Login security, is a username and password enough

Barakkus
#41 - 2012-01-11 13:22:45 UTC
They can also use software RSA tokens; Harris bank and some others use them for corporate banking clients. It's basically some software you install that emulates the fobs.

http://youtu.be/yytbDZrw1jc

Jaroslav Unwanted
Brutor Tribe
Minmatar Republic
#42 - 2012-01-11 13:23:45 UTC  |  Edited by: Jaroslav Unwanted
Mangua Desnart wrote:
Indalecia wrote:
I use GNU/Linux, so a USB 3rd-party device would very likely be unsupported for my OS.



We weren't talking about a USB device, this is purely a key fob type affair that generates random numbers that is linked to your account


Tokens .. number generator sync with login server..

The usual thing for people working in the network industry / backbone engineers etc. But in that industry there is a "real" threat. In the game .. well you maybe lose your account/character/stuff .. but it will get investigated and you eventually get it back.

From time to time they desync.. and you call support to get it synchronized again. It happens once per month .. approximately
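
An added example, not part of the thread and not any vendor's code: the post above describes token codes kept in sync with the login server, with occasional desync fixed by support. This sketch uses the open HOTP/TOTP standards (RFC 4226 / RFC 6238) as a stand-in for proprietary fobs; `TokenRecord`, its fields and the window sizes are assumptions.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per code (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """What the token displays when its own clock reads unix_time."""
    return hotp(secret, unix_time // STEP)

class TokenRecord:
    """Server-side state for one token (hypothetical structure)."""
    def __init__(self, secret: bytes, window: int = 2):
        self.secret = secret
        self.window = window   # steps of clock drift tolerated either way
        self.drift = 0         # learned token-clock offset, in steps
        self.last_step = -1    # highest step accepted so far (replay guard)

    def _match(self, step: int, code: str) -> bool:
        return step >= 0 and hmac.compare_digest(
            hotp(self.secret, step).encode(), code.encode())

    def verify(self, code: str, server_time: int) -> bool:
        """Normal login: accept only codes within the small drift window."""
        base = server_time // STEP + self.drift
        for delta in sorted(range(-self.window, self.window + 1), key=abs):
            step = base + delta
            if step > self.last_step and self._match(step, code):
                self.drift += delta      # follow slow clock drift
                self.last_step = step    # this code and older ones are now dead
                return True
        return False

    def resync(self, code1: str, code2: str, server_time: int, search: int = 20) -> bool:
        """Support-desk resync: two consecutive codes locate a far-drifted token."""
        base = server_time // STEP
        for delta in range(-search, search + 1):
            step = base + delta
            if (step > self.last_step and self._match(step, code1)
                    and self._match(step + 1, code2)):
                self.drift, self.last_step = delta, step + 1
                return True
        return False
```

The narrow window in `verify` keeps the guessing surface small at login; the wider search in `resync` is only safe because it demands two consecutive codes.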
Mangua Desnart
Mangua Desnart Corporation
#43 - 2012-01-11 13:26:49 UTC
Woot, Page 3. I have never started a discussion that has gone on this far - thank you to everyone that has taken part. Keep it going guys, we have some good solid points here I feel
Mr Kidd
Center for Advanced Studies
Gallente Federation
#44 - 2012-01-11 13:32:51 UTC
Abdiel Kavash wrote:
Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.


While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you.

Username/password is enough as long as you disconnect your computer from the internet.

Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't ensure that browsing even reputable websites is safe, since those websites generally have advertising which is dependent upon several providers for that content, some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on the client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed.

Don't ban me, bro!

Deviana Sevidon
Jades Falcon Guards
#45 - 2012-01-11 13:33:15 UTC
Mangua Desnart wrote:
Deviana Sevidon wrote:


And that seems quite naive to me. There are a lot of possible options to attack a system, 'questionable' websites and software are the least of the worries, since there are a lot of security holes in widely used and legit software. Never sharing account access with anyone else is excellent advice, but that will also not guarantee the security of the account.

Edit:

There is also an additional benefit. With fewer cases of accounts being hacked, the CCP customer support staff has more time to deal with other petitions on their ticket queues.


Deviana, You seem quite knowledgeable about computer security, can I ask are you just an enthusiast in the subject or do you participate in the field in some professional capacity?


I assure you, I don't work for CCP.

But I have some experience with the digipass tokens and I would like to have one to protect my accounts.

....as if 10,058 Goon voices cried out and were suddenly silenced.

Mangua Desnart
Mangua Desnart Corporation
#46 - 2012-01-11 13:38:15 UTC
Deviana Sevidon wrote:


I assure you, I don't work for CCP.


Sorry, that's not what I meant to infer lol

Deviana Sevidon wrote:


But I have some experience with the digipass tokens and I would like to have one to protect my accounts.


Me too - I still can't believe we haven't had a contribution from a dev / GM on this subject yet...
Jenshae Chiroptera
#47 - 2012-01-11 13:41:40 UTC
Mangua Desnart wrote:
...
I work in computer security, and the only secure computer anywhere is one that is turned off in a box in a locked room with no windows, security should not be optional


... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer?

CCP - Building ant hills and magnifying glasses for fat kids

Not even once

EVE is becoming shallow and puerile; it will satisfy neither the veteran nor the "WoW" type crowd in the transition.

Mangua Desnart
Mangua Desnart Corporation
#48 - 2012-01-11 13:48:09 UTC
Jenshae Chiroptera wrote:


... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer?


No, I don't think my smart phone is any more secure than my computer, that's why I run anti virus on that too. The apps are an additional layer of security that are obtained through vetted means and have been checked for malicious payloads / viruses etc
Jaroslav Unwanted
Brutor Tribe
Minmatar Republic
#49 - 2012-01-11 13:48:20 UTC
Jenshae Chiroptera wrote:
Mangua Desnart wrote:
...
I work in computer security, and the only secure computer anywhere is one that is turned off in a box in a locked room with no windows, security should not be optional


... and you somehow think that your phone is more secure than a computer? People will never go to some third party site while travelling that they also browse with their computer?


Question is .. is security important..

WHO WANTS TO LIVE FOREVER ?
Mangua Desnart
Mangua Desnart Corporation
#50 - 2012-01-11 13:52:09 UTC
Jaroslav Unwanted wrote:


Question is .. is security important..


Damn silly question....

Jaroslav Unwanted wrote:


WHO WANTS TO LIVE FOREVER ?


Not such a silly question, the answer is of course me, but I digress.... Authenticators people pro or not?
Jaroslav Unwanted
Brutor Tribe
Minmatar Republic
#51 - 2012-01-11 13:52:50 UTC  |  Edited by: Jaroslav Unwanted
Mangua Desnart wrote:
Jaroslav Unwanted wrote:


Question is .. is security important..


Damn silly question....

Jaroslav Unwanted wrote:


WHO WANTS TO LIVE FOREVER ?


Not such a silly question, the answer is of course me, but I digress.... Authenticators people pro or not?


optional .. as it was "promised"
Barakkus
#52 - 2012-01-11 15:28:54 UTC
Mr Kidd wrote:
Abdiel Kavash wrote:
Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.


While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you.

Username/password is enough as long as you disconnect your computer from the internet.

Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't ensure that browsing even reputable websites is safe, since those websites generally have advertising which is dependent upon several providers for that content, some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on the client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed.


Yup, there have been a few instances in the last couple of years of Google ads exploiting browser vulnerabilities and compromising systems.

http://youtu.be/yytbDZrw1jc

Morganta
The Greater Goon
#53 - 2012-01-11 15:33:48 UTC  |  Edited by: Morganta
I'm pretty sure I read that TOR players hate that system


and for the record, you have a very good chance of dying a horrible death in a car crash every day
do you cover your car in protective equipment?
Roscada
We love Egg
#54 - 2012-01-11 15:40:23 UTC
Bleh. Too much extra work and **** to lose. How about generating a decent password and being responsible about what you download and the sites you visit?
Famble
Three's a Crowd
#55 - 2012-01-11 15:47:15 UTC
Mr Kidd wrote:
Abdiel Kavash wrote:
Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.


While your ideas are sound, they're sound for 1994. Placed in today's world, allow me to rephrase this for you.

Username/password is enough as long as you disconnect your computer from the internet.

Idiocy is not a requisite anymore. The lone act of having your system connected to a world wide network with modern computing capabilities is enough to render username/password inadequate. One can't ensure that browsing even reputable websites is safe, since those websites generally have advertising which is dependent upon several providers for that content, some of which are further dependent on networks of contributors. The end result is that one's system can be compromised at any time. The sum effect is a lottery fashioned chance of being compromised that no amount of foresight, planning and implementation on the client's side alone can overcome other than to pull the plug. If you believe this to be incorrect then you will be sorely disappointed.


You should be thankful for idiocy! If there weren't so many idiots out there then a sound username/password policy truly wouldn't be enough. The fact that there are means that they are the targets. In other words, malware authors and the like always target low-hanging fruit. It's much easier and as a result more effective.

You can attack keyfob solutions with man-in-the-middle attacks but it doesn't happen much because the bad guys aren't going to waste their time with those folks when they could simply hack Joe's simple username/password they obtained with their little phishing site or other much, much easier means.

Sure, any computer on the web is by definition vulnerable, of that there's no doubt. But the level of sophistication necessary to get in gets exponentially harder (think FBI, NSA type stuff) as you take basic security measures (e.g. username/password complexity).

There's a reason that still, to this day the vast majority of security leaks are the result of social engineering. For example:

Bank receptionist's phone rings.
Receptionist: Hello, Awesome Bank, this is Cindy how can I help you?
Bad guy: Hi Cindy, this is Todd down in IT. Our diagnostics show that your computer is acting up and causing problems for the network. I'm afraid it could crash and we really need to run a few tests. I can do it remotely right now and it'll only take a moment if you have the time.
Receptionist: Ok, sure.
Bad guy: Excellent, open up Internet Explorer and go to our internal IT testing site, w w w.it.awesomebank1.c o m
Receptionist: Ok, I'm here. Now what?
Bad guy: Type your username and password into the fields there to authenticate your PC and I'll start the tests. It'll take 10 minutes or so, so feel free to grab a cup of coffee. We all need coffee this early, am I right!?
Receptionist: Hehe, you got that right! Ok, I entered it, I'm gonna get that coffee, good luck!
...

If anyone ever looks at you and says, "Hold my beer, watch this," you're probably going to want to pay attention.

Grateler
People's Front of Offugen
#56 - 2012-01-11 16:14:37 UTC
Happy with username/password.

People use a decent password and it doesn't get hacked, there's no issue.

Personally don't have CC details on account, which is even better.

If every site/game I used started using tokens and other tools it would literally be a nightmare.
Mangua Desnart
Mangua Desnart Corporation
#57 - 2012-01-11 16:58:52 UTC
I think it would be a real bonus for Eve to have this two factor authentication - and no, it wouldn't be suitable for every game - I am talking about Eve and only Eve
T'Laar Bok
#58 - 2012-01-11 17:05:36 UTC
Othran wrote:
chocolate teapot.



I prefer white chocolate. Will these be available?

Amphetamines are your friend.

http://eveboard.com/pilot/T'Laar_Bok

Maxpie
MUSE LLP
#59 - 2012-01-11 18:53:58 UTC
Yes, I think user id/password is sufficient. I've been playing for around 6 years, have never had a problem. I guess I'd have no problem with an optional authenticator since some people are not so careful/lucky, but for me I'd prefer not to have an extra step in the process of logging on. The problem is an authenticator would start out as optional but eventually become mandatory.

Also, I'm generally against anything in Eve that protects people from their own stupidity.

No good deed goes unpunished

Serge Bastana
GWA Corp
#60 - 2012-01-11 18:55:54 UTC
Remember kids, we aren't allowed to debate this anymore, Ursula said so

WoW holds your hand until end game, and gives you a cookie whether you win or lose. EVE not only takes your cookie, but laughs at you for bringing one in the first place...