open All Channels
seplocked EVE General Discussion
blankseplocked Keyloggers? And save password button? Whats the point?
 
This thread is older than 90 days and has been locked due to inactivity.


 
Author Topic

Gone2mars
Amarr
Viziam
Posted - 2003.07.11 16:52:00 - [1]
 

Er... Just seen this new patch.. And they've got rid of the "Save Password" button? WTF?

I'm guessing that it's bacause of all this nonsense about Keyloggers and Trogens?

Umm... has no one noticed that you've made the situation worse?? LEts put this simply... you have two types of program,

The first, a Trogen hides on your computer and opens the "Prefs.ini", goes to the line that stores your ENCRYPTED password and sends it to the user..

The Second file, A Keylogger waits for the user to open their Eve window (Easy to look for) and Keylogs anything that they type...

Surely the more common of program will surely be a Keylogger... Which from a programmers point of view, is simple to do! Surely by taking away the Save password, Your encouraging people to type their password in EVERYTIME they log in and hence making it easy for a simple keylogger to grab your password? Which wouldn't have before when you had the save password feature?

Also, A Trogen as i hinted earlier, to get a password from the Prefs.ini on your harddrive, would have to break the Encyption... and to be fair, seeing as this is a service that were paying for, surely this would be some Heavy encryption anyway??

So surely, CCP, without having a flame, instead of just quickly fixing the problem and making it worse... why in the next patch, don't you just improve your encryption and put the Save password function back!?!?


Jean Francois
Posted - 2003.07.11 18:20:00 - [2]
 

Any self respecting programmer can decrypt this "encrypted" password.

The EVE client does it for you...

It just takes a little reverse engineering.

If someone has gone to the trouble of doing this, then they sure as hell will be capable of coding a keylogger too.

On the flipside of this, if this new "feature" saves just one person of his months work of game time from some spotty little freak who steals everything, then I saw it is a good thing.

Its not so annoying to type in my password.

Akara
Minmatar
Posted - 2003.07.11 18:33:00 - [3]
 

damn those self-respecting sha1 decrypters...

Yatar Kindoki
Caldari
H.Y.D.R.A.
Posted - 2003.07.11 18:58:00 - [4]
 

Never heard of one-way encryption?

Also, your client doesn't decrypt the password, it's simply compared to the value the server gets when it encrypts your stored password there (big chance the original password isn't stored at all in the DB, just the encrypted version...).

BSOD
Gallente
Calista Industries
Posted - 2003.07.11 19:00:00 - [5]
 

Coding a keylogger is a LOT harder than coding a program to grab a file in a known location. Same for getting a keylogger installed without someone noticing it vs. a program that runs once, grabs the file, and then deletes itself.

One doesn't need to decrypt the password to use it. Just put the encrypted password in your prefs.ini and you're good to go. (Well, that was all that would've been needed before the change.)

Keep in mind that in the past there were LARGE numbers of IE (and some Netscape) exploits that would allow for a file in a known location to be read, but not for any software to be installed.

Klydor
Minmatar
Posted - 2003.07.11 19:01:00 - [6]
 

Keyloggers or tojons that rip the password from prefs.ini are both easy to create. However ini file readers are even easier than keyboard loggers... I can create a program to read an ini file and email the contents or tunnel the contents through existing traffic in no time. (only the tunneling part takes time to add) A key logger takes a bit longer due to the different OS's 98,95,xp, etc that can pose problems.


Encryption isn't worth a damn. you don't need to decrypt the passy in order to reuse it. It could be the worlds best one way cipher in use, but you could still copy it and put it in your prefs.ini and steal there stuff.

At least key loggers have to be running all the time in order to have a chance of grabbing your passy, ini file stealers just run once copy the file contents send it out and remove themselves.

Before patch both methods worked, post patch only the keylogger will... at least thats one down. The 2nd they can do nothing about and to be honest I'd be more concerned about the keylogger loggin my credit card number than I would my eve account password.





Edited by: Klydor on 11/07/2003 19:03:42

Edited by: Klydor on 11/07/2003 19:05:10

Scragg
Caldari
Tyrell Corp
INTERDICTION
Posted - 2003.07.11 19:04:00 - [7]
 

I would think key loggers would be easier to detect since they all work esentiually the same way and I think many antivirus progarms should be able to pick them up. There are several ways to make a program that can pick out your password from the ini.

Their answer is not 100% bullet proof but it does solve some problems. You can't remotely grab the password from the ini, rommates, family memebrs etc.. cant log in dork with your account when your not around.

Oh.. and the feature is still there to enable the password saving. Go figure our how to turn it on.

