IF log in have CAPTCHA (It won't)

Marconus Orion
Imperial Academy
Amarr Empire
#61 - 2012-07-18 15:02:05 UTC
A phone app as an authenticator works like a charm. I am surprised this game still does not support one.
Sentamon
Imperial Academy
Amarr Empire
#62 - 2012-07-18 15:24:42 UTC
Torneach wrote:
Is it really necessary?


Yes.

~ Professional Forum Alt  ~

MadMuppet
Critical Mass Inc
#63 - 2012-07-18 15:32:18 UTC
I wouldn't mind it if I didn't have to log in every time I change characters.

This message brought to you by Experience(tm). When common sense fails you, experience will come to the rescue. Experience(tm) from the makers of CONCORD.

"If you are part of the problem, you will be nerfed." -MadMuppet

Linda Shadowborn
Dark Steel Industries
#64 - 2012-07-18 16:21:31 UTC
Just Lilly wrote:
How about a mobile authenticator instead, like the one Blizzard uses.
It's a free app for your smartphone.

Everyone uses smartphones...


I don't :)
Haffsol
#65 - 2012-07-18 16:28:36 UTC
Quote:
Quote:

is https too easy to implement or what?



It's two different things; https is applying an application layer cryptographic protocol to the http protocol, http + ssl. This is used to avoid eavesdropping and tampering of the data sent between two computers.

So if you consider your pc secure from a physical point of view, and you don't store your passwords in a file called EVE-PASSWORDS-OF-ALL-MY-ACCOUNTS.DOC on your desktop, then https should be just the way to go. I mean, it's a sort of tunneling between my pc and the CCP servers on a cryptographic layer. And has been proven to be quite solid in years since its introduction. What can go wrong?

I like logging into something using name & pwd and not losing time trying to convince a computer that I'm human
Tarsus Zateki
Viziam
Amarr Empire
#66 - 2012-07-18 17:40:11 UTC  |  Edited by: Tarsus Zateki
The recent hilarity involving the huge number of people having their Diablo 3 accounts stolen shows our PCs are not secure and no amount of self-assurance will change that. Using two part authentication moves one factor out of the hands of account thieves and puts it somewhere they can't get it without outright mugging or robbing you. Both of which are real crimes in most nations.

Edit: Captcha is a ****** solution, physical authenticators you carry on you are a good solution. Heck CCP could use the same VASCO Digi-Pass authenticators that Blizzard uses and save a bunch of money.

You asked me once, what was in Room 101. I told you that you knew the answer already. Everyone knows it. The thing that is in Room 101 is the worst thing in the world.

Finde learth
Republic Military School
Minmatar Republic
#67 - 2012-07-31 09:34:49 UTC
Finally CCP won't add the stupid captcha on Tranquility.

When you input fail on Serenity, the stupid captcha will still appear.

http://i.imgur.com/VkUrw.png
dexington
Caldari Provisions
Caldari State
#68 - 2012-07-31 09:47:03 UTC
Haffsol wrote:
Quote:
Quote:
is https too easy to implement or what?

It's two different things; https is applying an application layer cryptographic protocol to the http protocol, http + ssl. This is used to avoid eavesdropping and tampering of the data sent between two computers.
So if you consider your pc secure from a physical point of view, and you don't store your passwords in a file called EVE-PASSWORDS-OF-ALL-MY-ACCOUNTS.DOC on your desktop, then https should be just the way to go.


SSL/HTTPS does not protect you against automated attacks that are trying to guess your password, which is what CAPTCHA tries to do.

Besides, I think user authentication is already done over a secure connection.

I'm a relatively respectable citizen. Multiple felon perhaps, but certainly not dangerous.

Vera Algaert
Republic University
Minmatar Republic
#69 - 2012-07-31 10:29:59 UTC  |  Edited by: Vera Algaert
Mr M wrote:
I hate it when I get a captcha like this.

that's because you don't understand how recaptcha works :P

google uses recaptcha to outsource OCR work to you, so each captcha consists of one word that is known and one word that is unknown to google.

The second word has no influence on whether you pass the captcha or not, it's just a word that google's OCR systems have trouble identifying (they digitize newspapers, books or more recently street numbers for google maps) and that they want your help with.
So they take all submissions for the second word from users who had the first (known) word right and see if there is a consensus between users on what it is supposed to read - if there is they know what to digitize it as (and yes, this is of course exploitable and /b/tards are trying to exploit it hoping to insert racial slurs into the digitized texts as they go).

The font gives away that turntu is the "known" word in your example and that you have to get this one right to pass the captcha while apolole is unknown to Google and as such doesn't matter.

.

HyperZerg
Aliastra
Gallente Federation
#70 - 2012-07-31 11:14:25 UTC
As long as the hashes aren't stored in the local computer no need for captchas ...

Just add: per IP and per account 5 tries then wait 10 sec till another login is allowed.
Then, even if you try to "guess" the password "1234" you need up to 10k tries => ~27h
If you have to use non-numeric password with at least 7 characters, special characters and stuff you can forget to use a brute-force attack.

Captchas' ONLY use is to block bots in automated request. IF they are already blocked after too many failed logins no need for them. Okay you could stop bots from automated login to your char but there are easy ways to avoid captchas.. You got 1 person online who gets the captchas copied as picture, solves it and sends it back to the bot who needs it. The real botters won't cry and all the normal players will be pissed off badly.
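
Editor's added example (not part of HyperZerg's post and not CCP's code): a server-side sketch of the throttle proposed in post #70, counting failed logins per IP and per account and requiring a 10-second wait before each try after the fifth failure. The class and function names, the 15-minute forget window, and the choice to clear only the account counter on success are assumptions of this example.

```python
import time

FREE_FAILURES = 5     # failed tries allowed before throttling starts (post #70)
WAIT_SECONDS = 10     # wait required before each further try (post #70)
FORGET_SECONDS = 900  # assumption: failures older than this no longer count


class LoginThrottle:
    """Tracks failed logins separately per source IP and per account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # key -> (failure_count, time_of_last_failure)

    def _keys(self, ip, account):
        # Tagged keys so an account name can never collide with an IP string.
        return (("ip", ip), ("acct", account.lower()))

    def _failures(self, key, now):
        count, last = self._state.get(key, (0, 0.0))
        return (0, last) if now - last > FORGET_SECONDS else (count, last)

    def retry_after(self, ip, account):
        """Seconds the caller must still wait; 0.0 means the try may proceed."""
        now = self._clock()
        wait = 0.0
        for key in self._keys(ip, account):
            count, last = self._failures(key, now)
            if count >= FREE_FAILURES:
                wait = max(wait, last + WAIT_SECONDS - now)
        return max(wait, 0.0)

    def record(self, ip, account, success):
        """Call after the password check of a try that was allowed."""
        now = self._clock()
        if success:
            # Clear only the account counter: a successful login to one
            # account must not wipe the IP's failures against other accounts.
            self._state.pop(("acct", account.lower()), None)
            return
        for key in self._keys(ip, account):
            count, _ = self._failures(key, now)
            self._state[key] = (count + 1, now)


def worst_case_seconds(keyspace):
    """Time to try every candidate against one account from one IP."""
    return max(keyspace - FREE_FAILURES, 0) * WAIT_SECONDS
```

With these constants, `worst_case_seconds(10_000)` is 99,950 seconds, about 27.8 hours, for a 4-digit numeric password guessed from a single IP against a single account.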
Abel Merkabah
Caldari Provisions
Caldari State
#71 - 2012-07-31 13:36:55 UTC  |  Edited by: Abel Merkabah
This is all silly. The obvious solution is biometrics.

Every time you sign in, you need to submit a small blood sample (EvE is thirsty). EvE will verify your genetic code; problem solved.

Edit - I'd like to see a bot do that.

Seriously, authenticators rock though. I support key fob or smart phone authenticators.

James315 for CSM 8!