EVE General Discussion
CCP's Password Requirements may reduce security

This thread is older than 90 days and has been locked due to inactivity.

Pages: 1 2 [3] 4 5

Misanth
RABBLE RABBLE RABBLE
Posted - 2011.02.07 09:29:00 - [61]
 

5/10

Ashley Dinova
Very Important POD Pilots
Posted - 2011.02.07 11:38:00 - [62]
 

Originally by: masternerdguy
This has probably been brought up before, but in the old password system people could choose any password they wanted. Now you need capital letter(s) and numeric character(s).

Since most people are probably going to capitalize the first letter and add a 1 or something to the end, doesn't this lower account security? Also, doesn't it make an old password from before the changes more secure from the brute forcing?


If people are dumb enough to do that then yes (and some probably are).
Yes, you require at least ONE capital and ONE numeric, but that doesn't mean you can't use more,
plus you can use other symbols as well (#, !, @, etc)...

In short, no, it does not lessen security... my passwords, for example, cannot be guessed by a smart algorithm.
I don't care how smart it is, and by the time it finally guessed it, two things have happened:

(1) We're 100 years later
(2) I have changed my password


People are responsible for the strength of their own passwords,
if you use easy ones then that's your fault.

Artemis Rose
Clandestine Vector
THE SPACE P0LICE
Posted - 2011.02.07 11:52:00 - [63]
 

They should require you to use a password of randomly assorted characters, capitalized and uncapitalized, mixed with numbers. They can't force you to use a unique password, but it should be highly encouraged.

If you aren't doing that already, you really should start.

Wacktopia
Sicarius.
Legion of The Damned.
Posted - 2011.02.07 14:13:00 - [64]
 

Originally by: masternerdguy
blah blah-rabble rabble-load of carp


Have you been away? I've not seen a mng lolthread like this for a while...

Kara Sharalien
Gallente
Federal Navy Academy
Posted - 2011.02.07 14:16:00 - [65]
 

Edited by: Kara Sharalien on 07/02/2011 14:23:34
Originally by: T'Laar Bok
Originally by: Jenny Spitfire
I am sure you can buy a reception booster from your mobile provider.


They're illegal in AU and if they weren't I wouldn't pay around $800-$1000 just to get a password from CCP.



Passive reception boosters (also known as ****off huge antennas) are perfectly legal in Australia.

In addition, I shall point out again that if you require a password to be a minimum length, you dramatically reduce the number of tries needed to brute force a password.

Since CCP's minimum length is now 8 characters IIRC, including all characters (caps, numbers and symbols) on the standard US keyboard, that eliminates 24,928,547,056,768 possibilities.

My math is as follows:

82 different characters on my keyboard, any or all of which may be repeated. You no longer need to test all the permutations of passwords containing 7 or less characters, as you know it has at least 8. Thus, to find the total number of possible permutations of those keys that you no longer need to try, 82^7.

82*82*82*82*82*82*82

Please correct me if I'm wrong.

The key to any form of security is to give your enemy absolutely nothing to go on. By making a minimum password length and forcing a number, a letter and a caps (that's right, you can't have a password that contains only numbers and a caps, it has to have a lowercase letter as well), CCP has reduced account security, because they have told potential hackers that all passwords have those things in common. A more appropriate thing to do would be to suggest people make complex passwords, and accept that allowing some people to use bad (aka short or uncomplicated) passwords forces hackers to do things the long way for everyone.

Dr BattleSmith
PAX Interstellar Services
Posted - 2011.02.08 03:52:00 - [66]
 

Edited by: Dr BattleSmith on 08/02/2011 03:57:16
I don't believe.... Is there a study on this available somewhere?

I have seen many, many, many user passwords and the ******ed **** they use.
Most user passwords are *very* easy to crack.

I don't believe that forcing all these dumb users to use a proper password is a reduction in security.

Technically on the math of the number of combinations, sure.... some don't need to be checked anymore,
but this doesn't include the numbers on "how dumb people are".

From my perspective 50,000 users with proper passwords is better than 25,000 users with "mycharacterrocks" or "password1".

Val'Dore
Word Bearers of Chaos
Word of Chaos Undivided
Posted - 2011.02.08 04:19:00 - [67]
 

24 character passwords ftw.

Dr BattleSmith
PAX Interstellar Services
Posted - 2011.02.08 05:19:00 - [68]
 

Originally by: Val'Dore
24 character passwords ftw.


^^

KeePass is handy software for storing all your massive 100+ bit passwords.

1 strong password to access encrypted storage of all your extra strong passwords.

Ai Shun
Caldari
Posted - 2011.02.08 05:35:00 - [69]
 

There is a lot of intellectual ************ in this thread. Has anybody checked if CCP throttles password attempts? Or locks an account out after a certain number of retries? If that is the case - good luck on trying a brute force attack.

Val'Dore
Word Bearers of Chaos
Word of Chaos Undivided
Posted - 2011.02.08 05:38:00 - [70]
 

Originally by: Dr BattleSmith
Originally by: Val'Dore
24 character passwords ftw.


^^

KeePass is handy software for storing all your massive 100+ bit passwords.

1 strong password to access encrypted storage of all your extra strong passwords.



It actually ****es me off when a program or website limits pw length. I mean, what right do they have to tell me I can't have a more secure pw?

Kara Sharalien
Gallente
Federal Navy Academy
Posted - 2011.02.08 11:35:00 - [71]
 

Edited by: Kara Sharalien on 08/02/2011 11:35:30
Originally by: Ai Shun
There is a lot of intellectual ************ in this thread. Has anybody checked if CCP throttles password attempts? Or locks an account out after a certain number of retries? If that is the case - good luck on trying a brute force attack.


That is my very point. If you assume it takes 0.1 of a second to get a positive/negative response on a password attempt from CCP, assume there is no timeout on repeated failed attempts, assume that one computer is making only one attempt at a time and assume a *very* stupid password generation algorithm from the brute attack (most of which shouldn't be true but serve the purpose of demonstrating how much security has been lowered), CCP has wiped off 78,000 Years from the time it potentially takes to do a brute force attack.

So yea, a brute force attack was never really a risk from a number-crunching standpoint. But if you ask the question "have the password restrictions reduced security?" literally, yes they have. Significantly.

Nnamuachs
Caldari
Kiith Paktu
Curatores Veritatis Alliance
Posted - 2011.02.08 12:22:00 - [72]
 

Well this certainly makes me curious. Since the new password requirements are only for new and changed passwords, wouldn't this massively "increase" the security on people with old passwords that don't meet the new requirements?

Hakkar'al Gallente
Posted - 2011.02.08 14:04:00 - [73]
 

Yes the new password regime may make your login less secure.
But not as you think.

The more complex it is, the more likely it is that you write it down somewhere (preferably under your keyboard or tacked to the screen =p) instead of trying to remember it.

Barakkus
Posted - 2011.02.08 16:05:00 - [74]
 

Edited by: Barakkus on 08/02/2011 16:14:13
Originally by: Lex Alandar
In practice, brute force attacks against a server can not possibly occur at the rates from that linked table. Imagine the sheer number of proxy servers required for that. With a few thousand (that's a lot!!!) anonymous proxies at your disposal, you could make about 200 attempts a second.


Um no.
In regards to brute forcing TQ, then yes. In general, no.

And for all you going on and on about how long it takes to crack passwords in general, none of you have obviously used this: http://www.l0phtcrack.com/ It will crack moderately secure passwords in a lot less time than you think, it's not really applicable to the discussion of CCP's password policy though.

Myra2007
Millstone Industries
Posted - 2011.02.08 16:14:00 - [75]
 

Originally by: Wacktopia

Have you been away? I've not seen a mng lolthread like this for a while...


Shocked
Have YOU been away?

Dr BattleSmith
PAX Interstellar Services
Posted - 2011.02.09 02:27:00 - [76]
 

Originally by: Barakkus

And for all you going on and on about how long it takes to crack passwords in general, none of you have obviously used this:


LM hashes are weak and poorly implemented. Windows networking has always been insecure in this way.
It's fast because it only has to do half the work. Not really related to password strength and brute force CPU hours.

KaarBaak
Minmatar
Seatec Astronomy
Posted - 2011.02.09 02:40:00 - [77]
 


I'm pretty sure BF attacks are rarely used for account hacks, especially for MMOs since so many people freely give their passwords to account harvesters via RMT purchases, power-leveling sites, redundant password usage and generally poor web browsing habits.

Why spend 2 days trying to BF my way into someone's account when I can just set up a Lotto/Poker/KB site in 20 minutes and get dozens of people to send me their PWs?

Of course, if it's a targeted attack at a specific player...

KB


Akita T
Caldari Navy Volunteer Task Force
Posted - 2011.02.09 02:43:00 - [78]
 

Edited by: Akita T on 09/02/2011 02:46:14
Originally by: Hakkar'al Gallente
Yes the new password regime may make your login less secure.
But not as you think.
The more complex it is, the more likely it is that you write it down somewhere (preferably under your keyboard or tacked to the screen =p) instead of trying to remember it.

My "secure" passwords are between 12 and 15 characters long, contain at least 2 uppercase letters and at least 2 numbers, and I never write any of them down. Also, not afraid of dictionary attacks, most of the characters in there are nothing like any word in any language I know.
Obviously, my main account has one of those, and so do my important email accounts.
Alts, when any exist, or not-so-important logins, get slightly less secure ones, something like 8 to 10 characters long and one or two uppercases or numbers.
Of course, my "who cares if somebody breaks that" passwords are between 6 and 8 characters long and seldom contain anything other than lowercase letters... and there are just a few of them (which one is used is based on a "how much I trust the site" feeling - the less important and/or less secure-feeling get one of the crappier passwords).

Granted, it happens that I have to enter the "secure" passwords a few times if I don't use them for a while until I remember which one goes where and why I capitalized a particular letter instead of another.
Not amnesia-proof nor rubber-hose cryptanalysis safe, but it beats the alternatives.

Infinity Ziona
Minmatar
Cloakers
Posted - 2011.02.09 03:59:00 - [79]
 

Edited by: Infinity Ziona on 09/02/2011 04:02:05
Originally by: BeanBagKing
Edited by: BeanBagKing on 06/02/2011 17:42:19
Originally by: masternerdguy


yes but as a human being I know that people are more likely to cap first letter and put a # at the end.


A brute force attack, which is what was being discussed, doesn't rely on logic. Computers aren't human. etc.

I disagree with your comments so far.

A password of 8 characters is as close to or as easy to crack as a password of 8 characters (with a requirement of a mandatory capital letter and a number)

Reasons:

1. Human beings are predictable. A person whose password is 'cypher' will change his password to Cypher1. The only change here is that 'cypher' is capitalized and 1 is added to the end.

2. The average person, unless forced to pick a cryptic password, will use a password that is easily remembered and usually specific to the individual (child, car, interest etc). These will generally be common words. Lists of frequently used passwords are available on the internet.

3. Brute force attacks do rely on logic. The more logic the better. Brute force password hacks can and do use the above mentioned lists of words; they run them through from top to bottom. They can use regional information to run the most likely words, they can scan word processing documents, pull information from the Windows registry and run lowercase and uppercase with appended numbers.

Given the above, if passwords for a specific application are restricted, let's say a mandatory capital and a mandatory number, the program now can exclude all lowercase tries and all tries without numbers. Essentially cutting its count of tries by 66%.

Given that, and the understanding that most passwords are common words in available lists, the tries are cut from billions to the count of the words in the list / 2 (assuming upper and lowercase are in the list) * 9.

The best way to secure accounts is for the server to generate a random password for the user which the user writes down or stores somewhere, or by using an electronic device like Blizzard's Authenticator.

Kara Sharalien
Gallente
Federal Navy Academy
Posted - 2011.02.09 04:33:00 - [80]
 

Originally by: Infinity Ziona
or by using an electronic device like Blizzard's Authenticator.


I've said it before and I'll say it again. I want an EVE-themed authenticator. Even just as a thing to dangle off my keychain it would be worthwhile!

Dr BattleSmith
PAX Interstellar Services
Posted - 2011.02.09 04:36:00 - [81]
 

Interesting tidbit: EVE Online should have more secure passwords vs brute force than the average website due to the high proportion of male subscribers.

Female users often choose passwords which are the easiest to crack, usually some social relationship. People/pet names, birth dates etc.


Kesshisan
Minmatar
Posted - 2011.02.09 07:55:00 - [82]
 

Originally by: Akita T
Edited by: Akita T on 09/02/2011 02:46:14
My "secure" passwords are between 12 and 15 characters long, contain at least 2 uppercase letters and at least 2 numbers, and I never write any of them down. Also, not afraid of dictionary attacks, most of the characters in there are nothing alike any word in any language I know.


I discovered a very secure way to make passwords un-dictionary-attackable, yet still easy to remember and type fast.

First you need to learn another language. Or at least a phrase in another language. I will be using a Chinese phrase for "happy birthday" for this example. You can say "happy birthday" in Chinese by saying 祝你生日快乐. For those of you who don't read Chinese, the phonetics (in Mandarin) sounds something like "zhuni shengri kuaile" Subtract the spaces and you're at "zhunishergrikuaile."

Next you need to learn Dvorak. Convert your keyboard to QWERTY, and type Dvorak characters on it, or vice versa. For example, take the phrase "zhunishergrikuaile", put your keyboard in QWERTY mode, and type Dvorak. The output is:

"/jflg;jdluogv***pd"

Fake Edit: While previewing I noticed that the word f followed by an a and a g is in the above. Just in case you were wondering what the asterisks were.

And if your keyboard is in Dvorak mode, and you type QWERTY, the output is:

";dgbcod.bipctgacn."

Replace the characters most systems won't like, perhaps with a few numbers, figure out where you want your capital letters, and suddenly you have an extremely difficult to crack password, yet the password is still very easy to remember how to type (for you.) Even if you accidentally show your password to someone (Ever think you're in the wrong window and start typing? Oops!) it probably won't be memorized. I bet a lot of people would have problems with memorizing even half of it because there seems to be no pattern, organization, or sorting to the characters.

And by the way, my password is not a variation of "happy birthday." ;)

SkinSin
Posted - 2011.02.10 16:18:00 - [83]
 


Darth Mustache
Viziam
Posted - 2011.02.10 16:43:00 - [84]
 

Originally by: KaarBaak

Why spend 2-days trying to BF my way into someones account when I can just set a Lotto/Poker/KB site in 20 minutes and get dozens of people to send me their PWs?



This. Any random 3rd party sites will get the passwords for a ****load of accounts and without getting IPs flagged for brute-forcing some login form.

You'll often get the login/password for eveonline account or even better the login/password for email account then you get all Eve accounts + whatever other **** the person has.

KaarBaak
Minmatar
Seatec Astronomy
Posted - 2011.02.10 16:57:00 - [85]
 

Will you guys quit it already!? I've had to change my PW like 5 times since this thread started:

Originally by: Fkn Arson
Password1

Originally by: BeanBagKing
Administrator1

Originally by: Niccolado Starwalker
Masternerdguy1

Originally by: Scorpyn
Banana1

Originally by: Kesshisan
happybirthday


Just stop it!!


Aessoroz
Nohbdy.
Posted - 2011.02.10 16:58:00 - [86]
 

Edited by: Aessoroz on 10/02/2011 16:59:55
Edited by: Aessoroz on 10/02/2011 16:58:59
Originally by: Dr BattleSmith
Edited by: Dr BattleSmith on 08/02/2011 03:57:16
I don't believe.... Is there a study on this available somewhere?

I have seen many, many, many user passwords and the ******ed **** they use.
Most user passwords are *very* easy to crack.

I don't believe that forcing all these dumb users to use a proper password is a reduction in security.

Technically on the math of the number of combinations, sure.... some don't need to be checked anymore,
but this doesn't include the numbers on "how dumb people are".

From my perspective 50,000 users with proper passwords is better then 25,000 users with "mycharacterrocks" or "password1".



Here's a study on it http://research.microsoft.com/pubs/74162/hotsec07.pdf

Also there can just be 25,000 users with "Password1" :P

Azael Fox
Posted - 2011.02.10 17:00:00 - [87]
 

As a Security/Intelligence consultant, I find it funny that people are referencing those time tables when referring to brute force attacks against passwords, when in fact, statistically speaking, given the common nature of passwords for most users, it would be easy to brute force them far quicker than those tables. Just reference the recent case where a researcher purchased time off of Amazon's EC2 infrastructure and was able to crack passwords in minutes. Though given the nature of most script kiddies, you will not have to worry about it. There are too many variables to discuss and I do not have time, but this topic amused me.

CCP Sreegs

Posted - 2011.02.10 18:07:00 - [88]
 

boy howdy this sure is a thread

There's a great deal of discussion going on here which is pretty cool because a lot of people seem to be alternating between googling, reading, playing with calculators or simply making things up and all of those things mean you're spending time on the subject.

I'll give this comment with the caveat that I wasn't here to make the decision on the complexity requirement and it may change at some point, though not for the reasons listed in the OP, which are reaching a bit. For reasons already stated by other posters in this thread, the addition of character requirements such as uppercase or numerics is meant to increase the amount of time required to launch a successful brute force attack. Actually a specific KIND of brute force attack, as understood by me: taking either a list of static or random account names and throwing random data at each in order to try to guess a password.

Does this prevent every single type of password attack possible? No, not at all. It's not meant to. Security isn't changing a password requirement or pushing any other one magic button that makes things "safe". It's an ongoing process of analysis and response. In this particular case it was determined that for whatever reason we should up our complexity requirements. Perhaps that reason was just to bring them more in line with others, if nothing else.

To insinuate however that adding to your list of character choices makes your password somehow less safe is a bit of a stretch in my opinion. The only person who can make your password less safe is you. If our goal was to try to force you to have crazy passwords then we could certainly do so. We could say you must make your password 28 characters in length at a minimum and they must contain uppercase, lowercase, numeric, and Chinese characters and be changed every 2 days. Hi five guys I've just solved the password problem the rest of the world's been struggling with for years!

The reality is that any solution has to make some sacrifices for ease of access. Nobody is providing a perfect solution and you can look at pretty much any solution there is and point out the cracks in it. What we're doing today, which I'll be blogging about at some point in the nearish future, is looking at a combination of internal and external improvements which will roll out in waves. Sometimes you'll see it and when you do I'll point at it and go HEY LOOK! Sometimes you won't see it, but I'll have a spreadsheet that will make me happy as I sip some tea or something.

At the end of the day though if a simple change in password complexity can cause this much discussion I can't wait to see what happens in the next few months.

Azael Fox
Posted - 2011.02.10 18:39:00 - [89]
 

Originally by: CCP Sreegs
boy howdy this sure is a thread

There's a great deal of discussion going on here which is pretty cool because a lot of people seem to be alternating between googling, reading, playing with calculators or simply making things up and all of those things mean you're spending time on the subject.

I'll give this comment with the caveat that I wasn't here to make the decision on the complexity requirement and it may change at some point, though not for the reasons listed in the OP, which are reaching a bit. For reasons already stated by other posters in this thread, the addition of character requirements such as uppercase or numerics is meant to increase the amount of time required to launch a successful brute force attack. Actually a specific KIND of brute force attack, as understood by me: taking either a list of static or random account names and throwing random data at each in order to try to guess a password.

Does this prevent every single type of password attack possible? No, not at all. It's not meant to. Security isn't changing a password requirement or pushing any other one magic button that makes things "safe". It's an ongoing process of analysis and response. In this particular case it was determined that for whatever reason we should up our complexity requirements. Perhaps that reason was just to bring them more in line with others, if nothing else.

To insinuate however that adding to your list of character choices makes your password somehow less safe is a bit of a stretch in my opinion. The only person who can make your password less safe is you. If our goal was to try to force you to have crazy passwords then we could certainly do so. We could say you must make your password 28 characters in length at a minimum and they must contain uppercase, lowercase, numeric, and Chinese characters and be changed every 2 days. Hi five guys I've just solved the password problem the rest of the world's been struggling with for years!

The reality is that any solution has to make some sacrifices for ease of access. Nobody is providing a perfect solution and you can look at pretty much any solution there is and point out the cracks in it. What we're doing today, which I'll be blogging about at some point in the nearish future, is looking at a combination of internal and external improvements which will roll out in waves. Sometimes you'll see it and when you do I'll point at it and go HEY LOOK! Sometimes you won't see it, but I'll have a spreadsheet that will make me happy as I sip some tea or something.

At the end of the day though if a simple change in password complexity can cause this much discussion I can't wait to see what happens in the next few months.


Something I like to say when in meetings with clients. You can have the most complex passwords, the latest and greatest in security, and also the best policies put in place. At the end of the day, the weakest element in your setup is the human element.

beautyispain
Posted - 2011.02.10 21:32:00 - [90]
 

Edited by: beautyispain on 10/02/2011 21:33:47
A password made of 8 characters (letters (upper and lower), numbers and symbols)
Quote:
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, !, @, #, $, %, ^, &, *, (, ), _, -, =, /, ], [, "


has 1.517.108.809.906.561 (1.57 x 10^15) different combinations

Now let's say everyone will do like you say and fix the first character as an upper case letter and a number at the end; you will have 63.202.738.435.460 (6.32 x 10^13) different combinations ...

Now compare that reduction of security to how easy it is for a computer to run a finite list of words (and combinations of) on accounts, dictionary attacks are the easiest to find passwords and often in first attempt.
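The keyspace arithmetic argued over on this page (Kara Sharalien's 82^7 and "78,000 years", Infinity Ziona's claim that a mandatory capital and digit shrink the search space, and beautyispain's 79^8 versus 26*10*79^6) can be checked with the added Python example below, which is not code from the thread or from CCP. It takes the 79-symbol alphabet and the 0.1 s per guess figure from the posts, and additionally counts, by inclusion-exclusion, how many 8-character strings actually satisfy an "at least one upper, one lower, one digit" rule, which no post on the page computed.

```python
"""Added example: keyspace arithmetic behind the thread's brute-force claims.

Constructed for this page, not taken from the forum or from CCP. Alphabet sizes
follow beautyispain's 79-symbol list; the 0.1 s/guess rate follows Kara's post.
"""
from itertools import combinations

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes as listed on the page (17 symbols, 26 + 26 letters, 10 digits).
UPPER, LOWER, DIGIT = 26, 26, 10
SYMBOLS = len('!@#$%^&*()_-=/]["')  # 17


def keyspace(alphabet: int, length: int) -> int:
    """Number of strings of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def shorter_than(alphabet: int, min_len: int) -> int:
    """Strings of length 1 .. min_len-1 that a minimum-length rule removes from
    the search. Kara's post counted only 82^7 (length exactly 7); a minimum of 8
    really skips every shorter length, so this sums 82^1 through 82^7."""
    return sum(alphabet ** n for n in range(1, min_len))


def with_required_classes(class_sizes, other: int, length: int) -> int:
    """Strings of `length` that contain at least one symbol from every class in
    `class_sizes` (`other` counts symbols of classes that are not required).
    Inclusion-exclusion: start from all strings, subtract those missing one
    required class, add back those missing two, subtract those missing three..."""
    total_alphabet = sum(class_sizes) + other
    k = len(class_sizes)
    count = 0
    for r in range(k + 1):
        for missing in combinations(range(k), r):
            alphabet = total_alphabet - sum(class_sizes[i] for i in missing)
            count += (-1) ** r * alphabet ** length
    return count


def fixed_pattern(first: int, last: int, alphabet: int, length: int) -> int:
    """Strings whose first symbol comes from `first` options and last symbol from
    `last` options, everything between free: the 'Capital first, 1 at the end'
    habit the thread worries about, as beautyispain counted it (26 * 10 * 79^6)."""
    return first * last * alphabet ** (length - 2)


def years_at(attempts: int, seconds_per_attempt: float) -> float:
    """Wall-clock years for `attempts` serial guesses at a fixed per-guess cost."""
    return attempts * seconds_per_attempt / SECONDS_PER_YEAR


if __name__ == "__main__":
    alpha = UPPER + LOWER + DIGIT + SYMBOLS  # 79, the page's alphabet
    full = keyspace(alpha, 8)
    policy = with_required_classes((UPPER, LOWER, DIGIT), SYMBOLS, 8)
    habit = fixed_pattern(UPPER, DIGIT, alpha, 8)
    print(f"all 8-char strings:            {full:,}")
    print(f"meet upper+lower+digit rule:   {policy:,} ({policy / full:.1%} of all)")
    print(f"'Capital...digit' habit only:  {habit:,} ({habit / full:.2%} of all)")
    print(f"82^7 (Kara's skipped guesses): {keyspace(82, 7):,} "
          f"= {years_at(keyspace(82, 7), 0.1):,.0f} years at 0.1 s/guess")
    print(f"all lengths 1..7 over 82 keys: {shorter_than(82, 8):,}")
```

The run shows that the composition rule by itself leaves roughly 60% of the full 8-character keyspace in play, while the predictable "Capital first, digit last" habit is what collapses it to about 4%; the reduction comes from user behaviour, not from the rule.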

