[Proposal]Character transfer security improvement

Zirator
Aliastra
Gallente Federation
#1 - 2011-11-13 07:20:42 UTC
I've brought this up a long while ago in a blog relating to account security and I'm bringing it up again here.

I'm currently looking around for a new character and I've already spent some time in the character bazaar. However there is one thing that still holds me back from buying. And that is the fact that I have to give up my login name to the seller. To me my login is just as secret as my password and I think it's not smart to hand out one piece of the puzzle to someone that I don't know.

My proposal is that under account management an option is created for the buyer to generate a unique code, or as an alternative a unique code that is not your login can be found there. This code will then be passed on to the seller and instead of using the login he will use this unique code to send the character to the buyer's account.

I hope that CCP can implement this and that the CSM can put this on their agenda.

With all the fixes CCP is pushing out this is one that could use some attention as well.
uglybass
Spatial Idiocity Inc.
#2 - 2011-11-15 13:58:58 UTC  |  Edited by: uglybass
Yup,
Also emails are broken cos other people can see my email address when I send stuff.
My router IP is shown when I browse the net.
And my Linux admin is called 'root'

That's why you need enough complexity in passwords...
Lykouleon
Noble Sentiments
Second Empire.
#3 - 2011-11-15 20:47:55 UTC
If you're using an industry-standard password, giving out your login name shouldn't be an issue at all.

Now, if your password is "12345678", you may have a reason to be worried.

Lykouleon > CYNO ME CLOSER so I can hit them with my sword

Feligast
Brutor Tribe
Minmatar Republic
#4 - 2011-11-15 20:59:54 UTC
Lykouleon wrote:
If you're using an industry-standard password, giving out your login name shouldn't be an issue at all.

Now, if your password is "12345678", you may have a reason to be worried.


Dammit, now I need to change it. THANKS A LOT ****.
Velicitia
XS Tech
#5 - 2011-11-15 21:01:51 UTC
Lykouleon wrote:
If you're using an industry-standard password, giving out your login name shouldn't be an issue at all.

Now, if your password is "12345678", you may have a reason to be worried.



hey ... that's the same combination as my luggage...

One of the bitter points of a good bittervet is the realisation that all those SP don't really do much, and that the newbie is having much more fun with what little he has. - Tippia

Drake Draconis
Brutor Tribe
Minmatar Republic
#6 - 2011-11-15 21:18:22 UTC
Velicitia wrote:
Lykouleon wrote:
If you're using an industry-standard password, giving out your login name shouldn't be an issue at all.

Now, if your password is "12345678", you may have a reason to be worried.



hey ... that's the same combination as my luggage...


The Schwartz is weak in this one.....

but agreed.... security for account buying/selling should be buffed.

================ STOP THE EVEMAIL SPAM! https://forums.eveonline.com/default.aspx?g=posts&t=78152

FloppieTheBanjoClown
Arcana Imperii Ltd.
#7 - 2011-11-15 23:24:21 UTC
I can get behind this. I see no reason to compromise security if it can be avoided.

Founding member of the Belligerent Undesirables movement.

Mara Rinn
Cosmic Goo Convertor
#8 - 2011-11-16 22:24:47 UTC
uglybass wrote:
Also emails are broken cos other people can see my email address when I send stuff.


Security is like an onion. No, not because it smells or looks like an ogre, but because it involves layers. One simple layer of security is to ensure that people's email addresses are not the same as their account name.

One principle of security is, "least privilege". That is, don't give people privileges or information they don't need. Since you don't really need the account name to sell someone a character, that information is excess to requirements.

Here's an example of how it could work:

  1. I want to sell a character, so I start a character sale ticket (or "charter" for short).
  2. You want to buy my character, so you bid on the charter and nominate an account for the character to be transferred to (this information is held in the charter system, not revealed to the seller)
  3. I accept your bid (or your bid is the highest above reserve price at the conclusion of the auction period)
  4. The system transfers the character based on you winning the charter auction


Thus the only information revealed by the system relates exclusively to the character for sale.

At present the risk is minimal, assuming the people involved have decently strong passwords. In the future the risk will be slightly lower due to the use of the token generators. A charter system as described will help smooth out the process though.
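
Added example, not part of the original thread and not CCP's code: a sketch of the one-time transfer code from post #1 used in the way the charter flow above requires, so the seller handles only an opaque code and never the buyer's login. The class, function and account names, the 24-hour lifetime and the in-memory storage are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a transfer code, in seconds


class TransferCodes:
    """Hypothetical server-side store mapping one-time codes to buyer accounts."""

    def __init__(self):
        self._pending = {}  # sha256(code) -> (account_id, expiry); raw codes are not stored

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, account_id, now=None):
        """Buyer side: create a random code that carries no part of the login name."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)  # 128 random bits, infeasible to guess
        self._pending[self._digest(code)] = (account_id, now + TOKEN_TTL)
        return code

    def redeem(self, code, now=None):
        """Server side: resolve a code to an account exactly once."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(code), None)  # pop enforces single use
        if entry is None or now > entry[1]:
            return None  # unknown, already used, or expired
        return entry[0]


def transfer_character(codes, roster, character, seller_account, code, now=None):
    """Move `character` to the account behind `code`.

    The seller only ever learns success or failure, never the target account.
    """
    if roster.get(character) != seller_account:
        return False  # caller does not own this character; code is not consumed
    target = codes.redeem(code, now)
    if target is None:
        return False
    roster[character] = target
    return True
```
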
Shaidar Hussan
HelloKittyFanclub
#9 - 2011-11-17 08:32:47 UTC
Lykouleon wrote:
If you're using an industry-standard password.

Industry standard? I sure am, my password is "password" and it's stuck to my screen on a post-it.
Katarina Reid
Deep Core Mining Inc.
Caldari State
#10 - 2011-11-17 12:33:38 UTC
What about using account API IDs? Or generate a unique key.