Dear CCP, get rid of your cache of old passwords.

Don Knots
Bacon Diplomacy Project
#61 - 2012-04-30 03:46:00 UTC
You mean people are still using passwords that they have to remember?

One Winning Word: KeePass.

FTW.
leviticus ander
The Scope
Gallente Federation
#62 - 2012-04-30 03:52:23 UTC
Don Knots wrote:
You mean people are still using passwords that they have to remember?

One Winning Word: KeePass.

FTW.

No matter how good their repute is, I would never use a program like that.
Ayame Tao
#63 - 2012-05-01 09:19:47 UTC
leviticus ander wrote:
Don Knots wrote:
You mean people are still using passwords that they have to remember?

One Winning Word: KeePass.

FTW.

No matter how good their repute is, I would never use a program like that.


*boggle*

What? Why?

Well, okay, I suppose it is your prerogative, but honestly, free security programs like KeePass are the saving grace for the extremely insecure constraints of usernames and passwords.

You could use a passphrase like Correct Horse Battery Staple as xkcd points out, or use Caha's method (which is similar to what I used before KeePass), but with modern methods, anything based on dictionary words (in any language) or without enough bits (128+) is going to take a dedicated attacker less time to break than it takes to train a level 4 skill.

Passwords are like suicide ganking. It's only a matter of how much resources the attacker has to throw at it to kill you.

Using a dictionary word with some leetspeak added to it is the equivalent of taking a totally untanked Hulk with a shipname of 'Hulkageddonists Are W*nkers' and going AFK in the Perimeter asteroid belts.

Using a generated strong password in KeePass is more like using a fully tanked mining Rokh - they can still get you eventually, but it's so much harder that hopefully they won't bother.
Sarina Berghil
New Zion Judge Advocate
#64 - 2012-05-01 11:59:24 UTC
When people use unsafe password practices they have a reason for doing so, most often because the safe practices are too inconvenient.

Creating arbitrary limitations only forces those people into using even more unsafe practices, as Vaerah Vahrokha's story illustrates.

How many of us can remember 20 safe passwords?
Wodensun
Caldari Provisions
Caldari State
#65 - 2012-05-01 15:52:10 UTC
Rainbow tables.

Cloud computing.

You know you can just rent a stack of servers, right, and run your malicious stuff on that... kinda like Amazon does....

Do not give me likes, them 101 likes aren't an accident...

Alain Kinsella
#66 - 2012-05-01 19:29:33 UTC  |  Edited by: Alain Kinsella
Sarina Berghil wrote:
When people use unsafe password practices they have a reason for doing so, most often because the safe practices are too inconvenient.

Creating arbitrary limitations only forces those people into using even more unsafe practices, as Vaerah Vahrokha's story illustrates.

How many of us can remember 20 safe passwords?


Yeah, that story was nuts. At that point you may as well implement an OTP strategy (like SecurID) and be done with it. [For the record, I've had two SIDs at one point - the second one to access a client's network so I could update our monitoring software. While it got tedious at times, I understood the reasons and lived with it.]

Remembering new passwords can be a pain, yes, but you just need to be a bit creative in generating new ones. I've been doing that since my first UNIX account in 1991. Annoying? You bet. But worth the peace of mind.

@ Caha Evano - thanks for that link, good to see his site is still alive and kicking.

@ CCP Sreegs - If you're contemplating OTP apps, please do not forget those of us still on Blackberries. Thanks. (This is fine for a game, but I do prefer having physical tokens for work.)

"The Meta Game does not stop at the game. Ever."

Currently Retired / Semi-Casual (pending changes to RL concerns).

leviticus ander
The Scope
Gallente Federation
#67 - 2012-05-02 00:13:28 UTC
Wodensun wrote:
Rainbow tables.

Cloud computing.

You know you can just rent a stack of servers, right, and run your malicious stuff on that... kinda like Amazon does....

I think you guys are basing this off of the old authentication methods. Rainbow tables are alright, but are pretty much hopeless for anything bigger than 7-8 characters.
This is a video I made for a class project.
Password Cracking for dummies
I did actually download the 400GB rainbow table; it's for 7 characters made of any legal password character. I also have an alphanumeric 8-character rainbow table.
As for manually cracking passwords, while it's reasonable, it's not as easy as you guys seem to be implying. To do an 80k-word hybrid dictionary attack, it would take my 4.8GHz quad core about 2-3 weeks to process. Also, all those words are single words, meaning that putting 2 words together won't be cracked. With Windows 7 at least, if you have a 12-14 character password with a good mix of types of characters, it'll be effectively unbreakable for the next few years. And by the time it is reasonably breakable, they will have probably made a better authentication system.
Cloud computing is usable, but it's about as bad as my computer since they are generally sitting at about 2-2.5GHz. If you are really up for cracking passwords, renting a botnet for computing is probably your best bet.
Shian Yang
#68 - 2012-05-02 00:39:49 UTC
leviticus ander wrote:
Wodensun wrote:
Rainbow tables.

Cloud computing.

You know you can just rent a stack of servers, right, and run your malicious stuff on that... kinda like Amazon does....

