Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.13 10:19:00 - [1]
Originally by: gfldex Keyloggers have a problem with the space key. Don't you know that?
Man, I wish I could use the tab key in passwords. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.13 11:21:00 - [2]
Originally by: Arkanor On a related note, I think there was a study (yeah, don't quote me on this) on forcing password restrictions like this. It tends to make people choose easier passwords, making accounts even easier to hack. Personally it just annoys the **** out of me.
It also makes it easier on those that try to brute-force it (idiots who try to brute-force passwords over a network do exist). When there must be 6 characters, at least one capital and at least one number, many passwords will have a capital at the start, 4 lowercase letters, then a number. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.13 12:03:00 - [3]
Originally by: Manackel 'Cause having to remember a few extra buttons really is a terrible thing. Fair enough, it's your choice; I just think it's silly to complain that CCP are trying to do their part in keeping your accounts secure.
Security theater isn't security. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.13 12:14:00 - [4]
Originally by: Buck Marui And it never occurred to them to use the industry security standard of sentences?
People tend to take words like 'password' literally, unfortunately.
I do so prefer sentences. Easy to remember, easy to type, typically harder to read over the shoulder of someone typing it in...
But of course, some idiot will have put a maximum limit on password length "so they won't forget it as easily".
FFFFFFFUUUUUUUUUUUUUUUUU!!! - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.13 12:22:00 - [5]
Originally by: Buck Marui hehe, I think you misunderstood, you don't actually use the sentence.
You use certain letters of a sentence, so when someone says "what's the password to 'server'?" you can say something like "the grass is greener" and the password would be "tgig". Obviously very simple there, but you get the idea.
Ah, that makes sense.
You know we once had someone working for us who had her current city of residence and some date as her password? She still wrote it down and taped the paper to her monitor. No password remembering scheme will help regular users. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.13 19:03:00 - [6]
Originally by: Mr Epeen Biometrics FTW! Passwords are so last century.
Please do press your password on everything you touch. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.14 06:05:00 - [7]
Originally by: Terminal Insanity CCP got sick of spending hours upon hours repairing accounts stolen due to idiots using "hello" as their password, so they decided to add some 'restrictions' to try and idiot-proof passwords... and now the idiots actually complain that they can't use their stupid passwords? lol.
The 'restrictions' you talk about are basically standard practice for picking a password. You're a dumbass if you think this is a bad idea.
Look how misinformed you are. Password complexity is mostly irrelevant. If someone can brute-force even a 4-letter password, or get through a dictionary down to 'hello', then CCP set up the authentication system completely wrong.
The threat is from keyloggers, phishing and dumbasses using their EVE log-in credentials on untrustworthy EVE-related sites or software. No amount of complexity rules will change that. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.14 06:43:00 - [8]
Originally by: Terminal Insanity Edited by: Terminal Insanity on 14/10/2010 06:14:04
Originally by: Paknac Queltel Look how misinformed you are. Password complexity is mostly irrelevant. If someone can brute-force even a 4-letter password, or get through a dictionary down to 'hello', then CCP set up the authentication system completely wrong.
The threat is from keyloggers, phishing and dumbasses using their EVE log-in credentials on untrustworthy EVE-related sites or software. No amount of complexity rules will change that.
I have to return your compliment. When I was a cracker, my dictionary list was arranged in a way that moves the most commonly used password phrases to the top, based on how many successful cracks it's made. It then tries an assortment of common numbers preceding and following the phrase.
And, to put the nail in this argument, I have only one word: Proxies. See, no amount of server-side security will prevent a brute force attack, simply because you've got a proxy for every 5 passwords.
Yes, client-side security (re keyloggers etc.) is still a problem, but a good strong password is always the first line of defense, and solves the most common method of cracking passwords.
Seems like a whole lot of effort when people will still gladly put their password into whatever 'EVE cheat' they download.
Also, your proxy list shouldn't matter. Long before attempt 100, the account should only be unlockable by a randomly generated link mailed to the account owner. That's how I would do it.
Strong passwords are good, yes. Complexity rules don't make passwords stronger, though. People are predictable in how they will modify their standard password to pass complexity checks. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.14 07:08:00 - [9]
Originally by: Terminal Insanity Also, you can't lock someone out of their account just because of the number of attempts; this would create a DoS attack vulnerability, where I could lock people out of their accounts simply by letting a brute force attack run for just 1 minute. The best option in this case would be to record the IP addresses used by that account, and then require email authentication if he has a new IP block or ISP. This is (sorta) how most banks secure their accounts. But in the case of videogames, this is far more work than most players would appreciate.
Meh, all details. Probably solvable in a user-friendly way, but that would require me to actually think about it more. But you're right. There are too many whiny players anyway.
How about this: they get to opt out if they forfeit whatever they get taken for if they get hacked? - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.14 07:59:00 - [10]
Originally by: Muul Udonii I use a non-English word, with some switching of numbers for letters. In fact it's a language spoken by exactly 0 people on this planet.
But all passwords are easy to crack if you have a keylogger trojan, which is why it's great that Eve saves my usernames, because people will never be able to keylog which one I'm selecting.
A lot of keyloggers can also capture screenshots. - Paknac Queltel
Paknac Queltel
Swords Horses and Heavy Metal
Posted - 2010.10.14 10:20:00 - [11]
Originally by: Vaerah Vahrokha I wish they were so smart as to hide it under the keyboard. They put a post-it on the monitor so it is WELL visible to everyone.
After all, do you know what happens in any case?
- Dude, you KNOW it's forbidden to leave the password there
Sharon: "By corporate policy 1116-A-ZT3-2010 (notice how policies ironically would make for decent passwords?) ONLY <enter here Joe's cryptic profession here> may access pages "ACCOUNTING-118BZ32", but Joe lately needs 2 days off every 2 weeks so I have to fill in the forms for him with the password he is so kind to leave here for me to see. THE UBERMEGA BOSS wants so. GTFO PLX."
Your pain. I feel it.
Originally by: Vaerah Vahrokha Also, more reasons why "secure passwords" is a stupid idea:
- They have never been secure enough. When they were, the hacker corrupts someone to give him the password.
- Brute force attack? The login system should be removed, not the passwords made a PITA. A decent login system will refuse brute force and impose increasing timeouts (and even lockdown) after NN failed attempts.
- Nowadays brute force is obsolete. Slam a keylogger inside a big titted slideshow and you achieve 1000 times as much and quicker. Or send some "Bank account suspended, enter your password here to enable" fake email.
- Nowadays you've got 100 sites all demanding different and more complicated passwords that of course expire every few weeks and must be replaced with different ones. Result: everything well written down and in an easy to find location!
- Paypal, aka real money at stake, has been working for like 2 decades with weaker passwords than some "25 unique contacts a month" web sites / forums talking about trivial things.
Mate, your password must be this tall to ride. It's for your own security. We don't need your fancy 'logic'. - Paknac Queltel