Why is login and character info stored in plain text?

Phice Anxu
Genetix Research Corporation
#21 - 2012-11-20 12:35:50 UTC  |  Edited by: Phice Anxu
CCP Stillman wrote:
The only login information that is stored is your username. We removed the functionality for the client to remember your password many years ago, because there's no safe way of doing it.

And yes, we cache character data on your drive, together with other semi-static data.


Removing this functionality motivates players to have an easy-to-guess password or to store them in a file if it is too complex to be remembered, so I seriously doubt that it is safer.

I use an encrypted file to store a « |°7?'eIxfP [+ 10 others]»-like password but I am sure that one day I will get rid of it as I am tired of launching the software and decrypting it each time I need to change character...
Scrapyard Bob
EVE University
Ivy League
#22 - 2012-11-20 13:25:44 UTC  |  Edited by: Scrapyard Bob
Wodensun wrote:
just clear the cache? ain't rocket science...


Clearing the cache won't do it. It gets stored in the core_user__.dat file under your settings. But I can't recall off-hand what happens if you delete that file (I think you mostly lose the screen resolution and display settings).

The bigger question in my mind is: When are we getting the long promised authenticators?
CCP Stillman
C C P
C C P Alliance
#23 - 2012-11-20 14:00:51 UTC
Phice Anxu wrote:
CCP Stillman wrote:
The only login information that is stored is your username. We removed the functionality for the client to remember your password many years ago, because there's no safe way of doing it.

And yes, we cache character data on your drive, together with other semi-static data.


Removing this functionality motivates players to have an easy-to-guess password or to store them in a file if it is too complex to be remembered, so I seriously doubt that it is safer.

I use an encrypted file to store a « |°7?'eIxfP [+ 10 others]»-like password but I am sure that one day I will get rid of it as I am tired of launching the software and decrypting it each time I need to change character...

While you are right that this may encourage people to lower their overall security by not following password best practices, it's not something I really think giving people the option to insecurely store their password on their local machine. And inherently, any method we'd implement for encrypting the password *would* be insecure. It's just not something that can be done safely.

Having only one factor of authentication is the inherent problem in this case. Rather than shift the insecurity from the user to the local machine, like storing a password would, we can improve the overall security by giving an option for two factors. I greatly prefer that option. And it's something we're still working on supporting.

Just a random dude in Team Security.

Terrorfrodo
Interbus Universal
#24 - 2012-11-20 14:03:47 UTC
Phice Anxu wrote:

Removing this functionality motivates players to have an easy-to-guess password

EVE enforces complex passwords. You also cannot change to a password you have had before.

People who are too senile to remember a reasonably complex password without writing it down will always be at increased risk. Nothing to be done about it.

.

CCP Stillman
C C P
C C P Alliance
#25 - 2012-11-20 14:07:27 UTC
Scrapyard Bob wrote:
Wodensun wrote:
just clear the cache? ain't rocket science...


The bigger question in my mind is: When are we getting the long promised authenticators?

We're still waiting for some backend changes to fall in place before we can make a move on this. While I'd love for it to be out already, 2-factor authentication relies inherently on our new authentication solution, which is being rolled out at the best speed we can. But there's a lot of different factors that play into that, such as regulatory requirements we need to ensure we follow.

Trust me, it's something I want to see in ASAP. I talked to several people about it as recently as just last week. It's coming, trust me :)

Just a random dude in Team Security.

Pinky Denmark
The Cursed Navy
#26 - 2012-11-20 14:23:58 UTC
I really like the current ways client handles things... Some of us rely heavily on certain "hints" to be stored so we can easily jolt our lacking memory filled with way more important stuff. I feel very secure with CCP and I'd be happy if security can be increased without having logins taking longer time or having to remember or do more to login.

Pinky
Ranger 1
Ranger Corp
Vae. Victis.
#27 - 2012-11-20 20:30:18 UTC  |  Edited by: Ranger 1
If you find yourself in danger of using a simple to remember and easy to crack password, just remember that phrases are much easier to remember and harder to crack than just about anything else.

thequickbrownfox (for example) is infinitely harder to crack than god2012.

By the way, if god2012 is your password, you should be shot. ;)

View the latest EVE Online developments and other game related news and gameplay by visiting Ranger 1 Presents: Virtual Realms.

Casirio
Aliastra
Gallente Federation
#28 - 2012-11-20 20:31:56 UTC
Danica Duan wrote:
SmilingVagrant wrote:
Mars Theran wrote:
Tippia wrote:
So encrypt your local folder?


Must have a means. Question: Will EVE be able to read it after? ..or will it just write another one?


Truecrypt.

True dat.


double true

hidden encrypted partition within a hidden encrypted partition FTW. inception sh!t
Sentient Blade
Crisis Atmosphere
Coalition of the Unfortunate
#29 - 2012-11-20 21:16:20 UTC
CCP Stillman wrote:
While you are right that this may encourage people to lower their overall security by not following password best practices, it's not something I really think giving people the option to insecurely store their password on their local machine.


Not relevant to this use case.

Any software capable of accessing and decoding a password encrypted using machine-specific encryption such as DPAPI is equally capable of recording keystrokes, filtered by such things as the foreground window class name.

Single initial login followed by caching a one-way machine + ip specific login token is preferable. But storing suitably encrypted reversible passwords is no more insecure than your friendly local web browser storing your password anyway to log into EVE Gate.
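
The login-token idea from the post above, sketched server-side as an added example; it is not part of the original thread and not CCP's code. `TokenStore`, the machine identifier and the sample addresses are hypothetical; the server keeps only a keyed digest binding a random token to machine and IP, so the cached file never contains anything derived from the password.

```python
import hashlib
import hmac
import secrets
import time


class TokenStore:
    """Hypothetical server-side store for machine + IP bound login tokens."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self._records = {}  # username -> (binding digest, expiry timestamp)
        self._ttl = ttl_seconds

    @staticmethod
    def _bind(token, machine_id, ip):
        # Keyed digest over the binding; the token itself is the key, so the
        # stored digest cannot be replayed as a token or reversed into one.
        msg = f"{machine_id}\x00{ip}".encode()
        return hmac.new(token, msg, hashlib.sha256).digest()

    def issue(self, username, machine_id, ip, now=None):
        """Call only after a successful password login; returns the token
        the client caches in place of the password."""
        now = time.time() if now is None else now
        token = secrets.token_bytes(32)  # random, unrelated to the password
        self._records[username] = (self._bind(token, machine_id, ip),
                                   now + self._ttl)
        return token

    def verify(self, username, token, machine_id, ip, now=None):
        now = time.time() if now is None else now
        record = self._records.get(username)
        if record is None:
            return False
        digest, expiry = record
        if now >= expiry:
            del self._records[username]  # expired: force a password login
            return False
        candidate = self._bind(token, machine_id, ip)
        return hmac.compare_digest(digest, candidate)  # constant-time compare

    def revoke(self, username):
        """Invalidate the cached token, e.g. on password change."""
        self._records.pop(username, None)


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    # Constructed sample values (documentation address range).
    tok = store.issue("pilot", "machine-A", "203.0.113.10")
    print(store.verify("pilot", tok, "machine-A", "203.0.113.10"))  # same host
    print(store.verify("pilot", tok, "machine-B", "203.0.113.10"))  # copied file
```

A token copied to another machine or used from another address fails verification, and revoking it costs the user one password login rather than a password change.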
Lady Spank
Get Out Nasty Face
#30 - 2012-11-20 21:29:07 UTC
I just use my username as my password.

(ಠ_ృ) ~ It Takes a Million Years to Become Diamonds So Lets Just Burn Like Coal Until the Sky's Black ~ (ಠ_ృ)

SmilingVagrant
Doomheim
#31 - 2012-11-20 22:24:21 UTC
Lady Spank wrote:
I just use my username as my password.


Username, backwards.

So clever...
Unsuccessful At Everything
The Troll Bridge
#32 - 2012-11-20 22:36:20 UTC
It must be a slow day for complaining for this to be an issue. Go outside and see the sun instead of sifting through your evefiles in text format, open a window and let the stank out, and maybe spend the time to Febreze the place too after vacuuming.

Since the cessation of their usefulness is imminent, may I appropriate your belongings?

Gerald Taric
NEO DYNAMICS
#33 - 2012-11-20 22:46:10 UTC  |  Edited by: Gerald Taric
If you are concerned about your data stored on your computer, then I suggest using TrueCrypt for your computer and do a full system encryption - if you are the only one, who uses it.

After that, no one will be able to decrypt your drive nowadays ...
* without the knowledge of your TrueCrypt password
* without interface access to your up and running system (Hint for the advanced user: memory dump for key extraction)

Well, finally some virus on the local machine could read out your data, .. but if there's a virus on your computer, it can do anything, even read your typings on the keyboard.

Be careful:
* never ever forget your TrueCrypt password. There is absolutely no recovery or backdoor to it.
* keep operating system boot data healthy, because repairing a non-bootable encrypted system gets more elaborate than repairing a non-encrypted one. Even the built-in recovery console won't work anymore!
iskflakes
#34 - 2012-11-20 23:09:09 UTC
Terrorfrodo wrote:
Phice Anxu wrote:

Removing this functionality motivates players to have an easy-to-guess password

EVE enforces complex passwords. You also cannot change to a password you have had before.


I seriously hope this isn't true...

-

Spurty
#35 - 2012-11-21 00:13:16 UTC
You 'share' your windows machine with people you don't trust?

Think the problem is way bigger than you understand.

There are good ships,

And wood ships,

And ships that sail the sea

But the best ships are Spaceships

Built by CCP

March rabbit
Aliastra
Gallente Federation
#36 - 2012-11-21 09:03:48 UTC
Ranger 1 wrote:
If you find yourself in danger of using a simple to remember and easy to crack password, just remember that phrases are much easier to remember and harder to crack than just about anything else.

thequickbrownfox (for example) is infinitely harder to crack than god2012.

By the way, if god2012 is your password, you should be shot. ;)

This will only work for English-native people. Or for those who use Latin letters in their language.

Russian people have a really bad time with these "smart" ideas because not many programs accept Russian letters in password. And creating "simple to remember" long phrases in English is not an easy task. So these requirements lead mostly to passwords based on keyboard layout Lol

The Mittani: "the inappropriate drunked joke"

Luke Visteen
#37 - 2012-11-21 15:23:43 UTC
Thanks for this post OP. I've cleaned up some stuff in the Settings folder :D

.
