If we make this change you guys will be the first to know about it.

Alexander Renoir
Posted - 2010.11.22 16:55:00 - [138]
 

Edited by: Alexander Renoir on 22/11/2010 17:26:22
Edited by: Alexander Renoir on 22/11/2010 17:25:17
Edited by: Alexander Renoir on 22/11/2010 17:11:08
Originally by: CCP Sreegs
Originally by: Callidus Dux
Point: 10. NEVER EVER EVER USE THE SAME USERNAME OR PASSWORD ON ANOTHER SITE ON THE INTERNET ANYWHERE EVER - :mad:

I want different account names and another password for EVEGate than I use in EVE itself. I am not so dumb as to log in from a computer which is not my own or under my control.

Quotation from EVEGate: EVE Gate increases your ability to participate in and further enjoy EVE Online from virtually anywhere.

That's nonsense if I must use my real EVE-Account data. Or did I miss something? This is also one reason why I do not use EVEGate. I have installed EVE on my computer. I can do everything in EVE. Therefore I do not need EVEGate. Logging on from an unknown system seems to be a bad idea when I am forced to log in with my real account data.

Please correct me if I am wrong. :-/


We own Eve Gate so I'm not sure what you're asking? If you'd clarify I'd like to understand it.


The official main reason for EVE Gate is: Quotation from EVEGate: EVE Gate increases your ability to participate in and further enjoy EVE Online from virtually anywhere.

I will not use another computer than my own to log in on EVE Gate, if I can not be sure that this computer is clean or safe. For example I think it would be dumb to use EVE Gate from a computer in an internet cafe or from my buddy who downloads a lot of **** :-) Because of keyloggers etc.

I have installed EVE on all my EVE-relevant computers. I can do all things in EVE (the game) which I can do in EVE Gate. The risk of sharing my account details with other people who control the keylogger is too high. Therefore the main advantage of being "part of the EVE community from everywhere" is no advantage, if I am forced to use my real EVE Account Names and passwords to log in and have the risk of sharing my account details with others. I hope I have made clear what I mean and say sorry for my little rugged English. :-)
Btw a good blog CCP Sreegs. But point 10 is the main reason why I do not use EVE Gate nor write a lot in this official EVE forum (from other computers than my own). Therefore EVE Gate is useless for me. :-(

Callidus Dux
Caldari
Posted - 2010.11.22 16:58:00 - [139]
 

Alexander Renoir = Callidus Dux. You see.. I do not use this forum often. :-)

Rok Asgard
Posted - 2010.11.22 20:05:00 - [140]
 

Sreegs, thanks for the post. Two thoughts:

- Add "run your browser without administrative rights" to the list of simple things you can do to prevent compromise. User-land processes cannot hook into critical APIs needed for things like keystroke logging and DNS manipulation. Malware would need to chain exploits to do anything useful and that makes it way harder for the bad guys. This applies to any O/S, but it's especially true for Windows. According to Ars Technica, 94% of all IE exploits were harmless without admin rights to leverage.
http://arstechnica.com/microsoft/news/2010/03/half-of-windows-flaws-mitigated-by-removing-admin-rights.ars

- Offer me the option to restrict my game client logins to my network block (i.e. inetnum from Arin, RIPENCC, APNIC, etc). Giving it a 30 second think, I'm sure it's been kicked about by CCP and issues around reliably implementing in a user friendly way discussed, but if it were possible it would be a huge win.

BeanBagKing
Terra Incognita
Intrepid Crossing
Posted - 2010.11.22 21:27:00 - [141]
 

Originally by: CCP Sreegs
I don't think we'll be considering the use of biometrics for Eve logins any time soon. I'm pretty sure there are technological as well as legal hurdles on a global scale that make this an undesirable solution to the problem. I use them personally to increase my authentication factors, but I'm not aware of anyone anywhere using them to authenticate a videogame account.


I've always wondered why this hasn't become a default by now. Sure there are ways to hack biometrics, nothing will ever be 100% secure, but it seems to me like this is the most logical choice for security. First of all, it's "something you are" to quote your #3 point for a post above. You don't have to memorize it (password), you don't have to remember not to leave it at home (fobs), and nobody else has the same one. The fact that it's unique means it would be near impossible to duplicate or brute force. Hell, you wouldn't even need a username anymore, a fingerprint would act as both a username and a password.

I understand where some people would object to biometric identification, it can be seen as a very private piece of info, despite the fact that my fingerprint is probably in about 3 dozen places this morning alone. However, I don't see where a problem could be in making it an option (similar to fobs).

CCP leads the way right? Being bold and innovative right? If you feel this could improve security, I don't see any reason why CCP should seriously be looking to implement this technology, at least as an optional measure. Perhaps it would turn out to be impossible thanks to the lawyers, but why say you aren't even considering it, if indeed you do feel it would help.

Hoshi
Hedron Industries
Red Dwarf Racketeering Division
Posted - 2010.11.22 21:50:00 - [142]
 

Originally by: CCP Sreegs
Originally by: Shade Millith
Recently, I was going to change my PW's, for both my accounts.

I then discovered that I would also be required to use a capital letter, in addition to a number.

So I didn't.



I'm just going to use this as a general catch-all for "I hate changing passwords, they suck and it doesn't fix anything".

That just means you don't get the problem.

I used to use the same password for eve as I use everywhere else but a while ago I changed it to something that I use only for EVE. Now luckily I did this before you changed the requirements to include a capital letter and a number because had that requirement been there at that time I would not have changed my password and because of it I will never under any circumstances change my password for eve again.

Should you force me to I would just stop playing eve instead because having to write a password like that several times per day is not worth the hassle to me. Security is always a walk on a tightrope with security on one side and inconvenience on the other and your password requirement fell off on the wrong side.

Marlenus
Ironfleet Towing And Salvage
Posted - 2010.11.22 22:22:00 - [143]
 

Let me echo Hoshi in mellower terms.

EVE is, at the end of the day, a game. Thus I think the amount of inconvenience we users should be required to undergo for the security of our accounts should be, to an extent, up to us. Certainly that's the case when it comes to password complexity.

Remembering and typing a password that's got X mandatory numerals, Y mandatory special characters, and Z mandatory capitals is a monumental pain in the arse. Is it kosher to recommend that a password contain some numerals and capitals? Sure. But if a user wants to stick with the password he can type entirely with his left hand from the home row while he grabs a swig of beer with his right, because that's his password paradigm that he's been using since he started logging onto mainframes in 1983, well, it's just a game; I think it's reasonable to let him.

Cyril
Hounds Of War
Intergalactic Exports Group
Posted - 2010.11.23 03:59:00 - [144]
 

Here is my take on a few things.

1. Sandboxing good and not all that hard.

2. Password management is nice because I have hundreds of logins. lastpass.com is my manager of choice, using a yubikey OTP authentication to access it on everything but my home PC. It will even find weak and duplicated passwords for you.

3. The joy of EvE from a LEO/Intel point of view is that you have access to all information. There are several standard techniques (hope I don't give away any of your secrets here): association matrices, link diagrams, org charts, etc. that could be easily generated in the logging system regardless of how it is implemented. This data could be all done on a pseudo-random ID for every character, corp, alliance, and item so the security assessment can be done without bias. There are several events that could trigger alerts on elevated notices. The key is to get the code working efficiently enough that the overwhelming number of times that a suspicious activity is reported to a person (be it Sr GM or Dev) that it is legit. I have more specific ideas about how to implement some of this so if you want to know more please let me know.

CCP Sreegs

Posted - 2010.11.23 16:19:00 - [145]
 

Originally by: Hoshi

That just means you don't get the problem.

I used to use the same password for eve as I use everywhere else but a while ago I changed it to something that I use only for EVE. Now luckily I did this before you changed the requirements to include a capital letter and a number because had that requirement been there at that time I would not have changed my password and because of it I will never under any circumstances change my password for eve again.

Should you force me to I would just stop playing eve instead because having to write a password like that several times per day is not worth the hassle to me. Security is always a walk on a tightrope with security on one side and inconvenience on the other and your password requirement fell off on the wrong side.


I think you'll find that if you read the rest of the response you quoted we've both said essentially the same thing. Today passwords are what we have, so I can't speak to how you can better secure your account today based on what may be in the future. This is today not the future.

Burzrujat
Posted - 2010.11.23 23:42:00 - [146]
 

I would pretty much love CCP if you made an authenticator similar to the one used by Battle.Net. They also have an Android application (and iPhone app) that serves the same purpose as a physical dedicated authenticator.

Annatar
The Galactic Empire
Executive Outcomes
Posted - 2010.11.27 19:41:00 - [147]
 

Originally by: Burzrujat
I would pretty much love CCP if you made an authenticator similar to the one used by Battle.Net. They also have an Android application (and iPhone app) that serves the same purpose as a physical dedicated authenticator.


I would even be happy to pay 50 Bucks/Euro or whatsoever to KNOW my account is safe.

The WoW app is the one and only I know of (in the gaming sector, of course) and I would be happy to see Eve Online can also match with the same possible Account Security.

I doubt that buy / develop the Stuff can be that hard.
Additionally, everyone with a RandomAccountLoginKeyphrase Calculator can't be using ISK/farm services bc nobody can get in there when the passphrase changes every 10 sec.

QuanTze Yang
Amarr
Imperial Academy
Posted - 2010.12.05 17:35:00 - [148]
 

Welcome aboard Sreegs,
Here's my suggestion to help with security.

Stop putting my actual account name in your email subscription reminders.

Use the player name, alt name, email name, my REAL name or even "Dear Eve Player/ Hey Dummy/ Sup' Noob?",
but don't put the actual account name in the email.

I have initiated several petitions on this, with no change, as yet.

Thanks and good luck in the new job

Bladacticus
SOL Industries
Black Thorne Alliance
Posted - 2010.12.07 20:38:00 - [149]
 

While I am thankful that EVE and other online businesses go to great lengths to ensure my account security, I am, however, confused about one thing. For every online account, there are password rules, or guidelines intended to make people use passwords more likely to thwart hacking attempts. I have to type a minimum of 8 characters including letters (upper and lowercase) and numbers and even, in some cases, special characters. So can anyone tell me, why we have all these rules for online passwords, yet when I use my debit/atm card, my pin is only a 4 digit number? Isn't it ironic that we take huge precautions with our virtual assets yet appear to allow anyone who has a few minutes to try all the 4 digit numbers access to our real world assets?

Blad
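CCP Sreegs' reply earlier on this page (why leaked password tables get cracked offline, and why each extra character class raises the cost exponentially) and Bladacticus's question about 4-digit PINs are the same calculation seen from two sides. The following is an added example, not from the dev blog or from CCP: it computes the keyspace of a few password policies and the expected time to guess a random password under two attacker models, offline against a stolen hash at an assumed hash rate, and online against a login endpoint that locks the account after a few failures. All policies, rates and lockout values are illustrative assumptions, and the entropy figures assume uniformly random passwords; human-chosen passwords fall to dictionary guessing far sooner, which is the point of the Carnegie Mellon study Sreegs links.

```python
# Added example (not CCP code): password policy keyspace vs. online and offline guessing.
import math

# Character classes a policy can require (printable ASCII split into the usual groups).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, classes) -> int:
    """Number of distinct strings of `length` characters drawn from the union of `classes`.
    Adding a class grows the base; adding a character multiplies by the whole base."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def entropy_bits(length: int, classes) -> float:
    """Bits of entropy for a uniformly random password under the policy."""
    return math.log2(keyspace(length, classes))


def offline_seconds(space: int, hashes_per_second: float) -> float:
    """Attacker holds the hash dump (the 'password tables pulled down' case):
    limited only by hardware; expected guesses to hit a random password is half the space."""
    return (space / 2) / hashes_per_second


def online_seconds(space: int, attempts_per_window: int, window_seconds: int) -> float:
    """Attacker can only submit login attempts; the lockout policy caps the rate at
    attempts_per_window / window_seconds regardless of their hardware."""
    return (space / 2) / (attempts_per_window / window_seconds)


def compare_policies(policies: dict, offline_rate: float,
                     attempts_per_window: int, window_seconds: int) -> dict:
    """Return {policy name: (bits, offline_years, online_years)}."""
    result = {}
    for name, (length, classes) in policies.items():
        space = keyspace(length, classes)
        result[name] = (
            round(entropy_bits(length, classes), 1),
            offline_seconds(space, offline_rate) / SECONDS_PER_YEAR,
            online_seconds(space, attempts_per_window, window_seconds) / SECONDS_PER_YEAR,
        )
    return result


# Constructed policies and assumed attacker parameters (illustrative, not measured values).
POLICIES = {
    "4-digit PIN": (4, ["digit"]),
    "8 lowercase": (8, ["lower"]),
    "8 mixed case + digit": (8, ["lower", "upper", "digit"]),
    "12 all classes": (12, ["lower", "upper", "digit", "symbol"]),
}
OFFLINE_RATE = 10 ** 10                      # assumed: fast unsalted hash on GPU hardware
LOCKOUT_ATTEMPTS, LOCKOUT_WINDOW = 5, 15 * 60  # assumed: 5 failures, then a 15-minute lock


def policy_table() -> dict:
    """The comparison under the assumptions above (what the demo below prints)."""
    return compare_policies(POLICIES, OFFLINE_RATE, LOCKOUT_ATTEMPTS, LOCKOUT_WINDOW)


if __name__ == "__main__":
    for name, (bits, off_y, on_y) in policy_table().items():
        print(f"{name:22s} {bits:6.1f} bits   offline {off_y:10.3g} y   online {on_y:10.3g} y")
```

Printing the table shows why the PIN question has the answer it does: a 4-digit PIN that is only ever tested online, through a channel that locks after a few attempts (and, for a card, also needs the physical card), takes longer to exhaust than an 8-letter password whose hash has leaked from a forum database, because the attacker of the hash is limited only by hardware. On the server side, a salted slow hash (PBKDF2, bcrypt, scrypt) lowers `OFFLINE_RATE` by several orders of magnitude; on the user side, a unique password per site means one forum's leak no longer prices every other account.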

Balaenidae Megaptera
Posted - 2010.12.08 15:14:00 - [150]
 

RSS keys please. They are cheap and effective. WoW does it why not you guys?

http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24986&parentCategoryId&pageNumber=1&categoryId=4151

http://us.blizzard.com/store/details.xml?id=1100000822