I think you guys are basing this off of the old authentication methods. Rainbow tables are alright, but are pretty much hopeless for anything bigger than 7-8 characters.
This is a video I made for a class project.
Password Cracking for dummies
I did actually download the 400GB rainbow table; it's for 7 characters made of any legal password character. I also have an alphanumeric 8-character rainbow table.
As for manually cracking passwords, while it's reasonable, it's not as easy as you guys seem to be implying. To do an 80k-word hybrid dictionary attack, it would take my 4.8GHz quad core about 2-3 weeks to process. Also, all those words are single words, meaning that putting 2 words together won't be cracked. With Windows 7 at least, if you have a 12-14 character password with a good mix of types of characters, it'll be effectively unbreakable for the next few years. And by the time it is reasonably breakable, they will have probably made a better authentication system.
Cloud computing is usable, but it's about as bad as my computer since they are generally sitting at about 2-2.5GHz. If you are really up for cracking passwords, renting a botnet for computing is probably your best bet.


Greetings capsuleer,

You may not be aware of this, but modern GPUs are more capable at this task than their CPU equivalents.

Regards,

Shian Yang
leviticus ander
The Scope
Gallente Federation
#69 - 2012-05-02 09:37:40 UTC
Shian Yang wrote:
Greetings capsuleer,

You may not be aware of this, but modern GPUs are more capable at this task than their CPU equivalents.

Regards,

Shian Yang

Maybe for the hybrid dictionary attack. But like I said, as long as you use 12-14 characters, you're pretty much safe for the moment thanks to the exponential increase in difficulty.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#70 - 2012-05-02 10:18:05 UTC
And rainbow tables become pretty much useless when you have a salted password.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

leviticus ander
The Scope
Gallente Federation
#71 - 2012-05-02 10:21:09 UTC
Steve Ronuken wrote:
And rainbow tables become pretty much useless when you have a salted password.

Pretty much everything becomes useless with modern salted passwords. Windows doesn't use it, so that still allows you to use rainbow tables on about 95%+ of the market share.
Ayame Tao
#72 - 2012-05-02 11:22:44 UTC
So why then is KeePass something you wouldn't use?

Considering it can generate passwords of mixed-case alphanumeric + special characters of 256+ bits (1000 bits if you want) and lets you have individual passwords for each site/game/account that are easily managed.

Using a composite master key mitigates the risk of compromise.

If somebody managed to compromise my machine to the level required where they could compromise my KeePass password and compromise my USB drive key, I've got bigger problems than password integrity.

Generated KeePass passwords of suitable length and complexity (herein is a bigger problem in the number of places you are restricted to 6 letters and no special characters etc) would take some serious brute forcing, beyond even retasked GPUs or application specific integrated circuits available to anyone who isn't a national level 3 letter agency.
Doctor Ungabungas
Doomheim
#73 - 2012-05-02 11:26:34 UTC
supersexysucker wrote:
CCP Sreegs wrote:
This will be reviewed when we institute the two factor option in the next couple of months.


Or you could just give us a ******* warning and let us do WHAT we want.


What you want makes extra work for CCP. Hiring extra GMs to deal with your hacked accounts costs them extra money.

If CCP are willing to charge you a $5 a month 'I'm a ****** who is more likely to be hacked' surcharge that goes towards hiring more GMs, I think it's a fantastic idea.
Ave Kathrina
My Ass Is On Fire
#74 - 2012-05-02 12:23:50 UTC
supersexysucker wrote:
I do not change my pw BECAUSE of CCPs dumb **** can't put in an old one... need a cap letter now, etc bullshit.

I WILL PICK MY OWN FUCKIN PASSWORD.

Be nice if someone would steal all CCPs stored old passwords rofl...

The mail they would need to send out would be LOL...

"Every password you ever used in eve online has been stolen, please make sure to change any accounts using any of these passwords, we enjoy fuckin you"


Also for the retart tinnin... why not ask CCP for an onscreen in game keyboard to enter log in info... I mean if we need to make PW's a *****... what about keyloggers PLEASE PROTECT ME FROM KEY LOGGERS CCP.

Sounds like a baby that needs someone to protect him... lul.


You know what hackers did when people thought on screen keyboards were secure? They just wrote a screen capture tool.
I've done some really stupid shit in this game.
Iamien
Deep Core Mining Inc.
Caldari State
#75 - 2012-07-10 17:02:02 UTC
Seriously, I want to use hunter2 again.
Micheal Dietrich
Kings Gambit Black
#76 - 2012-07-10 17:05:31 UTC
Seriously, again? Is this going to be your hobby for the day necro'ing threads that are about to be locked to time?

Out of Pod is getting In the Pod - Join in game channel **IG OOPE **

Jimmy Gunsmythe
Sebiestor Tribe
#77 - 2012-07-10 20:35:34 UTC
supersexysucker wrote:
CCP Sreegs wrote:
This will be reviewed when we institute the two factor option in the next couple of months.


Or you could just give us a ******* warning and let us do WHAT we want.


IB4 'Sandbox' comments?

I just hate having to capitalize letters. I understand it makes the password more secure but given that I make up words for passwords, I'm not too worried about getting hacked.

John Hancock