EVE Information Portal
New Dev Blog: Account Security and You!
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 [3] 4 5 6


CCP Sreegs

Posted - 2010.11.19 21:10:00 - [61]
 

Originally by: Furb Killer

It is quite simple, you have to choose which method is the smallest security risk. And if people have access to your house already they can do anything anyway, like installing keyloggers. It is just impossible to expect everyone to have for every different site different logins, with different passes that are all 'good' passwords.


If your house were the only place you used your passwords then I'd agree. It's a difficult issue, to be clear. Oftentimes the recommendation (such as use a different password everywhere) is somewhat unrealistic, which is probably what they're speaking to. I do think though that we can aim for the moon and hope at least some of us breach the atmosphere, which is typically the intent. Were I to say "Eve players, use a unique password for Eve and write it on your monitor" then the second some dude's dorm-mate steals his account I've given bad advice. How you remember your password is a problem as unique to you as how many passwords you need to remember. In an Eve bubble, having a unique password is the best advice I can give.

I'd rather just solve the problem better. No one solution really works for everyone, as is evident by the number of people who have a really hard time remembering the names of their characters. I'm not saying there's anything wrong with them, we're all different dudes, I have to keep a running list of things to do or I forget. I'm just saying that no solution will ever work for everyone, so we need to try to reach the largest subset of people. That's what we were aiming for with the username auth, and what we'll be focusing on with future solutions. The customer experience is ALWAYS a part of the consideration.

CCP Sreegs

Posted - 2010.11.19 21:11:00 - [62]
 

Originally by: Zirator
@ CCP Screegs

I was wondering if the character transfer mechanism can be changed?

I think it's pretty ******ed that I have to give up one of the 2 secret parts of my login credential to receive a character.

Can't it be changed to either the name of a character on the receiving account or a random code that's unique for each account and that can be seen on the account management section of the receiving party?

I'm currently interested in buying a character for one of my accounts but this is keeping me from doing it. And creating a 4th account just to receive characters on and then transferring them to one of my main accounts isn't an option either.

Wondering if you could give us some feedback on this.



I am aware of this issue and will look into it. I can't promise a timeframe or even a change at this point however.

Milo Caman
Gallente
Anshar Incorporated
Posted - 2010.11.19 21:13:00 - [63]
 

Anything in place to stop password guessing/Brute Force and such?

Last I checked, EVE didn't block logins for any amount of time if you got your password wrong 30 times.

The Snowman
Gallente
Aliastra
Posted - 2010.11.19 21:15:00 - [64]
 

Edited by: The Snowman on 19/11/2010 21:20:39
I can offer some good advice for people wondering how on earth to remember so many passwords:

OK, so you realise that writing down your log-in and password ANYWHERE is a risk; as soon as it leaves the security of your brain it is at risk, no matter what measures you use. You can try selecting 3 or 4 passwords that you use for most things, but as the blog points out, any kind of pattern means that if one password is compromised, many other accounts are compromised.

One thing about this method however is remembering your username. Theoretically if someone knows your user name it shouldn't matter, so long as they don't know your password. That's not to say you should use a simple username though. Always use numbers + characters.

So, this method involves using a 'magic' word which only you know, or, if you want to go a step further, multiple magic words.

Rather than explain it, I'll illustrate it.

Let's say your 3 magic words are something like FatEGG22, 1PinkArse2, Nerfdrakesss.

You have magic word 1, magic word 2 and magic word 3. You don't write these words down anywhere but you do know them.

What you do however is make your REAL password something like me1beans. Write this password down ANYWHERE; personally I enter them into a list on my Blackberry.

Anyone looking at this password will think, aha, I have the password, but it doesn't work. Why? Because the REAL password is meFatEGG22beans.

Do you see what I did there? The number 1 in the written-down password actually indicates 'insert magic word 1'.

Now, providing you use this system, you can write down every single password on any piece of paper or anywhere, knowing that it's entirely safe because no one knows your magic words, right?

Trust me, once you employ this method for all your passwords, for anything, not just online accounts, it makes things much easier and you never have to get stressed about forgetting the password. It's kind of like your own personal encryption. My examples are rather complex but the method works even for simple magic words and passwords.

Hope this helps you manage passwords in this modern digital age.


CCP Sreegs

Posted - 2010.11.19 21:15:00 - [65]
 

Originally by: Milo Caman
Anything in place to stop password guessing/Brute Force and such?

Last I checked, EVE didn't block logins for any amount of time if you got your password wrong 30 times.


There are protections for this. There will be more. I can't get into specifics here except to say that what you're saying is known and protections are still in place.

Caldari Citizen4714
Posted - 2010.11.19 21:51:00 - [66]
 

Edited by: Caldari Citizen4714 on 19/11/2010 21:53:37
Originally by: CCP Sreegs
Originally by: BenjaminBarker
Does this mean we're never getting keyfob tokens for account security?


No this does not mean that.
Wow, one of the clearest answers I've ever seen from CCP.

Seriously, I am not being sarcastic. Thanks, we love it when you do that.

My thoughts:

Generally good recommendations, but...

Changing your password frequently is foolish. Look at the list of ways to get your account stolen. It doesn't actually prevent a single one! If you give your login details to someone, they effectively have your items already, or can, in literally seconds. What good is changing it 29.99984 (that gives them 30 days less the five minutes it'll take to clean you out) days later gonna do? Even better, it often leads to writing the password down, which is worse. And everybody with the slightest experience with IT security already knows, everybody just increments a number in their password somewhere (usually on the end) if you make them change it often, so it's pretty annoying and not at all effective, since, if they have an old one, they'll just increment your number (which is always obvious) and keep trying till they get the current one.

Just look at debit cards, how often do you have to change your ATM pin? That's right, never, because it's stupid.

If you really wanted to help, you'd let us save passwords (via one-way hash) in the client again so that we don't risk exposing them to trojans/keyloggers every time we log in instead of just once, or give us optional FOBs.

Recommending changing it frequently is a frantic, desperate, and annoying attempt to force clueless users to not be foolhardy with their computers/logins, and it doesn't work cause the problem is the user is generally unaffected and remains a clueless, foolhardy user.

The people who agree with all these recommendations are already doing them and don't need to be told.

Ugh, security theater < security.

xXxCCxXx
Ray of Matar Assembly
Posted - 2010.11.19 22:32:00 - [67]
 

remove sent buddy invites in the eve account management... that will reduce the number of emails to hack

Hratli Smirks
GoonWaffe
Goonswarm Federation
Posted - 2010.11.19 22:34:00 - [68]
 

Would "onehundredfiftydollarsworthofharmonicas" be a good password?

(CCP Ahuj9)

Ulair Memmet
ORIGIN SYSTEMS
Posted - 2010.11.19 23:11:00 - [69]
 

Sandboxie is pretty awesome. Thanks for that tip :D

adriaans
Amarr
Ankaa.
Nair Al-Zaurak
Posted - 2010.11.19 23:22:00 - [70]
 

Ability to change login name would have been nice for those of us who are extra paranoid :P


Daneel Trevize
Gallente
Posted - 2010.11.20 00:14:00 - [71]
 

Edited by: Daneel Trevize on 20/11/2010 00:24:43
I'd hope the login thing has exponential backoff/delay (I CBA / don't want to risk testing). Plus there's the challenge about logging in from an unknown location and having to name a char on that account.

As a fan of the FOSS way of things, I'd argue there shouldn't be a need to be secretive about the safeguards; security through obscurity doesn't work. If we can see the mechanisms we can see any mistakes and help improve, because currently any attacker could create a throwaway temp account to probe your mechanisms so they can study them anyway. The best encryption mechanisms are fully open; many smart people are constantly trying to show any weakness in the pure time/processing effort required to brute force such systems, or that the implementations differ in vital ways from the theory that's so strong.

Edit: Caldari Citizen4714, a locally stored hash could stop a simple keylogger, but if your client side's compromised, rather than log your password they can retrieve that hash, send it off to their own machines and write a client to use it against the Eve server in lieu of the real client, and still perhaps get the desired ingame action commanded/char info received.

Realistically I think atm you can't really mess with a char via the game client & server other than transfer assets in an easily tracked manner, but while the mechanism for moving complete chars remains via the website and thus not using a hash safeguard, you're still vulnerable to keyloggers for this process even with a client that would securely store passwords for usual gameplay.
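
An added example, constructed for this page and not CCP's implementation (the thread never gives its details), of the two mechanisms discussed in the post above: an exponential back-off on failed logins, keyed by both account name and source address, and a client that caches a hash instead of the password, showing why that cached value is itself a reusable credential once the client machine is compromised. The thresholds, account name, passwords and addresses are assumptions for illustration.

```python
"""Toy login service: exponential back-off per account and per address, and a
cached client-side hash that works as a credential in its own right.
Constructed example; not CCP's code."""
import hashlib
import hmac
import os

FREE_FAILURES = 3          # failures tolerated before back-off begins
BASE_DELAY = 1.0           # seconds locked after the first excess failure
MAX_DELAY = 3600.0         # cap, so an attacker cannot lock an account out forever
KDF_ITERATIONS = 100_000


def client_credential(username: str, password: str) -> bytes:
    """What a 'remember my password' client would cache instead of the password.
    A keylogger no longer sees the password typed, but anyone who reads this
    value off the disk can log in with it just as well (pass-the-hash)."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


class LoginThrottle:
    """Per-key failure counter with exponential back-off.  Keys are tuples such
    as ("user", name) or ("ip", address), so an attacker who rotates one of
    them still runs into the other counter."""

    def __init__(self):
        self._state = {}   # key -> (failure_count, locked_until)

    @staticmethod
    def delay_for(failures: int) -> float:
        if failures < FREE_FAILURES:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - FREE_FAILURES), MAX_DELAY)

    def allowed(self, key, now: float) -> bool:
        _, locked_until = self._state.get(key, (0, 0.0))
        return now >= locked_until

    def record_failure(self, key, now: float) -> None:
        failures, _ = self._state.get(key, (0, 0.0))
        failures += 1
        self._state[key] = (failures, now + self.delay_for(failures))

    def record_success(self, key) -> None:
        self._state.pop(key, None)


class AuthServer:
    def __init__(self):
        self._users = {}   # username -> (salt, verifier)
        self._throttle = LoginThrottle()
        # Dummy record used for unknown accounts, so the time taken to answer
        # does not reveal whether a username exists.
        self._unknown = (os.urandom(16), os.urandom(32))

    @staticmethod
    def _verifier(salt: bytes, credential: bytes) -> bytes:
        # The server stores a slow, salted hash of the client credential, so a
        # leaked server database does not directly yield login credentials.
        return hashlib.pbkdf2_hmac("sha256", credential, salt, KDF_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._verifier(salt, client_credential(username, password)))

    def login(self, username: str, credential: bytes, source_ip: str, now: float) -> str:
        keys = (("user", username), ("ip", source_ip))
        if not all(self._throttle.allowed(k, now) for k in keys):
            return "throttled"                  # rejected before any hashing work
        salt, verifier = self._users.get(username, self._unknown)
        if hmac.compare_digest(verifier, self._verifier(salt, credential)):
            self._throttle.record_success(("user", username))   # the address keeps its count
            return "ok"
        for k in keys:
            self._throttle.record_failure(k, now)
        return "denied"


def demo() -> list:
    """Online guessing from one address, then a login with a stolen cached hash."""
    server = AuthServer()
    server.register("pilot", "correct horse battery staple")
    attacker_ip = "203.0.113.7"                 # constructed address
    results = []
    for guess in ["hunter2", "password", "letmein", "eve123"]:
        results.append(server.login("pilot", client_credential("pilot", guess), attacker_ip, 0.0))
    results.append(server.login("pilot", client_credential("pilot", "eve1234"), attacker_ip, 0.5))
    results.append(server.login("pilot", client_credential("pilot", "eve1234"), attacker_ip, 1.0))
    # The cached hash read off the victim's machine works from anywhere,
    # without the attacker ever learning the password.
    stolen = client_credential("pilot", "correct horse battery staple")
    results.append(server.login("pilot", stolen, "198.51.100.9", 10.0))
    return results


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'denied', 'throttled', 'throttled', 'denied', 'ok']
```

The throttle answers "throttled" before doing any key-derivation work, so it also bounds the CPU an attacker can burn, and the dummy record keeps the response time the same for unknown and known accounts. The last line of the demo is the point made in the post: the server never sees the password, only the cached value, so whoever copies that value off the client has everything the real client has.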

Zex Maxwell
Caldari
Posted - 2010.11.20 00:29:00 - [72]
 

Edited by: Zex Maxwell on 20/11/2010 00:35:09
CCP Sreegs, I'd like to note that if you do do the external key thingy, keep in mind that some of us have more than one account. I really don't want to buy 3 separate keys for the 3 accounts that I own.

To other players: LastPass is also something you guys can look into. It keeps your passwords in an encrypted database on the web, so all you need to know is your master STRONG password.

Uh, I forgot. There are also Facebook ads that say "CLICK HERE TO KNOW THE SERCETS OF EVE!" Any way to tell Facebook to pull those damn ads that the ISK sellers make?

CCP Sreegs

Posted - 2010.11.20 00:47:00 - [73]
 

Originally by: Zex Maxwell
Edited by: Zex Maxwell on 20/11/2010 00:35:09
CCP Sreegs, I'd like to note that if you do do the external key thingy, keep in mind that some of us have more than one account. I really don't want to buy 3 separate keys for the 3 accounts that I own.

To other players: LastPass is also something you guys can look into. It keeps your passwords in an encrypted database on the web, so all you need to know is your master STRONG password.

Uh, I forgot. There are also Facebook ads that say "CLICK HERE TO KNOW THE SERCETS OF EVE!" Any way to tell Facebook to pull those damn ads that the ISK sellers make?


If we were to engage in what you are proposing with two factor auth then multiple accounts would certainly be a concern. I'm not going to endorse any particular app that doesn't exist on your own machine because... well they have access to your stuff now. I'd prefer to store my stuff locally personally. I can't speak to how we might deal with any particular company's ads. That's a Legal thing.

Dav Varan
Posted - 2010.11.20 00:50:00 - [74]
 

Originally by: Thyme Wasted
Originally by: Dav Varan
Edited by: Dav Varan on 19/11/2010 17:36:50

PERMA BAN PEOPLE WHO SUPPORT RMT.



People who buy ISK from RMTers are the root cause of account theft.

No customers to sell ISK to for $ = no point in stealing account info.

Scare people away from RMT by promising them that if they are caught ALL their accounts will be deleted and they will be permanently banned from EVE.



Great idea, then we can use CCP as a personal hitsquad service:
1) purchase several billion isk from an RMT site using a trial / plex activated acct.
2) distribute it to anyone / corps you don't like.
3) laugh as your enemies and their assets are removed from Eve by CCP.

Why not just have PLEX for bans?



So simple to fix.
Do cash transfers like contracts.
Both sides have to agree to the transfer.

BenjaminBarker
Posted - 2010.11.20 01:13:00 - [75]
 

Originally by: Dav Varan
Originally by: Thyme Wasted
Originally by: Dav Varan
Edited by: Dav Varan on 19/11/2010 17:36:50

PERMA BAN PEOPLE WHO SUPPORT RMT.



People who buy ISK from RMTers are the root cause of account theft.

No customers to sell ISK to for $ = no point in stealing account info.

Scare people away from RMT by promising them that if they are caught ALL their accounts will be deleted and they will be permanently banned from EVE.



Great idea, then we can use CCP as a personal hitsquad service:
1) purchase several billion isk from an RMT site using a trial / plex activated acct.
2) distribute it to anyone / corps you don't like.
3) laugh as your enemies and their assets are removed from Eve by CCP.

Why not just have PLEX for bans?



So simple to fix.
Do cash transfers like contracts.
Both sides have to agree to the transfer.



Right, cause when you send someone a stack of cash for nothing they're going to decline it?

Bomberlocks
Minmatar
CTRL-Q
Posted - 2010.11.20 01:36:00 - [76]
 

Good blog there Sreegs.

Ashemi Darkhold
hirr
Morsus Mihi
Posted - 2010.11.20 01:53:00 - [77]
 

Originally by: Chribba
I would still very much like to be able to lock my accounts to my static IP...

/c


1000x this

Tres Farmer
Gallente Federation Intelligence Service
Posted - 2010.11.20 02:22:00 - [78]
 

Edited by: Tres Farmer on 20/11/2010 02:45:29
Space Dragons?
Not sure if OP is seriouz?!

Also onTopic:
- I would like to have a switch for my accounts to set a freeze period for char transfers FROM my account of let's say 15-30 days at least (same way disintegrating your char works, just longer)
- I would like a special wallet division for my chars that allows ISK transfers FROM it with a delay involved, 24-48 hours maybe (like when you want to get a big pile of cash from your RL bank account, you have to tell them 1-2 days upfront)
- I demand different passwords for the forums vs. the game (it also doesn't help that I have to log back into the forums every XX minutes; thank god Firefox at least keeps the login details, otherwise I wouldn't bother with Eve-O at all!!!)

Kolatha
Posted - 2010.11.20 02:58:00 - [79]
 

One further piece of advice for those who use GMail.

Check the last account activity.

A quick guide here

Check it regularly, particularly if you use your gmail account for pretty much everything.

Comstr
Bat Country
Goonswarm Federation
Posted - 2010.11.20 03:16:00 - [80]
 

What does Sreegs mean?

On topic, I would use an iPhone key generator if it was available.

Considering the amount of customer service time hacking takes up, next time you sell a boxed copy of Eve, add in a free key generator in the box- it will probably get existing players to buy it too. of course, allow people to buy it separately from the website. And a lot of people will use smart phones anyway.

Will you be working against the botters and RMTers too?



De'Veldrin
Minmatar
Norse'Storm Battle Group
Intrepid Crossing
Posted - 2010.11.20 03:16:00 - [81]
 

Originally by: Aiko Intaki
1. Have someone at CCP with an android/iOS smartphone subscribe to WoW.
2. Have said person enable the added 1-time passkey account security feature.
3. Start WoW, Start App.
4. Log into WoW character to see how the 1-time passkey feature works.
5. Apply your new experience to EvE.

DO: Make smartphone apps to generate 1-time passkeys (99% of users).
DO: Sell key generating fobs like Blizzard does for those with 'dumbphones'.

Extra Credit: Give away a free, otherwise unobtainable in-game vanity ship to any account which activates this added security feature for the first time. (WoW, for instance, gives away a mini-Cerberus pet.)

Make it so.


This

(This)^(n^2) where n is (Chribba's Wallet + GDP-Jita) in ISK.

Shade Millith
Caldari
Macabre Votum
Morsus Mihi
Posted - 2010.11.20 05:00:00 - [82]
 

Recently, I was going to change my PW's, for both my accounts.

I then discovered that I would also be required to use a capital letter, in addition to a number.

So I didn't.

Putting restrictions on PWs doesn't help keep accounts secure, it just means that I'm more and more likely going to HAVE to write the PW down somewhere. Along with the 30 other PWs and accounts.

This kind of 'defence' does nothing to shield from a keylogger. And I doubt bruteforcing a PW would work at all; considering the amount of effort you're using to scream to protect our accounts, I'd imagine you'd have a limit of logins before an alarm goes off.

TL;DR I'm sick of your PW limitations, and I'm less secure because of them. They either don't help, or CCP's security is poorly thought out.


Sturmwolke
Posted - 2010.11.20 05:42:00 - [83]
 

Have you considered the idea of hooking up the EVE client login to well-known password management programs like KeePass (or anything similar)? In fact I wouldn't mind a client that features automated password management for multiple logins, locked down with a master password.

Almost half the bullets relate to how the customers manage their logins and passwords. You also know that it's virtually an impossible task (well not literally, but very difficult) to keep each one unique in face of all the other website logins out there. The above would naturally improve customer experience and lessen the impact if you were to implement a mandatory password change every 3 months (1-2 month is too severely disruptive).

Two-factor authentication will (almost) eliminate the common weaknesses, but it's not without costs (both hardware and customer support) and you're still dilly-dallying about it. I'd just like to leave a note: at this point in time, the prevalent perception is that CCP is passively doing nothing except dispensing verbal advice, which may/will be read, but eventually forgotten or ignored. You need to be more concrete.

Dominatus Crispus
Nation of Muppets
Posted - 2010.11.20 06:01:00 - [84]
 

Originally by: adriaans
Ability to change login name would have been nice for those of us who are extra paranoid :P
^^ this ;)

El Mauru
Amarr
Interwebs Cooter Explosion
Important Internet Spaceship League
Posted - 2010.11.20 06:09:00 - [85]
 

This is me posting to applaud this blog and mentioning that my account has once been "hacked" by guessing obvious passwords and that CCP reacted in a pretty decent way regardless of some time-related inconsistencies.

Hope you keep up your work on both sides of the fence.
M.

ceaon
Posted - 2010.11.20 06:26:00 - [86]
 

link related to blog and stuff
http://www.youtube.com/watch?v=PWvHcoqru7I take a look from minute 24

timmus
Posted - 2010.11.20 06:30:00 - [87]
 

I was hacked today. Someone got into my account, sold my stuff, and put my character on the auction block. I'm still trying to get him off the auction block, and wondering if changing my passwords is enough. I've played Eve the same way for 7 years. I don't buy ISK, I don't buy characters. I don't know how I got hacked but I did. Felt like someone broke into my home. Any chance I'm going to get any ships/items back? Would be nice to hear back on my petitions sooner rather than later. I've picked Eve over a lot of old girlfriends. I hope some hacker can't come in and ruin everything...

Birds Away
Posted - 2010.11.20 07:25:00 - [88]
 

Of course, following the guidelines in the blog grants no immunity from being arbitrarily permabanned by CCP.

free karttoon.

SXYGeeK
Gallente
do you
Posted - 2010.11.20 07:33:00 - [89]
 

Thanks Sreegs!!!
It's good to see someone dedicated to security.

The topic of multi-factor authentication has been discussed quite a bit.
I have been pushing the topic in the Assembly hall, some discussion here...
http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1394382

I do believe that as far as protecting individual accounts goes, multi-factor auth may be the single best thing we could have added as an option to secure our accounts.
hardware keys, smartphone apps, even email/sms based, a combination of these options to allow us to decide what works best to secure our accounts as an individual.

I look forward to reading more, keep it coming Sreegs!

Lost Hamster
Hamster Holding Corp
Posted - 2010.11.20 08:01:00 - [90]
 

Originally by: CCP Sreegs
Originally by: Zirator
@ CCP Screegs

I was wondering if the character transfer mechanism can be changed?

I think it's pretty ******ed that I have to give up one of the 2 secret parts of my login credential to receive a character.

Can't it be changed to either the name of a character on the receiving account or a random code that's unique for each account and that can be seen on the account management section of the receiving party?

I'm currently interested in buying a character for one of my accounts but this is keeping me from doing it. And creating a 4th account just to receive characters on and then transferring them to one of my main accounts isn't an option either.

Wondering if you could give us some feedback on this.



I am aware of this issue and will look into it. I can't promise a timeframe or even a change at this point however.


Why not to use the "User ID", which is in the API page?
You don't need to implement any new thing. It's already heavily used by the users, so I think that would be an easy change.




 

