EVE General Discussion
CCP's Password Requirements may reduce security
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 [2] 3 4 5


Niccolado Starwalker
Gallente
Shadow Templars
Posted - 2011.02.06 20:02:00 - [31]
 

Originally by: masternerdguy
This has probably been brought up before, but in the old password system people could choose any password they wanted. Now you need a capital letter and a numeric character.

Since most people are probably going to capitalize the first letter and add a 1 or something to the end, doesn't this lower account security? Also, doesn't it make an old password from before the changes more secure against brute forcing?


I guess that means your password would be Masternerdguy1 ?


T'Laar Bok
Posted - 2011.02.06 20:07:00 - [32]
 

Originally by: Jenny Spitfire
I am sure you can buy a reception booster from your mobile provider.


They're illegal in AU and if they weren't I wouldn't pay around $800-$1000 just to get a password from CCP.

Originally by: Jenny Spitfire
Alternatively, CCP can send validation code through email first to authenticate.


I really think you're sitting back in your chair just giggling yourself silly thinking up the most stupid ideas you can and watching people respond.

Jenny Spitfire
Caldari
Posted - 2011.02.06 20:09:00 - [33]
 

Originally by: masternerdguy
Originally by: Jenny Spitfire
Edited by: Jenny Spitfire on 06/02/2011 19:42:24
Originally by: Mikalya
Unfortunately none of these would be effected by the password requirement change.


But fortunately, the mobile authentication would work on those scenarios, wouldn't it?


My mobile bill would stack to the sky if I had to call iceland for a password.


But if you read what I mentioned earlier, CCP sends you a text when you click on an Authenticate Me button on the web login page. CCP sends you an SMS with a new validation code that is valid for an hour. In that hour, you can log in as many times as you like without revalidation. After that, you will need a new validation code.

You then use the SMS plus your username and password to log in to the client.

Jenny Spitfire
Caldari
Posted - 2011.02.06 20:11:00 - [34]
 

Originally by: T'Laar Bok
Originally by: Jenny Spitfire
Alternatively, CCP can send validation code through email first to authenticate.


I really think you're sitting back in your chair just giggling yourself silly thinking up the most stupid ideas you can and watching people respond.


Tell me what is so stupid about getting the code through email if SMS is not an option?

You are about to play the game, you have access to email. Get code through email and login as usual. What is so stupid about it?

T'Laar Bok
Posted - 2011.02.06 20:22:00 - [35]
 

Originally by: Jenny Spitfire
Tell me what is so stupid about getting the code through email if SMS is not an option?


Let's just dump the SMS idea, it's stupid.

Originally by: Jenny Spitfire
You are about to play the game, you have access to email. Get code through email and login as usual. What is so stupid about it?


The more steps authentication requires, the more potential avenues of attack there are. It's simple.

Jenny Spitfire
Caldari
Posted - 2011.02.06 20:26:00 - [36]
 

Originally by: T'Laar Bok
The more steps authentication requires, the more potential avenues of attack there are. It's simple.


So I guess you think banks' authentication system for online banking is also stupid because they have multi-level systems.

I think the risk of people getting into your account with a username and password is higher than with multi-level systems. Then again, a simple username and password is also sufficient if the password requirements are good.

I was only suggesting as the topic but it does not mean I disagree with you, as you can tell.

T'Laar Bok
Posted - 2011.02.06 20:52:00 - [37]
 

Originally by: Jenny Spitfire
So I guess you think banks' authentication system for online banking is also stupid because they have multi-level systems.


The only online banking I've done only requires a username/password, although one bank offers for $20 a keyring thingy that generates a random token based on your account details that you can enter in addition to your username/password - but it's optional to enter, so it doesn't really do anything.

Originally by: Jenny Spitfire
I think the risk of people get into your account with username and password is higher than multi-level systems.


I found 600 or so CCP password emails in a hacked account 'cause someone was too lazy to delete them. It wouldn't take long to reverse engineer the generation formula. CCP would have to change the way the passwords were generated at least daily to avoid this.

On the other hand - no password emails - no additional avenue of attack.



Ai Shun
Caldari
Posted - 2011.02.06 21:42:00 - [38]
 

Edited by: Ai Shun on 06/02/2011 21:43:39
Originally by: Jenny Spitfire
How about this? CCP buys a mobile SMS provider. The player base registers their mobile numbers with the CCP server. Each time a player wants to log in, the CCP server issues a security code, valid for one hour of authenticated login, and sends it to the player's mobile.


I was waiting for you to suggest they should call us to confirm if we are actually trying to login :)

Originally by: Jenny Spitfire
Alternatively, CCP can send validation code through email first to authenticate.


Have you noticed how secure email is?





Furb Killer
Gallente
Posted - 2011.02.06 21:59:00 - [39]
 

Edited by: Furb Killer on 06/02/2011 22:00:31
Surprisingly, mng has got a point for once. It has indeed been brought up: for everyone who has a pass that is easy to find with a dictionary attack (which it is highly unlikely they will do; bruteforce is impossible, more about that later), forcing people to use capital letters will just mean the first letter is a capital.

Regarding the bruteforcing, I think the first reply covered pretty much why that is impossible, although he didn't mean to prove that. With your 8 character pass at 500k attempts per second you go from 4 days to 3 years, an impressive increase. At the same time, a completely useless increase. Regardless of what CCP has done wrong, I don't expect CCP would be stupid enough not to notice that for 4 days in a row passes are being tried on an account.
And it would be hard not to notice, since the freaking login server would be down the instant you tried it with 500k attempts per second. I think it would be more realistic to say the login server can handle 500 attempts per second, which would mean it takes 10 years to bruteforce the 8 char all lowercase pass. Eventually even CCP should notice that.

Disclaimer: I didn't bother checking if people on that site did their math correctly.

TL;DR, online passes of 8 chars + are impossible to bruteforce.

Jenny Spitfire
Caldari
Posted - 2011.02.06 22:58:00 - [40]
 

Originally by: T'Laar Bok
Originally by: Jenny Spitfire
So I guess you think banks' authentication system for online banking is also stupid because they have multi-level systems.


The only online banking I've done only requires a username/password, although one bank offers for $20 a keyring thingy that generates a random token based on your account details that you can enter in addition to your username/password - but it's optional to enter, so it doesn't really do anything.


Then your bank has not done it right. The VeriSign token is for your bank to authenticate you, so that when you need to perform a critical or high-risk activity like a third-party transaction it prompts you for verification. Failure to do so will cause the system to reject your request.

Tokens are also useful in making sure requests like address and personal details changes like phone number are indeed done at the request of the token holder.

Tom Gerard
Caldari
Blue Republic
RvB - BLUE Republic
Posted - 2011.02.06 23:00:00 - [41]
 

I use the same password for everything, and I have since I was like 8 and had to log in to a computer for the first time. My password is so simple it's foolproof; only an 8 year old would be able to crack it.

Ai Shun
Caldari
Posted - 2011.02.06 23:01:00 - [42]
 

Originally by: Jenny Spitfire
Tokens are also useful in making sure requests like address and personal details changes like phone number are indeed done at the request of the token holder.


It may be worth watching some of Steve Riley's speeches on security. Particularly some of his pieces on how what can seem like an increase in security simply increases the attack footprint and the number of different entities that must be trusted with your information.

His presentations on information security and so forth are fairly incredible if you've never been to them. And he is a very engaging speaker as well.

Jenny Spitfire
Caldari
Posted - 2011.02.06 23:07:00 - [43]
 



Quote:
Have you noticed how secure email is?

Yes. It is very insecure. I remember the IT boys telling me that for the purpose of a throwaway validation that expires in some minutes, it does not matter. The same goes for GSM text messages, which are insecure.

Some people still do receive their serial numbers through email. The bottom line is to make it harder for others to get into your account. In this method, they need to get into your mail then your key and finally your password plus username. It is not that easy.

Jenny Spitfire
Caldari
Posted - 2011.02.06 23:09:00 - [44]
 

Originally by: Ai Shun
Originally by: Jenny Spitfire
Tokens are also useful in making sure requests like address and personal details changes like phone number are indeed done at the request of the token holder.


It may be worth watching some of Steve Riley's speeches on security. Particularly some of his pieces on how what can seem like an increase in security simply increases the attack footprint and the number of different entities that must be trusted with your information.

His presentations on information security and so forth are fairly incredible if you've never been to them. And he is a very engaging speaker as well.


Link please?

Ai Shun
Caldari
Posted - 2011.02.06 23:13:00 - [45]
 

Originally by: Jenny Spitfire
Link please?


Here. I don't keep a list handy, I attended them in person.

Jenny Spitfire
Caldari
Posted - 2011.02.06 23:19:00 - [46]
 

Originally by: Ai Shun
Originally by: Jenny Spitfire
Link please?


Here. I don't keep a list handy, I attended them in person.


Oh. That is very helpful.

TimMc
Brutal Deliverance
Gypsy Band
Posted - 2011.02.06 23:20:00 - [47]
 

Please stop posting.

Scorpyn
Caldari
Infinitus Odium
Posted - 2011.02.06 23:46:00 - [48]
 

Originally by: masternerdguy
This has probably been brought up before, but in the old password system people could choose any password they wanted. Now you need a capital letter and a numeric character.

Since most people are probably going to capitalize the first letter and add a 1 or something to the end, doesn't this lower account security? Also, doesn't it make an old password from before the changes more secure against brute forcing?

That depends on what the password was before the change and how you change it.

In many cases, people use really bad passwords like "hello" or "banana". Changing those passwords to "Hello1" and "Banana1" won't really add any noticeable security, but on the other hand it won't really make them less secure either.

Sometimes, people use somewhat random passwords, like "dabdodi" or "mabkbxp". Those passwords are better, but still only a few lower case a-z characters. In these cases, changing them to "Dabdodi1" or "Mabkbxp1" will increase security noticeably since it takes a lot longer to go through all passwords when you can't rely on a dictionary. However, if the policy is forced, there won't really be much difference in this case either.

A bad password is still a bad password, whether you force them to seem good or not. However, as long as you don't simply capitalize the first character and add 1 to the end, forcing uppercase and numbers will increase the security in many cases. Unfortunately, it may also add a false sense of security.

How to generate good passwords on a Linux system.

Skylitsa
Posted - 2011.02.07 01:48:00 - [49]
 

The practice I like to follow is to start my password with a 1 and capitalize the last letter 1skylitsA. Since most people do the reverse thing, I think my way is much more secure!:)

Ragnar256
Minmatar
Posted - 2011.02.07 02:02:00 - [50]
 

My current password will take up to 39397489541 years to crack my account.

T'Laar Bok
Posted - 2011.02.07 02:14:00 - [51]
 

Originally by: Jenny Spitfire
Then your bank has not done it right.



I know. Their explanation was that using the token proves I and only I could have logged in.

So I said what if I give the token to my wife and she logs in or someone steals it and they have my login details. The keyring sits by my computer after all. Am I responsible for the transactions done because the token proves it was me when it could have been someone else? Can I do any transaction I want and not be responsible because I didn't put in the optional token.

I was put on hold while she checked with her supervisor, and the call eventually dropped after 45 min.

They're idiots.

Zeba
Minmatar
Honourable East India Trading Company
Posted - 2011.02.07 02:32:00 - [52]
 

Ok.

What I want to know is how the OP knows that every single player in the game is going to capitalize the first letter and use a number as the last character in the password.

Why can't they capitalize the fourth letter and use a number for the second character? Or any other combination for that matter?

Captain Mung
Posted - 2011.02.07 05:48:00 - [53]
 

To answer the OP's questions: 1) No. 2) No.

/thread

Chainsaw Plankton
IDLE GUNS
IDLE EMPIRE
Posted - 2011.02.07 05:57:00 - [54]
 

Originally by: Zeba
Ok.

What I want to know is how does the op know that every single player in the game is going to capitalize the first letter and use a number as the last character in the password.

Why can't they capitalize the fourth letter and use a number for the second character? Or any other combination for that matter?


Because people are lazy, and most are rather predictable. Besides, Password1 is easier than pasSwo1rd.

And @ the "eight year old made password": is it willy? Or maybe boobies, or hehepeepee?

Theqwert125
Qwertian Enterprises
Posted - 2011.02.07 06:04:00 - [55]
 

Edited by: Theqwert125 on 07/02/2011 06:08:17
Edited by: Theqwert125 on 07/02/2011 06:05:20
For once, could a security guy actually think instead of requiring certain things in a password? Why not require a password of a certain cracking difficulty? For example, my school doesn't accept a password like "9i7tcfyhukhcdtrefgy8" but DOES accept "Password." because it has a capital and punctuation. The first would take 859535399874211300 years to crack vs. the other's 19, but noooo, the security guy is apparently incapable of doing simple permutations.
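The contrast Theqwert125 draws, a character-class rule beside a cracking-difficulty estimate, as an added example. This is not code from the thread, from any school's login system or from CCP; the tiny wordlist, the mangling budget (3 capitalisation forms, 11 candidates per mangled character), the 500 guesses/s rate and the 100-year acceptance threshold are all assumptions made for illustration, and the dictionary-shape pattern covers the "Password1" / "Banana1" / "1skylitsA" shapes other posters describe.

```python
"""A character-class rule beside a cracking-difficulty estimate.

Added example; not code from the thread, from any school's login system or
from CCP.  The wordlist, the mangling budget, the guess rate and the 100-year
threshold are assumptions made for illustration.
"""
import re

SECONDS_PER_YEAR = 365 * 24 * 3600
PUNCT = 33  # printable ASCII characters that are neither letters nor digits

# Constructed stand-in for a real cracking wordlist (assumption).
WORDLIST = {"password", "banana", "hello", "welcome", "dragon", "letmein"}

# Optional leading digit, a run of letters, optional trailing digits/punctuation:
# the "Password1" / "Banana1" / "1skylitsA" shape discussed in the thread.
DICTIONARY_SHAPE = re.compile(r"^(?P<lead>\d?)(?P<core>[A-Za-z]+)(?P<tail>[\d.!?]*)$")


def passes_class_rule(pw: str) -> bool:
    """Rule of the kind the thread argues about: at least one uppercase letter
    and at least one digit or non-alphanumeric character, regardless of length
    or of how guessable the underlying word is."""
    has_upper = any(c.isupper() for c in pw)
    has_digit_or_punct = any(c.isdigit() or not c.isalnum() for c in pw)
    return has_upper and has_digit_or_punct


def alphabet_size(pw: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += PUNCT
    return size


def guess_count(pw: str) -> int:
    """Estimated worst-case number of guesses needed to reach `pw`.

    Dictionary-shaped passwords are charged at wordlist size times a mangling
    budget (assumption: 3 capitalisation forms, 11 candidates for each mangled
    character), not at the full alphabet keyspace a class rule implies.
    Anything else is charged at alphabet_size ** length.
    """
    m = DICTIONARY_SHAPE.match(pw)
    if m and m.group("core").lower() in WORDLIST:
        mangled = len(m.group("lead")) + len(m.group("tail"))
        return len(WORDLIST) * 3 * 11 ** mangled
    return alphabet_size(pw) ** len(pw)


def years_to_crack(pw: str, guesses_per_second: float = 500.0) -> float:
    """Worst-case time at an online guess rate (500/s is Furb Killer's figure)."""
    return guess_count(pw) / guesses_per_second / SECONDS_PER_YEAR


def meets_strength_rule(pw: str, min_years: float = 100.0) -> bool:
    """The alternative asked for above: accept on estimated cracking difficulty
    rather than on which character classes appear (threshold is an assumption)."""
    return years_to_crack(pw) >= min_years


def compare(pw: str) -> dict:
    """Both verdicts side by side, so the two rules' disagreements are visible."""
    return {
        "class_rule": passes_class_rule(pw),
        "strength_rule": meets_strength_rule(pw),
        "years_at_500_per_s": years_to_crack(pw),
    }


if __name__ == "__main__":
    for pw in ("Password.", "9i7tcfyhukhcdtrefgy8", "Banana1", "dabdodi"):
        print(f"{pw!r:25s} {compare(pw)}")
```

Run as a script it prints the two verdicts for each sample: "Password." and "Banana1" pass the class rule but are charged only 198 guesses, while "9i7tcfyhukhcdtrefgy8" fails the class rule yet sits at 36^20 guesses. The real lesson is in `guess_count`: an estimate that knows about wordlists and mangling ranks passwords very differently from one that only counts character classes.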

Mara Rinn
Posted - 2011.02.07 06:20:00 - [56]
 

Requiring a capital letter and at least one number or punctuation will only reduce security if the "special" characters are required to be at certain positions of the password.

You may think that it's easy to predict that the capital letter will be in the first position, and the digit will be in the last position. Then you have to remember that the user just stuck the number on the end of an existing password, so you still have to guess 8 characters.

Talaan Stardrifter
Universal Exports
Posted - 2011.02.07 06:40:00 - [57]
 

Edited by: Talaan Stardrifter on 07/02/2011 06:47:07
Originally by: masternerdguy
This has probably been brought up before, but in the old password system people could choose any password they wanted. Now you need a capital letter and a numeric character.

Since most people are probably going to capitalize the first letter and add a 1 or something to the end, doesn't this lower account security? Also, doesn't it make an old password from before the changes more secure against brute forcing?


8 characters, all lowercase:
26^8 = Approx 208 Billion variations

8 Characters, Requiring an Initial Capital, and a trailing numeric
26 * 26^6 * 10 = Approx 80 Billion variations
THIS REQUIRES THAT THE LOCATIONS BE FIXED

However, the locations of the capital and numeric aren't fixed
and by definition, a brute-force attack is required to check all permutations.

8 Characters, Requiring a Capital somewhere, and a number somewhere
(26 + 26 + 10)^8 = Approx 218,340 Billion variations

It is your own responsibility to ensure your password is secure.

Oh, and you can stop trolling now.
All of your threads I've seen today have been grossly ill-informed, or intentionally misrepresented.
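The keyspace arithmetic from Talaan Stardrifter's post and the guess rates from Furb Killer's, worked as an added example (not code from the thread, from CCP or from any poster). It reproduces the three figures above and goes one step further: the exact count of 8-character strings that contain at least one capital and at least one digit, by inclusion-exclusion, which is smaller than 62^8 because that figure also counts strings with no capital or no digit; and the share of that compliant keyspace taken up by the "capital first, digit last" shape, which is the point Aamrr makes further down. The 500k/s and 500/s rates are the thread's own assumptions, not measured numbers.

```python
"""Keyspace arithmetic for the password-policy shapes argued over in this thread.

Added example; not code from the forum thread, from CCP or from any poster.
Alphabet sizes follow the posts (26 lower, 26 upper, 10 digits); the guess
rates (500k/s and 500/s) are the assumptions Furb Killer used, not measurements.
"""

LOWER, UPPER, DIGIT = 26, 26, 10
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace_all_lower(length: int) -> int:
    """Every string of `length` lowercase letters (the pre-policy baseline)."""
    return LOWER ** length


def keyspace_fixed_positions(length: int) -> int:
    """The pessimistic shape the OP assumes: capital forced into position 1,
    digit forced into the last position, everything in between lowercase."""
    return UPPER * LOWER ** (length - 2) * DIGIT


def keyspace_alnum_any(length: int) -> int:
    """All strings over the 62-character alphabet: the 62^n figure from the
    thread.  It slightly overstates the policy, since it also counts strings
    with no capital or no digit, which the policy would reject."""
    return (LOWER + UPPER + DIGIT) ** length


def keyspace_at_least_one_each(length: int) -> int:
    """Exact count of strings over the 62-character alphabet containing at
    least one uppercase letter AND at least one digit, by inclusion-exclusion:
    total - (no uppercase) - (no digit) + (neither uppercase nor digit)."""
    total = (LOWER + UPPER + DIGIT) ** length
    no_upper = (LOWER + DIGIT) ** length
    no_digit = (LOWER + UPPER) ** length
    neither = LOWER ** length
    return total - no_upper - no_digit + neither


def predictable_fraction(length: int) -> float:
    """Share of the policy-compliant keyspace taken up by the 'capital first,
    digit last' shape: what an attacker betting on lazy users gets to skip to."""
    return keyspace_fixed_positions(length) / keyspace_at_least_one_each(length)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string in a keyspace at an online guess
    rate; the expected time to hit one particular password is half of this."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def policy_report(length: int = 8, rate: float = 500.0) -> dict:
    """Size and exhaustion time (at `rate` guesses/s) for each policy shape."""
    spaces = {
        "all lowercase": keyspace_all_lower(length),
        "capital first, digit last": keyspace_fixed_positions(length),
        "alphanumeric, any shape (62^n)": keyspace_alnum_any(length),
        "at least one capital and one digit (exact)": keyspace_at_least_one_each(length),
    }
    return {name: (n, years_to_exhaust(n, rate)) for name, n in spaces.items()}


if __name__ == "__main__":
    for name, (n, years) in policy_report().items():
        print(f"{name:45s} {n:>22,d} strings  ~{years:,.1f} years at 500/s")
    print(f"predictable subset: {predictable_fraction(8):.4%} of the compliant keyspace")
```

At the 500/s rate the post calls realistic, even the lowercase-only 8-character space takes on the order of a decade to exhaust, and the "capital first, digit last" subset is about a twentieth of a percent of the compliant keyspace; the lockout and rate-limiting point Furb Killer makes matters far more than the exact exponent.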

Lay Lonie Mishi
Posted - 2011.02.07 06:57:00 - [58]
 

Originally by: masternerdguy
Originally by: BeanBagKing
Originally by: masternerdguy

yes if I put a capital A in the middle of my password sure. But most people won't do this.


It doesn't matter where you put it. It's a simple mathematical expression involving the number of tries a computer can make in an hour, and the number of possible combination. The computer doesn't know if you put an A at the beginning, at the end, in the middle, if you put 2 of them, or a bunch of different letters, etc.

The amount of possible combination for an 8 character lowercase password is 8^26 vs 8^52 for upper and lower, 8^62 if you continue adding numbers, and I forget how many symbols there are, but you get the idea. Figure out how many extra 0's that tacks onto the end for possible combination. It increases exponentially. Again, the computer doesn't know where you put these extra numbers/letters, so it doesn't matter where or how many.


yes but as a human being I know that people are more likely to cap first letter and put a # at the end.


Christ, you're stupid. If he/she puts a capital A at the beginning, middle or end it's still more secure and would take longer to crack than otherwise. Again, it doesn't matter where, just that it's there.

Aamrr
Posted - 2011.02.07 07:10:00 - [59]
 

which constitute such a ludicrously low percentage of possible mixed case passwords that it doesn't really save them any significant time at all.

Halcyon Ingenium
Caldari
Bene Gesserit ChapterHouse
Sanctuary Pact
Posted - 2011.02.07 07:21:00 - [60]
 

Anyone who thinks EVE forum monitors are too strict need only read one of masternerdguy's threads, see that he isn't permanently or even temporarily banned, and just understand that they are wrong.

Seriously, I would argue that they are too lax with letting you continue to **** post to the degree that you do.

