EVE General Discussion
Eve Passwords MUST contain a capital letter
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 [2]


Matalino
Posted - 2011.03.11 03:14:00 - [31]
 

Key points in this thread:

Originally by: Aessoroz
Five bucks that 90% of users are making the first letter capital or the last one, thus negating any potential security gains and just ****ing off users.
+1

Originally by: Lothris Andastar
A Password that can POSSIBLY have an all lower case password is harder to crack than a Password where one letter is CERTAINLY a Capital Letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less work for any attacker to try and find the password.

Add to the fact that a grand total of zero accounts are compromised by brute force attacks (they are compromised via keyloggers because naughty people buy isk), this has zero impact on account security and just annoys people.
+2

Given that the effect of requiring a mixed case password is to protect against a form of attack that doesn't work (if real preventions are put in place), and it still doesn't even help prevent that, then why bother annoying your users?

Originally by: CCP Adida
It helps with your account security.
No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.


Originally by: Awesome Possum
On a related issue, I dislike the fact that CCP keeps a record of peoples' old passwords. What should happen if that fell into the hands of the "bad people"? Once I change my password, there should be no record or indication of what it was in your files.
They probably don't store your password. They store a hash of your password. Getting the list of past password hashes will not give their past passwords.



Fondon
Posted - 2011.03.12 01:01:00 - [32]
 

Originally by: Matalino
No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.



Time needed to crack a password:

8 characters, just lower case: 4 days.
8 characters mixing lower and capital letters: 4 years.
Add some numbers and you'll need more than 100 years.
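The arithmetic behind the two claims above (Lothris Andastar's "you eliminate the billions of all lower case passwords" and Fondon's 4-days-versus-4-years estimate), as an added example that is not from the thread. The guess rate is a constructed figure, picked so that 8 lower-case letters take exactly 4 days; it is not a measurement of any real login system.

```python
"""Keyspace sizes for the 'must contain a capital letter' rule (added example)."""

LOWER = 26
UPPER = 26


def keyspace(alphabet: int, length: int) -> int:
    """Number of strings of `length` characters over `alphabet` symbols."""
    return alphabet ** length


def keyspace_at_least_one_upper(length: int) -> int:
    """Mixed-case letter strings that contain at least one capital:
    every mixed-case string minus the all-lower-case ones the rule forbids."""
    return keyspace(LOWER + UPPER, length) - keyspace(LOWER, length)


def case_variants_with_capital(word: str) -> int:
    """How many spellings of `word` differ only in letter case and hold a capital.
    Each letter is upper or lower; drop the single all-lower-case spelling."""
    letters = sum(c.isalpha() for c in word)
    return 2 ** letters - 1


def policy_effect(length: int, guesses_per_second: float) -> dict:
    """Compare the three sets the thread argues about, at a given guess rate."""
    all_lower = keyspace(LOWER, length)
    mixed = keyspace(LOWER + UPPER, length)
    forced = keyspace_at_least_one_upper(length)
    day, year = 86400, 365 * 86400
    return {
        "all_lower": all_lower,
        "mixed_case": mixed,
        "mixed_case_with_required_capital": forced,
        # share of the mixed-case space the rule removes (1/256 for 8 letters)
        "fraction_removed_by_rule": (mixed - forced) / mixed,
        "days_all_lower": all_lower / guesses_per_second / day,
        "years_required_capital": forced / guesses_per_second / year,
    }


# Constructed rate: exhaust 8 lower-case letters in 4 days, as in the post above.
GUESSES_PER_SECOND = keyspace(LOWER, 8) / (4 * 86400)

if __name__ == "__main__":
    for name, value in policy_effect(8, GUESSES_PER_SECOND).items():
        shown = f"{value:,.4g}" if isinstance(value, float) else f"{value:,}"
        print(f"{name:>36}: {shown}")
    print("case-only spellings of 'password' with a capital:",
          case_variants_with_capital("password"))
```

At that rate the "at least one capital" space takes 255 times as long as the all-lower-case one, about 2.8 years, which is the same order of magnitude as the figure quoted above; the rule itself removes only 1/256 of the mixed-case space, so the "fewer passwords to try" objection is numerically tiny for random passwords.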


Alotta Baggage
Amarr
Imperial Shipment
Posted - 2011.03.12 01:08:00 - [33]
 

My password is 27 characters with capitals, numbers, and "special" characters

Ban Doga
Posted - 2011.03.12 01:18:00 - [34]
 

Originally by: Lothris Andastar
Actually, CCP Adida, it Weakens account security.

A Password that can POSSIBLY have an all lower case password is harder to crack than a Password where one letter is CERTAINLY a Capital Letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less work for any attacker to try and find the password.

Add to the fact that a grand total of zero accounts are compromised by brute force attacks (they are compromised via keyloggers because naughty people buy isk), this has zero impact on account security and just annoys people.


You only need 100 words to contradict yourself.
That's what I call true skill...

Infinity Ziona
Minmatar
Cloakers
Posted - 2011.03.12 01:29:00 - [35]
 

Originally by: Fondon
Originally by: Matalino
No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.



Time needed to crack a password:

8 characters, just lower case: 4 days.
8 characters mixing lower and capital letters: 4 years.
Add some numbers and you'll need more than 100 years.



Brute forcing is not necessarily attempting every permutation. It's more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.

Linkage

Notice that, across those 3 sites, around 800 people were using "password" as their password.... people are lazy; they'll usually use easy-to-guess common words.

If you want to steal non-specific accounts you don't want to steal the hardest-to-guess accounts, you want to steal the easy-to-guess accounts.

Basically all CCP's enforcing of capital letters will do is make the difficult to guess passwords difficult to guess (no change) and the easy to guess passwords (password) will become easy to guess (Password). No changes.

Ban Doga
Posted - 2011.03.12 01:34:00 - [36]
 

Originally by: Infinity Ziona
Brute forcing is not necessarily attempting every permutation. It's more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.


You might want to read http://en.wikipedia.org/wiki/Brute-force_attack and http://en.wikipedia.org/wiki/Dictionary_attack

Alotta Baggage
Amarr
Imperial Shipment
Posted - 2011.03.12 02:11:00 - [37]
 

Originally by: Infinity Ziona
Originally by: Fondon
Originally by: Matalino
No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.



Time needed to crack a password:

8 characters, just lower case: 4 days.
8 characters mixing lower and capital letters: 4 years.
Add some numbers and you'll need more than 100 years.



Brute forcing is not necessarily attempting every permutation. It's more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.

Linkage

Notice that, across those 3 sites, around 800 people were using "password" as their password.... people are lazy; they'll usually use easy-to-guess common words.

If you want to steal non-specific accounts you don't want to steal the hardest-to-guess accounts, you want to steal the easy-to-guess accounts.

Basically all CCP's enforcing of capital letters will do is make the difficult to guess passwords difficult to guess (no change) and the easy to guess passwords (password) will become easy to guess (Password). No changes.


Unless they throw 'passwoRd' at you

Infinity Ziona
Minmatar
Cloakers
Posted - 2011.03.12 02:23:00 - [38]
 

Edited by: Infinity Ziona on 12/03/2011 02:28:33

Originally by: Ban Doga
Originally by: Infinity Ziona
Brute forcing is not necessarily attempting every permutation. It's more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.


You might want to read http://en.wikipedia.org/wiki/Brute-force_attack and http://en.wikipedia.org/wiki/Dictionary_attack


In practice, not a bit of difference. Spamming a server with lists or random characters has the exact same effect.

Originally by: Alotta Baggage

Unless they throw 'passwoRd' at you

Well, we know that there's a requirement for at least 1 capital. So we try all permutations of the word with at least 1 capital and more.

Password
pAssword
.
.
and eventually we come to
passwoRd.

Ban Doga
Posted - 2011.03.12 02:32:00 - [39]
 

Edited by: Ban Doga on 12/03/2011 02:34:02
Originally by: Infinity Ziona
Originally by: Ban Doga
Originally by: Infinity Ziona
Brute forcing is not necessarily attempting every permutation. It's more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.


You might want to read http://en.wikipedia.org/wiki/Brute-force_attack and http://en.wikipedia.org/wiki/Dictionary_attack


In practice, not a bit of difference. Spamming a server with lists or random characters has the exact same effect.


Except that "brute force" is exactly trying every possible combination.
So if you don't try every possible combination and rather follow lists, that's - by definition - not using brute force.

That's like saying something is blue except that it's not blue.

Max Romeo
Posted - 2011.03.12 03:08:00 - [40]
 

If you've ever bruted casual players'/forums' hashes, you generally know that you're going to try the simple strats before you go onto anything complex. Usually starting with doing a pass of 'numerals only' over the search-space length of the locale's cellphone number length (if you know it). This should pick up the tards that use dates/landline/mobile numbers. (12% of the compsci students at a uni I have worked with used full numerals... heh :/) Then you go for a list of common keyboard patterns followed by the traditional bulk wordlists + special permutations of each (concatenations, all caps, no caps, l33t etc). You'll seldom bother with crawling caps and stuff as the hit rate is pretty low. Finally you eliminate as much from the search-space as possible (and add in any rules, i.e. 1+ caps) to come up with your optimal search-space and go brute it. Once you're here you'll most likely have hit 60-70% of your hashes in a matter of maybe 5-6 hours.

This however is not to say that bruting massive hash lists, but rather to show that you should not think of security policies as 'my account is strong' but rather of the whole population of accounts and how non-exact definitions (based on arb statistics) can lead to very large scale successes. Since eve passwords have for a long time (and may still) exclude a number of ascii characters already (unless the owners don't like to be able to log into the site?) you can exclude those pretty safely; adding in that you now have to have 1+ capital characters, you can also exclude things like 'only numbers'. Since we're working with a slowish network resource and we want minimal abuse you can increase the bias of right-handed starting/ending capitalized words, since the largest part of the population will most likely follow that slight trend. You'd be surprised how many places force 'two numbers' as a requirement: 55% of the time those are either going to be the first or last two characters, about 10% they'll be between two dictionary words, and it increases the number of tards that use all numerals, which is effectively the smallest standard search space ;/

In short: if you're designing an authentication system give as few clues away as possible and rather do periodic strength testing (i.e. not abusable, instantly statistically rewarding) against good word lists and simple bruting methods. While people can cry that staff might then see the plaintext, staff could always just take the hash home with them... it's a moot point in my book, and imposing a "no terrible passwords" policy is more than acceptable since it reduces support time. Even better is offering accounts that get repetitively hit an option to change username to avoid it, as well as lockout policies; after all, it is their account.

Barakkus
Posted - 2011.03.12 03:16:00 - [41]
 

Edited by: Barakkus on 12/03/2011 03:17:36
Originally by: Max Romeo
If you've ever bruted casual players'/forums' hashes, you generally know that you're going to try the simple strats before you go onto anything complex. Usually starting with doing a pass of 'numerals only' over the search-space length of the locale's cellphone number length (if you know it). This should pick up the tards that use dates/landline/mobile numbers. (12% of the compsci students at a uni I have worked with used full numerals... heh :/) Then you go for a list of common keyboard patterns followed by the traditional bulk wordlists + special permutations of each (concatenations, all caps, no caps, l33t etc). You'll seldom bother with crawling caps and stuff as the hit rate is pretty low. Finally you eliminate as much from the search-space as possible (and add in any rules, i.e. 1+ caps) to come up with your optimal search-space and go brute it. Once you're here you'll most likely have hit 60-70% of your hashes in a matter of maybe 5-6 hours.

This however is not to say that bruting massive hash lists, but rather to show that you should not think of security policies as 'my account is strong' but rather of the whole population of accounts and how non-exact definitions (based on arb statistics) can lead to very large scale successes. Since eve passwords have for a long time (and may still) exclude a number of ascii characters already (unless the owners don't like to be able to log into the site?) you can exclude those pretty safely; adding in that you now have to have 1+ capital characters, you can also exclude things like 'only numbers'. Since we're working with a slowish network resource and we want minimal abuse you can increase the bias of right-handed starting/ending capitalized words, since the largest part of the population will most likely follow that slight trend. You'd be surprised how many places force 'two numbers' as a requirement: 55% of the time those are either going to be the first or last two characters, about 10% they'll be between two dictionary words, and it increases the number of tards that use all numerals, which is effectively the smallest standard search space ;/

In short: if you're designing an authentication system give as few clues away as possible and rather do periodic strength testing (i.e. not abusable, instantly statistically rewarding) against good word lists and simple bruting methods. While people can cry that staff might then see the plaintext, staff could always just take the hash home with them... it's a moot point in my book, and imposing a "no terrible passwords" policy is more than acceptable since it reduces support time. Even better is offering accounts that get repetitively hit an option to change username to avoid it, as well as lockout policies; after all, it is their account.



Fortunately the attackers in this case won't have password hashes to attempt to compare. None of that really matters when you can't actually get at the hashes to begin with. When you have to manually attempt to log in with tons of combinations, regardless of whether they tell you that you have to have at minimum (minimum being the operative word) one capital, it will not aid the attacker one iota in the case of EVE Online. It may be useful information in other circumstances, but not in this case.

edit: before someone starts going off on "manually" I'm talking about either a user sitting there typing a password OR a program that automates the login attempts...

Kazuo Ishiguro
House of Marbles
Posted - 2011.03.12 11:24:00 - [42]
 

Edited by: Kazuo Ishiguro on 12/03/2011 16:40:24
Originally by: Infinity Ziona
Originally by: Barakkus
I'm not suggesting that, I'm suggesting that the requirement of at least 1 uppercase character does not reduce the number of combinations that can be used for a brute force attack.

This is so wrong it's ridiculous and can only be a troll.

Requiring a single capital letter reduces possible permutations because it eliminates every permutation that consists of only lowercase and every permutation that consists of lowercase and numeric characters.

I think the point Barakkus is trying to make here is that without the requirement, the majority of people would stick to lowercase and numeric characters only. Requiring 1 uppercase character significantly increases the range of passwords that have a chance of getting used.

If I'm required to set a password for a relatively unimportant system, I default to the shortest, simplest one that the system will allow. I expect a lot of other people do the same, through sheer password fatigue.

The Old Chap
Posted - 2011.03.12 11:51:00 - [43]
 

Originally by: Alotta Baggage
My password is 27 characters with capitals, numbers, and "special" characters


ThAtS a LoT oF bAgGaGe.

