Cypher V
Minmatar Critical Mass Technologies
|
Posted - 2011.03.10 21:13:00 -
[1]
wtf... This is so ANNOYING. I NEVER put a capital letter in there, and being forced to means I have to press the shift key and EVERYTHING!
Hate it.
Remove it.
Get it done.
|
Nina Mercedez
|
Posted - 2011.03.10 21:15:00 -
[2]
Just change it to whatever you want then.
|
Patient 2428190
DEGRREE'Fo'FREE Internet Business School
|
Posted - 2011.03.10 21:15:00 -
[3]
Yes, let's reduce the security of our accounts. That sounds like a smart idea. ...Then when you stopped to think about it. All you really said was Lalala.
Aessoroz
Nohbdy.
|
Posted - 2011.03.10 21:20:00 -
[4]
Edited by: Aessoroz on 10/03/2011 21:20:04
Originally by: Patient 2428190 Yes, lets reduce the security of our accounts. That sounds like a smart idea.
Five bucks that 90% of users are making the first letter capital or the last one, thus negating any potential security gains and just ****ing off users.
|
Parah Salin McCain
|
Posted - 2011.03.10 21:20:00 -
[5]
SO ANNOYING THAT CCP WANT TO INCREASE SECURITY AND HELP TO PROTECT OUR ACCOUNTS THOSE BASTARDS. IT'S SO DIFFICULT TO INPUT AN UPPER CASE LETTER GOD DAMN YOU CROWD CONTROL PRODUCTIONS HIGH FIVE.
|
Zhim'Fufu
|
Posted - 2011.03.10 21:23:00 -
[6]
Originally by: Cypher V wtf... This is so ANNOYING. I NEVER put a capital letter in there, and being forced to means I have to press the shift key and EBERTING!
Hate it.
Remove it.
Get it done.
I wonder if the op would develop an aneurysm if they made you use a number too?
Originally by: Response to bitter carebear tears in local [19:44:46] CCP Incognito > sorry i can't talk about game mechanics. you need to use your brains and figure it out.
|
Marchocias
Snatch Victory
|
Posted - 2011.03.10 21:23:00 -
[7]
Edited by: Marchocias on 10/03/2011 21:23:27
Originally by: Patient 2428190 Yes, lets reduce the security of our accounts. That sounds like a smart idea.
Actually, forcing there to be at least one capital slightly reduces security because any attacker now knows that the password has at least one capital in it.
The only benefit to it is so that people creating passwords are made aware that they can use capitals, so that more do, and guessing becomes generally more difficult.
However, this is only increasing security for those people who don't already use capitals, and who will probably, for simplicity's sake, only use a capital on the first available letter, thereby leaving us back where we started (because anyone who was going to guess a password with all lowercase letters will now do exactly the same, just with the first one capitalised).
Therefore, on average, it slightly decreases security.
---- I belong to Silent Ninja (Hopefully that should cover it).
De'Veldrin
Minmatar Self Preservation Society the 2nd Dead Terrorists
|
Posted - 2011.03.10 21:26:00 -
[8]
Originally by: Marchocias Edited by: Marchocias on 10/03/2011 21:23:27
Originally by: Patient 2428190 Yes, lets reduce the security of our accounts. That sounds like a smart idea.
Actually, forcing there to be at least one capital slightly reduces security because any attacker now knows that the password has at least one capital in it.
The only benefit to it is so that people creating passwords are made aware that they can use capitals, so that more do, and guessing becomes generally more difficult.
However, this is only increasing security for those people who don't already use capitals, and who will probably, for simplicities sake, only use a capital on the first available letter, thereby leaving us back where we started (because anyone who was going to guess a password with all lowercase letters, will now do exactly the same just with the first one capitalised).
Therefore, on average, it slightly decreases security.
And the "really clever" ones turn on caps lock to "make it harder to guess" their passwords.
--Vel
Originally by: Blacksquirrel
This is EVE. PVE can happen anywhere at anytime. Be prepared.
|
Parah Salin McCain
|
Posted - 2011.03.10 21:29:00 -
[9]
Originally by: Marchocias
Therefore, on average, it slightly decreases security.
... IN YOUR OPINION
|
Kraal Jarik
|
Posted - 2011.03.10 21:34:00 -
[10]
None of mine contain capital letters, so OP = fail.
|
Barakkus
|
Posted - 2011.03.10 21:35:00 -
[11]
Dear CCP, please fix the search function so we don't have to see the same threads repeatedly.
Thanks. - - [SERVICE] Corp Standings For POS anchoring
|
Patient 2428190
DEGRREE'Fo'FREE Internet Business School
|
Posted - 2011.03.10 21:35:00 -
[12]
Originally by: Marchocias Edited by: Marchocias on 10/03/2011 21:23:27
Originally by: Patient 2428190 Yes, lets reduce the security of our accounts. That sounds like a smart idea.
Actually, forcing there to be at least one capital slightly reduces security because any attacker now knows that the password has at least one capital in it.
The only benefit to it is so that people creating passwords are made aware that they can use capitals, so that more do, and guessing becomes generally more difficult.
However, this is only increasing security for those people who don't already use capitals, and who will probably, for simplicities sake, only use a capital on the first available letter, thereby leaving us back where we started (because anyone who was going to guess a password with all lowercase letters, will now do exactly the same just with the first one capitalised).
Therefore, on average, it slightly decreases security.
Even in the worst case of PW strength, first letter capitalized and the rest lowercase changes nothing for brute force hacking.
The second you get somebody with a faint shred of intelligence (weird I know, but sometimes I'm optimistic about people) and they move their required capital letter to a different letter in the PW, the strength of the password is improved.
TBH, they should require a really secure PW (unique characters, capitals and numbers, the whole works) and a giant prompt saying "DO NOT USE THIS PASSWORD FOR ANYTHING BUT YOUR EVE ONLINE ACCOUNT". If you're going to try to save people from stupid, don't do it half-assed. ...Then when you stopped to think about it. All you really said was Lalala.
Kieron VonDeux
|
Posted - 2011.03.10 21:36:00 -
[13]
Edited by: Kieron VonDeux on 10/03/2011 21:36:31
Originally by: Zhim'Fufu I wonder if the op would develop an aneurysm if they made you use a number too?
Or, God forbid, a "special" character.
|
Azureite
Amarr Special Forces Operation Detachment Delta The 0rphanage
|
Posted - 2011.03.10 21:38:00 -
[14]
Originally by: Aessoroz Edited by: Aessoroz on 10/03/2011 21:20:04
Originally by: Patient 2428190 Yes, lets reduce the security of our accounts. That sounds like a smart idea.
Five bucks that 90% of users are making the first letter capital or the last one,thus negating any potential security gains and just ****ing off users.
^this
|
CCP Adida
C C P C C P Alliance
|
Posted - 2011.03.10 22:00:00 -
[15]
It helps with your account security. We could allow people to have their password as 12345, but wouldn't that be easy to guess?
Adida Community Rep CCP Hf, EVE Online
|
Katsumoto
Caldari Quam Singulari Session Changes
|
Posted - 2011.03.10 22:06:00 -
[16]
I have that combination on my luggage!
|
Wen Illiad
Gallente GoonWaffe Goonswarm Federation
|
Posted - 2011.03.10 22:12:00 -
[17]
Originally by: Katsumoto I have that combination on my luggage!
You too?!?
|
Tippia
Sunshine and Lollipops
|
Posted - 2011.03.10 22:26:00 -
[18]
Also, see this.
--- “If you're not willing to fight for what you have in ≡v≡… you don't deserve it, and you will lose it.” - Karath Piki
sableye
principle of motion
|
Posted - 2011.03.10 22:50:00 -
[19]
Edited by: sableye on 10/03/2011 22:53:13
nevermind
----------------------------------------- View The North Star! In All Its Glory!!
Ban Doga
|
Posted - 2011.03.10 22:50:00 -
[20]
Originally by: Marchocias Edited by: Marchocias on 10/03/2011 21:23:27
Originally by: Patient 2428190 Yes, lets reduce the security of our accounts. That sounds like a smart idea.
Actually, forcing there to be at least one capital slightly reduces security because any attacker now knows that the password has at least one capital in it.
The only benefit to it is so that people creating passwords are made aware that they can use capitals, so that more do, and guessing becomes generally more difficult.
However, this is only increasing security for those people who don't already use capitals, and who will probably, for simplicities sake, only use a capital on the first available letter, thereby leaving us back where we started (because anyone who was going to guess a password with all lowercase letters, will now do exactly the same just with the first one capitalised).
Therefore, on average, it slightly decreases security.
That's why common sense fails at probability theory.
By your theory guessing a password must have been much easier in the past, because most people didn't use any capital letters at all and reducing the number of different letters used in a password (actually cutting it in half) makes it much easier to apply brute force or simple guessing successfully.
Unless of course you wanted to imply that passwords already contained capital letters in which case the security is not reduced AT ALL.
|
Rguy Amphal
|
Posted - 2011.03.10 23:03:00 -
[21]
Originally by: Marchocias
Actually, forcing there to be at least one capital slightly reduces security because any attacker now knows that the password has at least one capital in it.
I could start talking about password cracking permutations to point out how dumb your comment was, but I won't.
|
Julius Rigel
Sub-warp Racing Venture
|
Posted - 2011.03.11 01:21:00 -
[22]
Originally by: CCP Adida It helps with your account security. We could allow people have their password at 12345 but wouldn't that be easy to guess?
I've been using that joke for years when telling people about the combinations to the bookmark cans.
|
Awesome Possum
Original Sin. PURPLE HELMETED WARRIORS
|
Posted - 2011.03.11 01:25:00 -
[23]
Adida, account security should be the responsibility of the user. Measures like this make it sound like you are taking responsibility and accountability for people's account security. So when they do get "hacked", you are to blame, not the user.
On a related issue, I dislike the fact that CCP keeps a record of peoples' old passwords. What should happen if that fell into the hands of the "bad people"? Once I change my password, there should be no record or indication of what it was in your files. ♥
|
Imajitaaltofanalt ofanalt
|
Posted - 2011.03.11 01:27:00 -
[24]
hey, look at me, I'm a geek! I can haxxorz joo!
seriously... i use numberz for my pazzwordz
|
Lothris Andastar
|
Posted - 2011.03.11 01:38:00 -
[25]
Edited by: Lothris Andastar on 11/03/2011 01:39:30
Originally by: CCP Adida It helps with your account security. We could allow people have their password at 12345 but wouldn't that be easy to guess?
Actually, CCP Adida, it weakens account security.
A password that can POSSIBLY have an all lower case password is harder to crack than a password where one letter is CERTAINLY a capital letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less work for any attacker to try and find the password.
Add to that the fact that a grand total of zero accounts are compromised by brute force attacks (they are compromised via keyloggers because naughty people buy isk), and this has zero impact on account security and just annoys people.
|
Barakkus
|
Posted - 2011.03.11 01:50:00 -
[26]
Originally by: Lothris Andastar Edited by: Lothris Andastar on 11/03/2011 01:39:30
Originally by: CCP Adida It helps with your account security. We could allow people have their password at 12345 but wouldn't that be easy to guess?
Actually, CCP Adida, it Weakens account security.
A Password that can POSSIBLY have an all lower case password is harder to crack than a Password where one letter is CERTAINLY a Capital Letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less word for any attacker to try and find the password.
Add to the fact that a grand total of zero accounts are compromised by brute force attacks (they are comprimised via keyloggers because naughty people buy isk), this has zero impact on account security and just annoys people.
Not this again.
No it doesn't, you have no clue about what you are talking about. - - [SERVICE] Corp Standings For POS anchoring
|
Awesome Possum
Original Sin. PURPLE HELMETED WARRIORS
|
Posted - 2011.03.11 02:13:00 -
[27]
Originally by: Barakkus
Originally by: Lothris Andastar Edited by: Lothris Andastar on 11/03/2011 01:39:30
Originally by: CCP Adida It helps with your account security. We could allow people have their password at 12345 but wouldn't that be easy to guess?
Actually, CCP Adida, it Weakens account security.
A Password that can POSSIBLY have an all lower case password is harder to crack than a Password where one letter is CERTAINLY a Capital Letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less word for any attacker to try and find the password.
Add to the fact that a grand total of zero accounts are compromised by brute force attacks (they are comprimised via keyloggers because naughty people buy isk), this has zero impact on account security and just annoys people.
Not this again.
No it doesn't, you have no clue about what you are talking about.
Please provide proof that accounts are being compromised via brute force and not keylogging/social engineering. ♥
|
Barakkus
|
Posted - 2011.03.11 02:17:00 -
[28]
Originally by: Awesome Possum
Originally by: Barakkus
Originally by: Lothris Andastar Edited by: Lothris Andastar on 11/03/2011 01:39:30
Originally by: CCP Adida It helps with your account security. We could allow people have their password at 12345 but wouldn't that be easy to guess?
Actually, CCP Adida, it Weakens account security.
A Password that can POSSIBLY have an all lower case password is harder to crack than a Password where one letter is CERTAINLY a Capital Letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less word for any attacker to try and find the password.
Add to the fact that a grand total of zero accounts are compromised by brute force attacks (they are comprimised via keyloggers because naughty people buy isk), this has zero impact on account security and just annoys people.
Not this again.
No it doesn't, you have no clue about what you are talking about.
Please provide proof that accounts are being compromised via brute force and not keylogging/social engineering.
I'm not suggesting that, I'm suggesting that the requirement of at least 1 uppercase character does not reduce the number of combinations that can be used for a brute force attack.
I agree, most account compromises happen due to stupid people, not brute force attacks. - - [SERVICE] Corp Standings For POS anchoring
|
Infinity Ziona
Minmatar Cloakers
|
Posted - 2011.03.11 02:43:00 -
[29]
Originally by: Barakkus I'm not suggesting that, I'm suggesting that the requirement of at least 1 uppercase character does not reduce the number of combinations that can be used for a brute force attack.
This is so wrong it's ridiculous and can only be a troll.
Requiring a single capital letter reduces possible permutations because it eliminates every permutation that consists of only lowercase and every permutation that consists of lowercase and numeric characters.
--------------------------------------------- I AM BETTER THAN YOU.
Barakkus
|
Posted - 2011.03.11 03:07:00 -
[30]
Originally by: Infinity Ziona
Originally by: Barakkus I'm not suggesting that, I'm suggesting that the requirement of at least 1 uppercase character does not reduce the number of combinations that can be used for a brute force attack.
This is so wrong its ridiculous and can only be a troll.
Requiring a single capital letter reduces possible permutations because it eliminates every permutation that consists of only lowercase and every permutation that consists of lowercase and numeric characters.
Please see page 53. http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
CCP should follow the guidelines listed in the previous link of requiring 3 of the 4 standard password requirements actually. Requiring just one isn't enough, but I don't think they suffer very many brute force attacks. - - [SERVICE] Corp Standings For POS anchoring
|
Matalino
|
Posted - 2011.03.11 03:14:00 -
[31]
Key points in this thread:
Originally by: Aessoroz Five bucks that 90% of users are making the first letter capital or the last one,thus negating any potential security gains and just ****ing off users.
+1
Originally by: Lothris Andastar A Password that can POSSIBLY have an all lower case password is harder to crack than a Password where one letter is CERTAINLY a Capital Letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less word for any attacker to try and find the password.
Add to the fact that a grand total of zero accounts are compromised by brute force attacks (they are comprimised via keyloggers because naughty people buy isk), this has zero impact on account security and just annoys people.
+2
Given that the effect of requiring a mixed case password is to protect against a form of attack that doesn't work (if real preventions are put in place), and it still doesn't even help prevent that, why bother annoying your users?
Originally by: CCP Adida It helps with your account security.
No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.
Originally by: Awesome Possum On a related issue, I dislike the fact that CCP keeps a record of peoples' old passwords. What should happen if that fell into the hands of the "bad people"? Once I change my password, there should be no record or indication of what it was in your files.
They probably don't store your password. They store a hash of your password. Getting the list of past password hashes will not give their past passwords.
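The point Matalino makes above (a store of past password hashes does not reveal the passwords themselves) is easy to see in code. The following is an added example written for this thread; it is not the forum's code, nothing here describes how CCP or any real account system stores credentials, and the PBKDF2 iteration count is an assumed work factor. It keeps a short per-account history of salted hash records so a changed password cannot be cycled straight back, while no record ever contains plaintext.

```python
"""Storing salted password hashes instead of passwords, and checking a
password history without keeping any plaintext.

Added example for the thread; not CCP's code.  PBKDF2-HMAC-SHA256 from the
standard library is the slow hash; ITERATIONS is an assumed work factor.
"""
import hashlib
import hmac
import os
from typing import List, Optional

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt is drawn unless one is supplied (tests supply one so
    the record is reproducible).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how close a guess was."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class PasswordHistory:
    """Keeps the last `keep` hash records for one account.

    The records are enough to refuse reuse of a recent password, but reading
    them gives nothing back except salts and digests.
    """

    def __init__(self, keep: int = 3) -> None:
        self.keep = keep
        self.records: List[str] = []

    def set_password(self, new_password: str) -> None:
        # Reuse is detected by verifying against each stored record.
        if any(verify_password(new_password, r) for r in self.records):
            raise ValueError("password was used recently")
        self.records.append(hash_password(new_password))
        self.records = self.records[-self.keep:]

    def check(self, password: str) -> bool:
        """True only for the current (most recent) password."""
        return bool(self.records) and verify_password(password, self.records[-1])


if __name__ == "__main__":
    history = PasswordHistory()
    history.set_password("correct horse battery")
    print(history.records[-1])          # no plaintext anywhere in the record
    print(history.check("correct horse battery"))
```

Each record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing records; old entries are simply re-hashed the next time the user logs in.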
|
Fondon
|
Posted - 2011.03.12 01:01:00 -
[32]
Originally by: Matalino No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.
Time needed to crack a password:
8 characters, just lower case: 4 days. 8 characters mixing lower and capital letters: 4 years. Add some numbers and you'll need more than 100 years.
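Several posts in this thread (Marchocias, Ban Doga, Lothris Andastar, Infinity Ziona, Barakkus, and Fondon's timing figures above) argue about how the "at least one capital" rule changes the space an exhaustive search has to cover. The arithmetic settles most of it, so here is an added example that works it through; it is not code from the forum or from CCP. The guesses-per-second figure in the usage is an assumed, constructed number used only to put the keyspace sizes on a common time scale, and the functions treat the password as uniformly chosen, which real passwords are not.

```python
"""Keyspace arithmetic behind the "must contain a capital letter" debate.

Added example for the thread, not forum or CCP code.  All figures are pure
counting; any guesses-per-second rate passed in is an assumption.
"""
from fractions import Fraction

LOWER, UPPER, DIGITS = 26, 26, 10


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of strings of the given length over an alphabet of that size."""
    return alphabet_size ** length


def keyspace_at_least_one_upper(length: int, extra: int = 0) -> int:
    """Strings over lowercase + uppercase (+ `extra` further symbols) that
    contain at least one uppercase letter: the full space minus the strings
    that have no uppercase letter at all."""
    full = (LOWER + UPPER + extra) ** length
    no_upper = (LOWER + extra) ** length
    return full - no_upper


def keyspace_first_letter_capital(length: int) -> int:
    """The workaround Aessoroz and Marchocias predict: a capital in position
    one and lowercase everywhere else."""
    return UPPER * LOWER ** (length - 1)


def fraction_removed_by_rule(length: int) -> Fraction:
    """Share of the mixed-case space that the rule forbids (the all-lowercase
    strings).  For length 8 this is 26^8 / 52^8 = 1/256."""
    return Fraction(LOWER ** length, (LOWER + UPPER) ** length)


def time_ratio(length: int, alphabet_size: int) -> Fraction:
    """How many times longer an exhaustive search over `alphabet_size`
    characters takes than over lowercase only, at the same length."""
    return Fraction(alphabet_size ** length, LOWER ** length)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to reach a uniformly chosen password: half the space."""
    return space / (2 * guesses_per_second)


if __name__ == "__main__":
    n = 8
    rate = 1_000_000  # assumed guesses per second, for scale only
    print("lowercase only       :", keyspace(n, LOWER))
    print("first letter capital :", keyspace_first_letter_capital(n))
    print("mixed, >=1 uppercase :", keyspace_at_least_one_upper(n))
    print("share removed by rule:", fraction_removed_by_rule(n))
    print("mixed vs lowercase   :", time_ratio(n, LOWER + UPPER), "x longer")
    print("mixed+digits vs lower:", time_ratio(n, LOWER + UPPER + DIGITS), "x longer")
    print("days, lowercase only :", expected_seconds(keyspace(n, LOWER), rate) / 86400)
```

Two things fall out of the numbers. The rule removes exactly the all-lowercase strings, which for eight characters is 1/256 of the mixed-case space, so for someone who already mixes case the search barely shrinks. But `keyspace_first_letter_capital(8)` equals `keyspace(8, 26)`: a user who only capitalises the first letter has a password drawn from a space the same size as all-lowercase, which is the "back where we started" point made earlier in the thread.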
|
Alotta Baggage
Amarr Imperial Manufactorum Armada Assail
|
Posted - 2011.03.12 01:08:00 -
[33]
My password is 27 characters with capitals, numbers, and "special" characters.
Originally by: Valkoinen Heteromies
I for one would love to be able to walk on stations and fly spaceships in the body of a little cute catgirl!
|
Ban Doga
|
Posted - 2011.03.12 01:18:00 -
[34]
Originally by: Lothris Andastar Actually, CCP Adida, it Weakens account security.
A Password that can POSSIBLY have an all lower case password is harder to crack than a Password where one letter is CERTAINLY a Capital Letter. By forcing at least 1 capital letter, you eliminate the billions of potential all lower case passwords, meaning less word for any attacker to try and find the password.
Add to the fact that a grand total of zero accounts are compromised by brute force attacks (they are comprimised via keyloggers because naughty people buy isk), this has zero impact on account security and just annoys people.
You only need 100 words to contradict yourself. That's what I call true skill...
|
Infinity Ziona
Minmatar Cloakers
|
Posted - 2011.03.12 01:29:00 -
[35]
Originally by: Fondon
Originally by: Matalino No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.
Time needed to crack a password:
8 characters, just lower case: 4 days. 8 characters mixing lower and capital letters: 4 years. Add some numbers and you'll need more than 100 years.
Brute forcing is not necessarily attempting every permutation. It's more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.
Linkage
Notice that on those 3 sites, around 800 people were using "password" as passwords.... people are lazy; they'll usually use easy-to-guess common words.
If you want to steal non specific accounts you don't want to steal the hardest to guess accounts, you want to steal the easy to guess accounts.
Basically all CCP's enforcing of capital letters will do is make the difficult to guess passwords difficult to guess (no change) and the easy to guess passwords (password) will become easy to guess (Password). No changes.
--------------------------------------------- I AM BETTER THAN YOU.
Ban Doga
|
Posted - 2011.03.12 01:34:00 -
[36]
Originally by: Infinity Ziona Brute forcing is not necessarily attempting every permutation. Its more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.
You might want to read http://en.wikipedia.org/wiki/Brute-force_attack and http://en.wikipedia.org/wiki/Dictionary_attack
|
Alotta Baggage
Amarr Imperial Manufactorum Armada Assail
|
Posted - 2011.03.12 02:11:00 -
[37]
Originally by: Infinity Ziona
Originally by: Fondon
Originally by: Matalino No it doesn't! Because now those who have all lower case passwords and do not want a capital letter in their passwords are forced to choose between changing to a mixed case password or keeping their existing password. You have introduced strong incentive for many users to keep their current passwords indefinitely. This change is just an example of security theatre, it LOOKS like you are doing something to improve account security, when in fact you are just screwing around making changes that have no real effect other than annoying your users.
Time needed to crack a password:
8 characters, just lower case: 4 days. 8 characters mixing lower and capital letters: 4 years. Add some numbers and you'll need more than 100 years.
Brute forcing is not necessarily attempting every permutation. Its more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.
Linkage
Notice of those 3 sites, that around 800 people were using "password" as passwords.... people are lazy, they'll use easy to guess common words usually.
If you want to steal non specific accounts you don't want to steal the hardest to guess accounts, you want to steal the easy to guess accounts.
Basically all CCP's enforcing of capital letters will do is make the difficult to guess passwords difficult to guess (no change) and the easy to guess passwords (password) will become easy to guess (Password). No changes.
Unless they throw 'passwoRd' at you
Originally by: Valkoinen Heteromies
I for one would love to be able to walk on stations and fly spaceships in the body of a little cute catgirl!
|
Infinity Ziona
Minmatar Cloakers
|
Posted - 2011.03.12 02:23:00 -
[38]
Originally by: Ban Doga
Originally by: Infinity Ziona Brute forcing is not necessarily attempting every permutation. Its more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.
You might want to read http://en.wikipedia.org/wiki/Brute-force_attack and http://en.wikipedia.org/wiki/Dictionary_attack
In practice not a bit of difference. Spamming a server with lists or random characters has the exact same effect.
--------------------------------------------- I AM BETTER THAN YOU. |
Ban Doga
|
Posted - 2011.03.12 02:32:00 -
[39]
Edited by: Ban Doga on 12/03/2011 02:34:02
Originally by: Infinity Ziona
Originally by: Ban Doga
Originally by: Infinity Ziona Brute forcing is not necessarily attempting every permutation. Its more common to use lists you can subscribe to or hack into and then use those lists to run through an account, changing case, appending digits.
You might want to read http://en.wikipedia.org/wiki/Brute-force_attack and http://en.wikipedia.org/wiki/Dictionary_attack
In practice not a bit of difference. Spamming a server with lists or random characters has the exact same effect.
Except that "brute force" is exactly trying every possible combination. So if you don't try every possible combination and rather follow lists, that's - by definition - not using brute force.
That's like saying something is blue except that it's not blue.
|
Max Romeo
|
Posted - 2011.03.12 03:08:00 -
[40]
If you've ever bruted casual players/forums hashes, you generally know that you're going to try the simple strats before you go onto anything complex. Usually starting with doing a pass of 'numerals only' over the searchspace length of the locale(if you know)'s cellphone number length. This should pick up the tards that use dates/landline/mobile numbers.(12% of the compsci students at a uni I have worked with used full numerals... heh :/) Then you go for a list of common keyboard patterns followed by the traditional bulk wordlists + special permutations of each (concatenations, all caps, no caps, l33t etc). You'll seldom bother with crawling caps and stuff as the hit rate is pretty low. Finally you eliminate as much from the search-space as possible (and add in any rules, i.e. 1+ caps) to come up with your optimal search-space and go brute it. Once you're here you'll most likely have hit 60-70% of your hashes in a matter of maybe 5-6 hours.
This however is not to say that bruting massive hash lists, but rather to show that you should not think of security policies as 'my account is strong' but rather of the whole population of accounts and how non-exact definitions(based on arb statistics) can lead to very large scale successes. Since eve passwords have for a long time(and may still) exclude a number of ascii characters already(unless the owners don't like to be able to log into the site?) you can exclude those pretty safely, adding in that you now have to have 1+ capital characters you can also exclude things like 'only numbers'. Since we're working with a slowish network resource and we want minimal abuse you can increase the bias of right handed starting/ending capitalized words, since the largest part of the population will most likely follow that slight trend. You'd be surprised how many places force 'two numbers' as a requirement, 55% of the time those are either going to be the first or last two characters, about 10% they'll be between two dictionary words and it increases the number of tards that use all numerals, which is effectively the smallest standard search space ;/
In short: if you're designing an authentication system give as few clues away as possible and rather do periodic strength testing (i.e. not abusable, instantly statistically rewarding) against good word lists and simple bruting methods. While people can cry that staff might then see the plaintext, staff could always just take the hash home with them... it's a moot point in my book and imposing a "no terrible passwords" policy is more than acceptable since it reduces support time. Even better is offering accounts that get repetitively hit an option to change username to avoid it, as well as lockout policies, after all it is their account.
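Max Romeo's closing advice above (a "no terrible passwords" policy plus lockout policies), together with Infinity Ziona's and Alotta Baggage's "password" / "Password" / "passwoRd" exchange and Barakkus's earlier mention of the NIST three-of-four character-class guideline, describes what an account system should check on the defending side. The following is an added example written for this thread, not CCP's code and not the code of anyone posting here. `COMMON_PASSWORDS` is a tiny constructed stand-in for a real breached-password list, and the lockout thresholds are assumed values.

```python
"""A 'no terrible passwords' acceptance check plus an online lockout policy.

Added example for the thread; not CCP's code.  COMMON_PASSWORDS is a
constructed sample, and the throttle thresholds are assumed values.
"""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List

# Constructed sample; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "eveonline", "iloveyou"}

# Undo the usual substitutions so 'P@ssw0rd' is compared as 'password'.
DELEET = str.maketrans("@$013457", "asoleast")


def normalise(password: str) -> str:
    """Lowercase, drop trailing digits/symbols, undo leet substitutions, so
    that 'Password1!', 'passwoRd' and 'P@ssw0rd' all compare as 'password'."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # 'password1!' -> 'password'
    return s.translate(DELEET)       # 'p@ssw0rd'   -> 'password'


def character_classes(password: str) -> int:
    """Count of the four classes present: lower, upper, digit, other."""
    return sum(bool(re.search(p, password))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def password_problems(password: str, min_length: int = 8,
                      min_classes: int = 3) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    The blocklist check runs on the normalised form, so a capital letter or
    a trailing digit bolted onto a common word does not get it through.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} of 4 character classes")
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("a variant of a commonly used password")
    return problems


class LoginThrottle:
    """Locks an account after `max_failures` failed logins inside `window`
    seconds.  Timestamps are passed in so the behaviour is deterministic."""

    def __init__(self, max_failures: int = 5, window: float = 900.0) -> None:
        self.max_failures = max_failures
        self.window = window
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def record_failure(self, account: str, now: float) -> None:
        self.failures[account].append(now)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

    def is_locked(self, account: str, now: float) -> bool:
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()         # forget failures older than the window
        return len(recent) >= self.max_failures


if __name__ == "__main__":
    for candidate in ("Password1!", "passwoRd", "P@ssw0rd", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {password_problems(candidate) or 'accepted'}")
    throttle = LoginThrottle(max_failures=3, window=60)
    for t in (100, 101, 102):
        throttle.record_failure("pilot", t)
    print("locked at t=103:", throttle.is_locked("pilot", 103))
    print("locked at t=200:", throttle.is_locked("pilot", 200))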
|
Barakkus
|
Posted - 2011.03.12 03:16:00 -
[41]
Originally by: Max Romeo If you've ever bruted casual players/forums hashes, you generally know that you're going to try the simple strats before you go onto anything complex. Usually starting with doing a pass of 'numerals only' over the searchspace length of the locale(if you know)'s cellphone number length. This should pick up the tards that use dates/landline/mobile numbers.(12% of the compsci students at a uni I have worked with used full numerals... heh :/) Then you go for a list of common keyboard patterns followed by the traditional bulk wordlists + special permutations of each (concatenations, all caps, no caps, l33t etc). You'll seldom bother with crawling caps and stuff as the hit rate is pretty low. Finally you eliminate as much from the search-space as possible (and add in any rules, i.e 1+ caps) to come up with your optimal search-space and go brute it. Once you're here you'll most likely have hit 60-70% of your hashes in a matter of maybe 5-6 hours.
This however is not to say that bruting massive hash lists, but rather to show that you should not think of security policies as 'my account is strong' but rather of the whole population of accounts and how non-exact definitions(based on arb statistics) can lead to very large scale successes. Since eve passwords have for a long time(and may still) exclude a number of ascii characters already(unless the owners dont like to be able to log into the site?) you can exclude those pretty safely, adding in that you now have to have 1+ capital characters you can also exclude things like 'only numbers'. Since we're working with a slowish network resource and we want minimal abuse you can increase the bias of right handed starting/ending capitalized words, since the largest part of the population will most likely follow that slight trend. You'd be surprised how many places force 'two numbers' as a requirement, 55% of the time those are either going to be the first or last two characters, about 10% they'll be between two dictionary words and it increases the number of tards that use all numerals, which is effectively the smallest standard search space ;/
In short : if you're designing an authentication system give as few clues away as possible and rather do periodic strength testing (i.e not abusable instantly statistically rewarding) against good word lists and simple bruting methods. While people can cry that staff might then see the plaintext, staff could always just take the hash home with them... it's a moot point in my book and imposing a "no terrible passwords" policy is more than acceptable since it reduces support time. Even better is offering accounts that get repetitively hit an option to change username to avoid it, as well as lockout policies, after all it is their account.
Fortunately the attackers in this case won't have password hashes to attempt to compare. None of that really matters when you can't actually get at the hashes to begin with. When you have to manually attempt to log in with tons of combinations regardless if they tell you you have to have at minimum (minimum being the operative word) it will not aid the attacker one iota in the case of EVE Online. It may be useful information in other circumstances, but not in this case. - - [SERVICE] Corp Standings For POS anchoring
|
Kazuo Ishiguro
House of Marbles
|
Posted - 2011.03.12 11:24:00 -
[42]
Originally by: Infinity Ziona
Originally by: Barakkus I'm not suggesting that, I'm suggesting that the requirement of at least 1 uppercase character does not reduce the number of combinations that can be used for a brute force attack.
This is so wrong its ridiculous and can only be a troll.
Requiring a single capital letter reduces possible permutations because it eliminates every permutation that consists of only lowercase and every permutation that consists of lowercase and numeric characters.
I think the point Barakkus is trying to make here is that without the requirement, the majority of people would stick to lowercase and numeric characters only. For these people, requiring 1 character to be uppercase increases the number of choices for that character, making their password significantly stronger.
If I'm required to set a password for a relatively unimportant system, I default to the shortest, simplest one that the system will allow. I expect a lot of other people do the same, through sheer password fatigue.
--- 34.4:1 mineral compression
The Old Chap
|
Posted - 2011.03.12 11:51:00 -
[43]
Originally by: Alotta Baggage My password is 27 characters with capitals, numbers, and "special" characters
ThAtS a LoT oF bAgGaGe.