The bottom line... a good anti-virus program, a good personal firewall program, and some comon sense are your BEST defense from hackers. The next line of defense is a reasonably secure client and game. What they have done is a step in that direction.




Lexington Cabot
Minmatar
Brutor Tribe
Posted - 2003.07.11 19:13:00 - [8]
 

Because they finally learned what every other MMO out there has. You can't have a save password feature or it opens people up to being hacked.

Most people that own computers don't have firewalls. Most people that own computers don't update their virus software or virus definitions. I know it sounds insane but ask around, and you'll notice in general that people aren't good with keeping their pc secure.

I know that it can be argued a keylogger is not that much more different, it can get your password. But it is even easier with the password save feature and the company is off the hook for the blame for you being hacked. It doesn't stop the good hackers from getting your password, it stops the amatuers. It's the same reason you lock your car doors. Locking them won't stop a good thief, but it will someone who's not very good. Cutting off the password save feature stops the best and easiest route to getting your account and password stolen.

I don't know why this is such a big issue. It takes about a second or two more to type in a password. If you play UO, you have to type in your password. Same with DAOC, same with SB.

Akara
Minmatar
Posted - 2003.07.11 19:26:00 - [9]
 

if the aim of all this was to protect people from having their prefs.ini's copied/read - you'd think they'd delete the saved password from prefs.ini wouldn't you?

Molly
Gallente
Doomheim
Posted - 2003.07.11 20:07:00 - [10]
 

Gone2mars,

add "networkAdvanced=1" to your prefs.ini and stop the whining.

Hoar
Amarr
Hoar Corp
Posted - 2003.07.11 20:14:00 - [11]
 

do what i do,
dont enter ya correct password, then the nasty hackers wont be able to log in

Jean Francois
Posted - 2003.07.11 20:41:00 - [12]
 

"Also, your client doesn't decrypt the password, it's simply compared to the value the server gets when it encrypts your stored password there (big chance the original password isn't stored at all in the DB, just the encrypted version...)."

Ever wonder how it knew how many characters your password was, by the number of stars?

*If* like you say, its not stored on the database, how did you log into this forum? ;)

flax0r
Minmatar
Brutor Tribe
Posted - 2003.07.11 20:41:00 - [13]
 

I think Lexington Cabot is 100% right. But I may add that a computer that is connected directly to the internet without any kind of protection ( READ : FIREWALL PROPERLY CONFIGURED ; READ : UPDATED ANTIVIRUS ) is very hmm.. bold ?

I think it wouldn't be so bad if the only problem resulting of bad general security on a computer is the EVE account owned by a keylogger :) Being a FTP or IRC server with tons of bandwith going on without you knowing anything can be a bit worse. Even worse when your ISP send the bill in :P

Fneb
Minmatar
Posted - 2003.07.12 01:35:00 - [14]
 

The curious part about this change is that my password is still in the prefs.ini file. Good idea, poor implementation.

Alvin
Posted - 2003.07.12 01:50:00 - [15]
 

"your client doesn't decrypt the password, it's simply compared to the value the server gets when it encrypts your stored password there"

If this were the case, the encryption does nothing for you; the encrypted form IS the password. No one cares what the plaintext required to create the encrypted form is. It's a match of the ciphertext that gets you in. For that matter, there's be no reason for the server to encrypt your password every time. You would just encrypt them all once, and store that result for later comparison.

And grabbing the encrypted form from a disk file means you can send the encrypted form to the server, and have the password match. You don't need to know the plaintext and do the encryption if you've already got the result of the algorithm.

You do one-way encryption on the server side to protect against your database of passwords being stolen, when the passwords are sent in the clear (or encrypted with some other method). If the server accepted encrypted passwords, then theft of the server database would give you the right answer for all passwords.

You would encrypt on the client side before transmitting to guard against packet sniffing. You do not encrypt on the client side to guard against the file being stolen, because there's no way to tell the difference between the password that's just been typed in, encrypted, and sent, and the password that's been stored (encrypted), stolen, and sent. But if the correct answer does not change each time, you are vulnerable to a replay attack.

To guard against replay attacks, the usual answer is to incorporate the date/time or a random challenge value from the server in the response. The password itself isn't sent, it's used as part of the key to produce the response that is sent. The server also calculates this response. A matching response demonstrates that not only do you know the challenge data, you have possession of the secret key. Possession of the response data, however, cannot be reversed to produce the key.




 

This thread is older than 90 days and has been locked due to inactivity.


 


The new forums are live

Please adjust your bookmarks to https://forums.eveonline.com

These forums are archived and read-only