EVE General Discussion

 

Login security, is a username and password enough

Chribba
Otherworld Enterprises
Otherworld Empire
#81 - 2012-01-12 10:44:25 UTC
I for one would still love to see me being able to lock my accounts to IP's. I suggested this in like 2007 and am still waiting Cool

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar

Mangua Desnart
Mangua Desnart Corporation
#82 - 2012-01-12 10:49:31 UTC
Chribba wrote:
I for one would still love to see me being able to lock my accounts to IP's. I suggested this in like 2007 and am still waiting Cool


This would again be a good idea for some but I do access my Eve accounts when traveling so wouldn't work for me personally... not a bad idea though.
Othran
Route One
#83 - 2012-01-12 11:03:27 UTC
Chribba wrote:
I for one would still love to see me being able to lock my accounts to IP's. I suggested this in like 2007 and am still waiting Cool


The main problem with that is the static IP addresses are assigned to you, not allocated to you*. As such they can (and do) change when the LIR requires or when the RIR gets sufficiently pissed-off with a rogue LIR.

I'm in just such a process now and this machine will soon effectively have two IP addresses (switchover period) with the new address routed to the old address. My LIR (ISP in this case) cannot give me a precise switchover time, all I have is an 8 hour overnight "window".

I'm certain this wouldn't end well if CCP locked the accounts to IP addresses;

*I'm assuming you're not a LIR
RubyPorto
RubysRhymes
#84 - 2012-01-12 11:30:01 UTC
Ursula LeGuinn wrote:
Abdiel Kavash wrote:
Username/password is enough as long as the users are not idiots.


Incorrect. It is impossible to have too much account security. That's not debatable, sorry.

I'm not saying this is a NECESSARY FEATURE AND IT MUST BE IMPLEMENTED IMMEDIATELY, but it would be purely beneficial.

Edit: Authenticator codes are typically optional by the way, I doubt CCP would force cranky contrarians or forum warriors to use them.


Ok, so you're willing to Call CCP on a telephone and give them a detailed personal history every time you want to log in?

Security is about a Cost/Benefit analysis. My bank uses a username/password system on a secured server. That's certainly good enough when combined with basic common sense/virus protection.

Beyond Username/Password, the costs start outweighing the benefits when you're talking about Banking. WoW implemented the key fobs because Hacking is absurdly prevalent, to the point where the benefit began to outweigh the cost. EvE doesn't, to my knowledge, have that problem.

"It's easy to speak for the silent majority. They rarely object to what you put into their mouths." -Abrazzar "the risk of having your day ruined by other people is the cornerstone with which EVE was built" -CCP Solomon

Deviana Sevidon
Jades Falcon Guards
#85 - 2012-01-12 11:37:00 UTC
Then you missed the time when spammers posted links to websites containing keyloggers about 2 years ago. Despite what you might think about the intelligence level of an average eve player, a lot of people were clicking on these links. You also missed the threads that pop up every once in a while about a player having his/her account stolen and CCP taking weeks to investigate the issue.

....as if 10,058 Goon voices cried out and were suddenly silenced.

Mangua Desnart
Mangua Desnart Corporation
#86 - 2012-01-12 11:39:13 UTC
RubyPorto wrote:


EvE doesn't, to my knowledge, have that problem.


Two things spring to mind here; Why did SW:TOR implement the system from the outset then? Also would you really wait on getting a smoke detector until AFTER your house burns down? What I am trying to say is, from your example WoW bolted the door after the horse had run, would you really leave it until after your account had been hacked before you demanded better security? As for the banks, mine requests characters from a chosen pass phrase on top of my user-name and password, it's an extra step, sure - it's hassle, I'm sure some customers see it as such - it's more secure, most definitely.
Chribba
Otherworld Enterprises
Otherworld Empire
#87 - 2012-01-12 12:52:53 UTC
Othran wrote:
Chribba wrote:
I for one would still love to see me being able to lock my accounts to IP's. I suggested this in like 2007 and am still waiting Cool


The main problem with that is the static IP addresses are assigned to you, not allocated to you*. As such they can (and do) change when the LIR requires or when the RIR gets sufficiently pissed-off with a rogue LIR.

I'm in just such a process now and this machine will soon effectively have two IP addresses (switchover period) with the new address routed to the old address. My LIR (ISP in this case) cannot give me a precise switchover time, all I have is an 8 hour overnight "window".

I'm certain this wouldn't end well if CCP locked the accounts to IP addresses;

*I'm assuming you're not a LIR

ofc IP locking would be OPTIONAL, you could just as easily add multiple IP's/ranges/masks for access or just allow all.

obviously it would be able to unlock it via petition like anything else should it come to you losing your IP's. And while static IP's do at times get changed, that's pretty rare and hardly anything I would worry about. Obviously someone with a dynamic IP might not want to use the option, same if you go travel - turn it off if you know you will need to log on from other places.

I personally would love to have it on as no matter where I go I always connect through my own VPN, so locking down everything for me would be a great value to the security - regardless if I am at home, work or the jungle Lol

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar
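
The optional IP lock described in post #87 (multiple IPs/ranges/masks, or allow all), sketched as an added example; it is not part of the original posts and not CCP's code. The function names and the allowlist entries (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress

def parse_allowlist(entries):
    """Parse single IPs, CIDR ranges and address/netmask pairs into networks.

    strict=True rejects entries with host bits set (e.g. '198.51.100.9/24'),
    so a typo cannot silently lock the account to a range the owner did not mean.
    """
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]

def login_allowed(source_ip, allowlist):
    """Return True if source_ip may log in under this account's IP lock."""
    if not allowlist:
        # Lock is optional: an empty list means "just allow all".
        return True
    addr = ipaddress.ip_address(source_ip)
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them
    # so an IPv4 entry still matches.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in allowlist)

def evaluate(logins, allowlist):
    """Label each attempted login; denied ones are what you would alert on."""
    return [(ip, "allow" if login_allowed(ip, allowlist) else "deny")
            for ip in logins]

# Constructed sample: an account locked to an old and a new static address
# (the switchover case from post #83), a VPN range given as address/netmask,
# and an IPv6 prefix.
ALLOWLIST = parse_allowlist([
    "203.0.113.7",                # old static address
    "198.51.100.0/24",            # new assignment
    "192.0.2.0/255.255.255.192",  # VPN exit range, netmask form (= /26)
    "2001:db8:1234::/48",
])

# Constructed login attempts.
LOGINS = ["203.0.113.7", "::ffff:203.0.113.7", "198.51.100.200",
          "192.0.2.64", "2001:db8:1234:5::1", "203.0.113.8"]

if __name__ == "__main__":
    for ip, decision in evaluate(LOGINS, ALLOWLIST):
        print(f"{decision:5} {ip}")
```

Keeping both the old and the new address on the list during a renumbering window avoids the lockout raised in post #83; the petition route mentioned above remains the fallback when no listed address is reachable.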

Othran
Route One
#88 - 2012-01-12 13:07:58 UTC  |  Edited by: Othran
If it was IPv6 addresses I'd agree with you.

The IPv4 address space is rapidly becoming more bloody in RIPE/ARIN regions and I can see RIPE making it a matter of policy to require LIRs to remove assignments greater than a /29 from individuals over the next 3-5 years. ISPs (UK anyway) are already noticeably less keen to hand out static addresses unless you have a real reason for needing one.

Hell I may get to use my IPv6 Essentials book again - haven't opened that in nearly ten years Lol
CCP Sreegs
CCP Retirement Home
#89 - 2012-01-12 13:34:39 UTC
Ok, let's see what we can do here...

1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.

2) I'm pushing to have us catch up with the times on that.

3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.

The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.

This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.

I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Neo Agricola
Gallente Federation
#90 - 2012-01-12 14:12:25 UTC
CCP Sreegs wrote:
Ok, let's see what we can do here...

1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.

2) I'm pushing to have us catch up with the times on that.

3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.

The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.

This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.

I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.

Thx for the info.

Just for your information: There are people out there who have 3, 4, 5 or even 23 accounts. And some of them are using different computers on a regular basis. Please keep that in mind when you create a new "security" feature.

E.g. I don't want to run around with 4 dongles for each of my accounts every day. (ok, which dongle was for which Account)...
or have to connect a "dongle" to each computer I regularly use for playing eve...


DISSONANCE is recruiting Members: https://forums.eveonline.com/default.aspx?g=posts&m=706442#post706442 Black-Mark Alliance Recruitment: https://forums.eveonline.com/default.aspx?g=posts&t=6710

Drew Solaert
Aliastra
Gallente Federation
#91 - 2012-01-12 14:15:47 UTC
Or instead of a Gadget have 6 security question and answer pairings and have a random one out of the six asked when you log on.

Or do like some banks do and have another password but you only enter in 3 randomly generated letters of the password on a drop down menu each time you log in.

There you go, beefed up security without having to buy a ****** plastic thingy.

I lied :o

Mr Kidd
Center for Advanced Studies
Gallente Federation
#92 - 2012-01-12 14:23:12 UTC  |  Edited by: Mr Kidd
RubyPorto wrote:
Ursula LeGuinn wrote:
Abdiel Kavash wrote:
Username/password is enough as long as the users are not idiots.


Incorrect. It is impossible to have too much account security. That's not debatable, sorry.

I'm not saying this is a NECESSARY FEATURE AND IT MUST BE IMPLEMENTED IMMEDIATELY, but it would be purely beneficial.

Edit: Authenticator codes are typically optional by the way, I doubt CCP would force cranky contrarians or forum warriors to use them.


Ok, so you're willing to Call CCP on a telephone and give them a detailed personal history every time you want to log in?

Security is about a Cost/Benefit analysis. My bank uses a username/password system on a secured server. That's certainly good enough when combined with basic common sense/virus protection.

Beyond Username/Password, the costs start outweighing the benefits when you're talking about Banking. WoW implemented the key fobs because Hacking is absurdly prevalent, to the point where the benefit began to outweigh the cost. EvE doesn't, to my knowledge, have that problem.


Your bank doesn't do this because it believes it to be sufficient. Your bank does this because they don't give a rat's arse about you.

http://en.wikipedia.org/wiki/Online_banking#Security

Trust me on this. Your bank's cost/benefit analysis consists of this, "that costs us money so, we're not going to do it". They are more than happy if the theft costs you money and not them to continue on with inadequate authentication. Any losses experienced by banks are covered by insurance. In the US it's called the FDIC.

CCP Sreegs wrote:
Ok, let's see what we can do here...

...

I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.


Sreegs, you guys are going to do it when you do it. You, I, a dozen others in this thread realize everything you're saying. But, we understand how CCP works, or doesn't and so no one here is holding their breath. But, good luck getting something better implemented.

Don't ban me, bro!

CCP Sreegs
CCP Retirement Home
#93 - 2012-01-12 14:54:09 UTC
Neo Agricola wrote:
CCP Sreegs wrote:
Ok, let's see what we can do here...

1) Username/Password combinations as sole authenticating factors are basically yesterday's news. We need to catch up with the times on that.

2) I'm pushing to have us catch up with the times on that.

3) I will race to the forums with a dev blog and multiple joyous posts when I get to a point where I'm confident an additional factor is being delivered in some way.

The real problem here is that there are some dependencies which must be met first that are getting finalized right now. Once they're finalized we'll communicate them and I'll make certain you understand that they're a pre-requisite for additional authentication factors.

This is a topic that has rightfully come up continuously and while it may sound a bit droll I'm fairly confident on seeing some progress on it in some way fairly soon.

I apologize for some vagueness but I have to play a bit of a dance here with what can be communicated right this second without leaving you all completely in the dark.

Thx for the info.

Just for your information: There are people out there who have 3, 4, 5 or even 23 accounts. And some of them are using different computers on a regular basis. Please keep that in mind when you create a new "security" feature.

E.g. I don't want to run around with 4 dongles for each of my accounts every day. (ok, which dongle was for which Account)...
or have to connect a "dongle" to each computer I regularly use for playing eve...




Yes, that is also a consideration. :) I'm pretty sure nobody thinks it would be a productive use of time for you to have to have 24 different dongles and that's been a part of the consideration in the design process.

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Darwin Duck
Caldari Provisions
Caldari State
#94 - 2012-01-12 15:02:17 UTC  |  Edited by: Darwin Duck
SW:tor is a drag on security.
Username, password, security questions, authenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement.
(it often asks me security questions just for logging in, I could understand it if it was only asked when doing account changes).

If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway.
Mar Drakar
LDK
#95 - 2012-01-12 15:13:06 UTC
Darwin Duck wrote:
SW:tor is a drag on security.
Username, password, security questions, authenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement.
(it often asks me security questions just for logging in, I could understand it if it was only asked when doing account changes).

If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway.


If you keep your passwords heavily salted and hashed, they do not rot like fish, and even after a hack you are still only a username out in the wild.
This is general rule of thumb, and having in mind.... sophisticated playerbase that eve has it's probably a must for current authentication system.
Othran
Route One
#96 - 2012-01-12 15:26:15 UTC  |  Edited by: Othran
Darwin Duck wrote:
SW:tor is a drag on security.
Username, password, security questions, authenticator generator, and when that little cheapo plastic generator breaks or is lost you're probably without game access for 2-3 weeks until you get a replacement.
(it often asks me security questions just for logging in, I could understand it if it was only asked when doing account changes).

If people use their brains on the web, username and password is enough. A large scale DB hacking like SOE had is hard to protect yourself against anyway.


You'll probably find that the security questions are triggered by an IP address change at your end.

It's a very common (if not all that useful) method of reducing risk. Companies like it because it's cheap, company insurers like it because by and large they are clueless.

It's largely worthless and will remain so until we all have personal IPv6 address allocations - which I believe will eventually happen as then we can all be easily (and cheaply) tracked and profiled by govt/companies. Edit for those of you wondering about IPv6, then the policy in Europe (RIPE) is to give each ISP subscriber 65,536 IPv6 subnets, each of those subnets having 18,446,744,073,709,551,616 addresses so it's unlikely you'd run out soon Blink
Neo Agricola
Gallente Federation
#97 - 2012-01-12 15:34:34 UTC
CCP Sreegs wrote:

Yes, that is also a consideration. :) I'm pretty sure nobody thinks it would be a productive use of time for you to have to have 24 different dongles and that's been a part of the consideration in the design process.


Yeah. I need that time to fuel posses since shipping Fuel from A to B and shipping Fuel Blocks to Posses is so much fun...


DISSONANCE is recruiting Members: https://forums.eveonline.com/default.aspx?g=posts&m=706442#post706442 Black-Mark Alliance Recruitment: https://forums.eveonline.com/default.aspx?g=posts&t=6710

Zag'mar Jurkar
Republic Military School
Minmatar Republic
#98 - 2012-01-12 15:35:57 UTC
I'd like to use my job's SecurID to log on EVE. Would it be safe?
Neo Agricola
Gallente Federation
#99 - 2012-01-12 15:42:05 UTC
Zag'mar Jurkar wrote:
I'd like to use my job's SecurID to log on EVE. Would it be safe?

LOL

not sure if you are serious....

DISSONANCE is recruiting Members: https://forums.eveonline.com/default.aspx?g=posts&m=706442#post706442 Black-Mark Alliance Recruitment: https://forums.eveonline.com/default.aspx?g=posts&t=6710

Fearless M0F0
Incursion PWNAGE Asc
#100 - 2012-01-12 15:54:55 UTC
Doggy Dogwoofwoof wrote:
ENOUGH, XKCD explained this already: http://xkcd.com/936/. now STOP arguing. Roll


This. It would be great if password requirements for numbers and capital letters were waived if your password exceeds some length. It's pretty annoying coming up with 15+ character passwords and then having to add a digit Roll

Anyways, no matter how long and safe your password is, there is always the risk of keyloggers... for windows users that is Bear