Player Features and Ideas Discussion

Dear CCP, get rid of your cache of old passwords.

Degren
The Scope
Gallente Federation
#21 - 2012-04-27 03:22:44 UTC
Barakach wrote:
MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops-up.


Quote:
clicking "yes" on everything


Quote:
"yes"


WHY CAN'T I CLICK THIS YES?!

Hello, hello again.

Voith
Republic Military School
Minmatar Republic
#22 - 2012-04-27 03:38:58 UTC
Barakach wrote:
Voith wrote:
Tinnin Sylph wrote:
Dear CCP

Please remove the security feature you put in place to ensure I don't do something to compromise my account.

Many Thanks

Some Dumb Pubbie

Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature.


MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops-up.

Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user.

Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16-byte crypto-strength random value. Maybe I should use a 32-byte salt?... hmmm... So much CPU power these days.

You're wrong.

Trion, Blizzard, Cryptic and Sony have all had their Core DBs hacked.

Not the client infected with a Trojan, but their databases have been hacked and dumped.
Scrapyard Bob
EVE University
Ivy League
#23 - 2012-04-27 04:49:03 UTC
Zed Jackelope wrote:

So do us a favor and get rid of your weird desire to save our passwords after we are no longer using them.. AFAIC, that's a security risk.


If they store them with unique salts and in hashed form, it's not any more of a security risk than storing the current password.
Ai Shun
#24 - 2012-04-27 05:06:12 UTC
Barakach wrote:
Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user.


Agreed, up to the user. If the user agrees to not claim reimbursement should their re-used password be used without their authorisation.
Hannott Thanos
Squadron 15
#25 - 2012-04-27 08:06:13 UTC
l2F¤siQa = bad password (because you have to write it down, and it's too few characters)
MyHorseIsActuallyAPony = retardedly good password (Long and makes no sense, so not in a dictionary, and you already remembered it for at least a few days just by reading it now)

Changing passwords often = bad (because you make short ones to remember them, and after a while you start writing them down)

while (CurrentSelectedTarget.Status == ShipStatus.Alive) {
    _myShip.FireAllGuns(CurrentSelectedTarget);
}

Akirei Scytale
Okami Syndicate
#26 - 2012-04-27 08:08:01 UTC
Zed Jackelope wrote:
It would be nice to re-use old passwords


That's a bigger security risk. Roll
supersexysucker
Uber Awesome Fantastico Awesomeness Group
#27 - 2012-04-27 08:08:55 UTC
Really you KNOW ccp is salting the pws and all?

Cause I seem to remember sony you know a HUGE co... had the pws in PLAIN TEXT lol
Hannott Thanos
Squadron 15
#28 - 2012-04-27 08:15:14 UTC
To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that

while (CurrentSelectedTarget.Status == ShipStatus.Alive) {
    _myShip.FireAllGuns(CurrentSelectedTarget);
}

Akirei Scytale
Okami Syndicate
#29 - 2012-04-27 08:16:02 UTC  |  Edited by: Akirei Scytale
Hannott Thanos wrote:
To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that


Or one human being who knows your sense of humour decently with a couple hours to burn.

The ideal is a lot more nonsensical than "MyHorseIsActuallyAPony"
Jafit
Caldari Provisions
Caldari State
#30 - 2012-04-27 08:18:03 UTC  |  Edited by: Jafit
Hannott Thanos wrote:
To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that


How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password?

I'm not saying that's my password...

...I'm saying that's my password.
Hannott Thanos
Squadron 15
#31 - 2012-04-27 08:23:57 UTC
Jafit wrote:
Hannott Thanos wrote:
To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that


How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password?

I'm not saying that's my password...

...I'm saying that's my password.


4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right?

while (CurrentSelectedTarget.Status == ShipStatus.Alive) {
    _myShip.FireAllGuns(CurrentSelectedTarget);
}

Zora'e
#32 - 2012-04-27 08:29:08 UTC
While it IS a minor inconvenience at times to have to change passwords, and make sure it isn't an older one you have used before I find it rather refreshing that they won't allow you to use a password you've used before. Of course, over 4 accounts keeping track of your passwords can be a minor pita but it's a small price to pay for the added security it brings to my account overall.

I am FOR not allowing you to use a password you used before. But then, I am also an extremely security conscious person as well.

~Z

I won't say you are stupid, but you're not exactly on the Zombie menu either.

Francisco Bizzaro
#33 - 2012-04-27 09:19:34 UTC
Hannott Thanos wrote:
Jafit wrote:
Hannott Thanos wrote:
To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that


How about MyLittlePonyFriendshipIsMagicApplejackPinkiepieRarityFluttershyRainbowdashTwilightsparkle as a password?

I'm not saying that's my password...

...I'm saying that's my password.


4.800.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.0000.000.000.000.000 years-ish. Should be doable, right?

No, you just have to apply a little AI.

Just look at him: square jaw, crew cut, air force shades, Test.

I would have guessed it on the third try.
Akirei Scytale
Okami Syndicate
#34 - 2012-04-27 09:23:12 UTC
Humans don't think like machines.

You have to beat both. If your long password is easy to remember, it's easy for a human being who knows you to figure out through deduction and a few days of trial and error (if they care).

It's gotta be long, avoid any consistent capitalization scheme, have intentional typos, and be a completely nonsensical grouping of words, to be a truly strong password.
Entity
X-Factor Industries
Synthetic Existence
#35 - 2012-04-27 09:46:28 UTC
Barakach wrote:
Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16-byte crypto-strength random value. Maybe I should use a 32-byte salt?... hmmm... So much CPU power these days.


Tsk, just one round of SHA512?

╦......║...╔╗.║.║.╔╗.╦║.╔╗╔╦╗╔╗

║.╔╗╔╗╔╣.╔╗╠..╠ ╠╗╠╝.║╠ ╠╝║║║╚╗

╩═╚╝║.╚╝.╚╝║..╚╝║║╚╝.╩╚╝╚╝║.║╚╝

Got Item?

leviticus ander
The Scope
Gallente Federation
#36 - 2012-04-27 09:50:42 UTC
Barakach wrote:
Voith wrote:
Tinnin Sylph wrote:
Dear CCP

Please remove the security feature you put in place to ensure I don't do something to compromise my account.

Many Thanks

Some Dumb Pubbie

Given the rate at which MMOs are being hacked I wouldn't call them storing anything a security feature.


MMOs aren't being hacked, computers are getting infected from people clicking "yes" on everything that pops-up.

Storing an old hash isn't really a security issue, but I don't agree with forcing the end user to not use an old password. That should be up to the user.

Personally, I like to use SHA512(Password+Salt), where password is the byte array of the password string and the salt is a 16-byte crypto-strength random value. Maybe I should use a 32-byte salt?... hmmm... So much CPU power these days.

32 BYTE salt? or 32 bit salt? 32 bytes would probably choke a lot of computers out there, and would cause the authentication server to hang itself. 32 bit, while decent is a little weaker than I'd expect for anything decently modern, I would probably go with 56 or 64 bit, light enough for mass authentication, but strong enough to seriously deter most malicious users.
and yeah, people clicking through warning boxes and generally being totally ignorant of the basic function of a computer is what's causing most issues today.
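Barakach's SHA512(Password+Salt) scheme, Entity's "just one round?" objection and the question earlier in the thread of whether keeping old hashes is a risk, worked through as an added example (this is not CCP's code or anything posted in the thread): every stored password, current or retired, gets its own 16-byte random salt and a deliberately slow PBKDF2-HMAC-SHA512 instead of a single SHA-512 pass, so a dumped history holds no plaintext and re-use can still be rejected. The iteration count and history length are assumed values, not CCP's.

```python
import hashlib
import hmac
import os

# Added example, not code from CCP or from anyone in the thread. A password
# history keeps only (salt, slow hash) pairs for old passwords; a re-used
# password is detected by re-hashing the candidate under each stored salt.

SALT_BYTES = 16           # per-password random salt, as Barakach describes
PBKDF2_ROUNDS = 100_000   # assumed; many rounds because one SHA-512 pass is far too fast


def single_round_sha512(password: str, salt: bytes) -> bytes:
    """Barakach's scheme: SHA512(password || salt), one round. Correctly salted,
    but cheap enough that a dumped database can be guessed at GPU speed."""
    return hashlib.sha512(password.encode() + salt).digest()


def slow_hash(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Same inputs, but PBKDF2-HMAC-SHA512 makes each guess cost `rounds` hashes."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)


def new_record(password: str) -> dict:
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": slow_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    # Constant-time comparison so hash mismatches leak nothing via timing.
    return hmac.compare_digest(slow_hash(password, record["salt"]), record["hash"])


class Account:
    """Current record plus the last `history_size` retired records (hash + salt only)."""

    def __init__(self, password: str, history_size: int = 5):
        self.history_size = history_size
        self.current = new_record(password)
        self.old: list[dict] = []

    def change_password(self, new_password: str) -> bool:
        # Reject a candidate matching the current password or any remembered old one.
        if any(verify(new_password, r) for r in [self.current] + self.old):
            return False
        self.old = ([self.current] + self.old)[: self.history_size]
        self.current = new_record(new_password)
        return True
```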
coolzero
Garoun Investment Bank
Gallente Federation
#37 - 2012-04-27 10:32:10 UTC
when do we get the authenticator $!$#!

have it for WoW
have it for SWTOR

now i want it for EVE please

(using an android authenticator app for that btw.)
Vaerah Vahrokha
Vahrokh Consulting
#38 - 2012-04-27 10:54:57 UTC
When I worked for a para-military company, we quickly learned that reusing passwords was good only in the programmers' heads.

People would do the IMPOSSIBLE to circumvent it.

1) In the beginning they would just add a "1" after the password.
2) Requiring certain characters, they just added their birth year at the end of the password.
3) Requiring a minimum length, they just copy pasted their own name twice.
4) Reusing the passwords, they just added incremental numbers or a combo of the above or the month of the changed password.


When we made filters to screw them up on the above, they started writing the passwords on Post It attached to their monitors.

When we involved their bosses to force them to stop doing that, all went suddenly quiet for 2-3 months.


We could not believe we had won against the End Users.
We could not be farther from the truth, in fact.

A parent company team of inspectors came for a routine control and guess what they found?

The end users ALL opened the same Excel sheet one of them originally created. That Excel sheet had the full user names and passwords of the 1200 employees, all in clear of course.


So, instead of better security, we achieved a huge piece of sh!t.


Heads fell, reprimands were made, everything settled down.


2 more months of utter silence and guess what, one morning I randomly passed close to an End User and my eyes and my testicles fell to the floor together.

They - the End Users - somehow created an MS Access forms "application" including the passwords (in clear of course!!!) of every employee, for multiple applications AND with a search engine to make it easier to find and copy / paste them!


The fight against the End Users is something beyond programmers' logic.
Scrapyard Bob
EVE University
Ivy League
#39 - 2012-04-27 12:09:47 UTC
Hannott Thanos wrote:
To emphasize. "MyHorseIsActuallyAPony" takes 9.1804 × 10^41 years to solve with a dictionary attack. That's over 900.000.000.000.000.000.000.000.000.000.000.000.000.000 years. Good luck with that


Using whole words, especially common ones means they can use a reduced dictionary of about 15,000 words and just try different combinations. Most english speakers know and use about 10k-15k common words, the full list of english words is generally around 300-350k words. Capitalizing or not capitalizing the first letter in each word gains you about 1 bit of complexity. So putting together 6 words could be a search space as small as:

15,000 ^ 6 = 11,390,625,000,000,000,000,000,000

If you add in some uncommon words, you can increase the search space to around 300,000 per word.

300,000 ^ 6 = 7.29e+32

Just because your password is N characters long, doesn't mean that it automatically has 90^N complexity. Not unless each position uses a randomly chosen character from the list of about 80 easily typed characters. (A-Z, a-z, 0-9 is 62 characters, plus another 28 symbols which are on most keyboards.)

And if someone knows the common patterns like "word number word" or "word symbol word", then they can reduce the search space dramatically.
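Scrapyard Bob's estimate above, and the "9.1804 × 10^41 years" figure it answers, carried through as an added example (not code from anyone in the thread): the 15,000-word and 300,000-word dictionaries, the roughly 90-character alphabet and the "about 1 bit per word for capitalisation" figure are his; the guess rate used to turn a search space into years is an assumption. "MyHorseIsActuallyAPony" is 22 characters but only 6 words, which is the whole difference between the two estimates.

```python
import math
import re

# Added example, not from the thread. Search-space arithmetic for a passphrase
# made of dictionary words versus the naive "every character is random" count.
# Dictionary sizes, alphabet size and the 1-bit capitalisation figure are the
# ones in Scrapyard Bob's post; the guess rate is an assumed round number.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def word_space(words: int, dictionary: int = 15_000, cap_bit: bool = False) -> int:
    """Search space for `words` dictionary words; optionally one extra bit per
    word for whether its first letter is capitalised."""
    return dictionary ** words * (2 ** words if cap_bit else 1)


def char_space(length: int, alphabet: int = 90) -> int:
    """Naive alphabet^N space, valid only if every position is a random character."""
    return alphabet ** length


def bits(space: int) -> float:
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate once at a fixed offline guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def camel_words(passphrase: str) -> list[str]:
    """Split a CamelCase passphrase into its words, e.g. My/Horse/Is/Actually/A/Pony."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+", passphrase)


def compare(passphrase: str, guesses_per_second: float = 1e10) -> dict:
    """Naive per-character estimate next to the word-based one for one passphrase."""
    words = camel_words(passphrase)
    naive = char_space(len(passphrase))
    by_words = word_space(len(words), cap_bit=True)
    return {
        "words": len(words),
        "naive_bits": bits(naive),
        "word_bits": bits(by_words),
        "naive_years": years_to_exhaust(naive, guesses_per_second),
        "word_years": years_to_exhaust(by_words, guesses_per_second),
    }
```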
Scrapyard Bob
EVE University
Ivy League
#40 - 2012-04-27 12:11:00 UTC
coolzero wrote:
when do we get the authenticator $!$#!

have it for WoW
have it for SWTOR

now i want it for EVE please

(using a android authenticator app for that btw.)


If you read between the lines - when CCP talks about "two-factor authentication" it means that they are going to add authenticators.

ETA is July 2012 - but that date could slip.