EVE General Discussion

 
 

IF log in have CAPTCHA (It won't)

Terrorfrodo
Interbus Universal
#21 - 2012-07-17 08:01:09 UTC
I HATE captchas. Don't do this!

.

dexington
Caldari Provisions
Caldari State
#22 - 2012-07-17 08:08:33 UTC
Chokichi Ozuwara wrote:
Captcha does nothing to secure your account. Bots are designed to capture captchas and fire them off to third party solving services (manual and automated) which beat them easily.

Adding this would be stupid. It would be like 2008 all over again.


It protects your account against brute force attacks, or at least makes the process of brute force attacks slow and expensive if there is no way to decode the answer without human interaction.

I'm a relatively respectable citizen. Multiple felon perhaps, but certainly not dangerous.

Terrorfrodo
Interbus Universal
#23 - 2012-07-17 08:38:27 UTC
To protect against brute force attacks, they could just throttle login attempts: When you enter a wrong password twice, you can't attempt another login until three minutes have passed. Brute-forcing an account would take a looong time then.

.

Pak Narhoo
Splinter Foundation
#24 - 2012-07-17 09:26:02 UTC
Can't say I'm going to be happy with this but if it is a working deterrent to bots....
dexington
Caldari Provisions
Caldari State
#25 - 2012-07-17 09:33:17 UTC
Terrorfrodo wrote:
To protect against brute force attacks, they could just throttle login attempts: When you enter a wrong password twice, you can't attempt another login until three minutes have passed. Brute-forcing an account would take a looong time then.


That works well against brute force attacks that target a single account, but is very ineffective against other automated attacks that simultaneously attack multiple accounts.

I'm a relatively respectable citizen. Multiple felon perhaps, but certainly not dangerous.
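
The two positions in the exchange above, as an added example that is not part of the original thread: a per-account lockout using the numbers from post #23 (two wrong passwords, three-minute wait), with an optional per-source rule that counts how many distinct accounts one address has failed against. The class and function names, the source rule's thresholds, and the sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILS = 2        # from the thread: two wrong passwords ...
LOCK_SECONDS = 180   # ... then no further attempt for three minutes
SPRAY_WINDOW = 600   # assumption: look-back window per source, in seconds
SPRAY_ACCOUNTS = 5   # assumption: distinct accounts failed from one source

class LoginThrottle:
    def __init__(self, source_rule=True):
        self.source_rule = source_rule
        self.fails = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}               # account -> unlock timestamp
        self.by_source = defaultdict(deque)  # source -> (timestamp, account)

    def check(self, account, source, now):
        """Return 'ok' if the password may be checked, else the deny reason."""
        if self.locked_until.get(account, 0) > now:
            return "account_locked"
        if self.source_rule and self._accounts_failed(source, now) >= SPRAY_ACCOUNTS:
            return "source_blocked"
        return "ok"

    def record(self, account, source, success, now):
        """Feed back the outcome of a password check that was allowed."""
        if success:
            self.fails.pop(account, None)
            return
        self.by_source[source].append((now, account))
        self.fails[account] += 1
        if self.fails[account] >= MAX_FAILS:
            self.locked_until[account] = now + LOCK_SECONDS
            self.fails[account] = 0

    def _accounts_failed(self, source, now):
        q = self.by_source[source]
        while q and q[0][0] <= now - SPRAY_WINDOW:
            q.popleft()                      # drop failures outside the window
        return len({acct for _, acct in q})

def checks_reached(throttle, attempts):
    """Replay constructed (time, account, source) failed logins; count those
    that got as far as a password check."""
    reached = 0
    for now, account, source in attempts:
        if throttle.check(account, source, now) == "ok":
            reached += 1
            throttle.record(account, source, success=False, now=now)
    return reached

# Constructed sample data: one source, one wrong guess against each of 50 accounts.
SPRAY = [(float(i), f"pilot{i}", "198.51.100.7") for i in range(50)]
# Constructed sample data: one source hammering a single account once per second.
SINGLE = [(float(i), "pilot0", "198.51.100.7") for i in range(10)]
```

With the account lockout alone, every one of the 50 spread-out attempts reaches a password check; with the source rule enabled only the first five do. A source-keyed counter only sees attempts that share an address, so attempts spread over many addresses need a different signal.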

Terrorfrodo
Interbus Universal
#26 - 2012-07-17 09:40:35 UTC
If every account can have only a very limited number of unsuccessful login attempts per day, then the overall number of accounts hacked by brute force attacks will be very low. Only those choosing a really bad password will be vulnerable, but EVE does enforce the choosing of a reasonably complex password now.

Tbh I don't see how people still get hacked other than by keyloggers infecting their computers. Captchas won't protect us from that either.

.

Mara Rinn
Cosmic Goo Convertor
#27 - 2012-07-17 09:47:40 UTC
Why not just implement the two-factor authentication for which we already have the damned key fobs?

How is CAPTCHA supposed to prevent brute-force attacks anyway? CCP surely know that there are sweat shops dedicated to people solving CAPTCHAS for fifty cents an hour, don't they? (just check out Amazon's Mechanical Turk)
Anya Ohaya
School of Applied Knowledge
Caldari State
#28 - 2012-07-17 10:07:36 UTC
Terrorfrodo wrote:
To protect against brute force attacks, they could just throttle login attempts: When you enter a wrong password twice, you can't attempt another login until three minutes have passed. Brute-forcing an account would take a looong time then.


3 minutes is overkill. 3 seconds should be enough to make brute force attacks impractical on all but the weakest passwords (it would take eight hours to go through a dictionary of common words).
Random Celestial
Viziam
Amarr Empire
#29 - 2012-07-17 13:04:41 UTC
dexington wrote:
Chokichi Ozuwara wrote:
Captcha does nothing to secure your account. Bots are designed to capture captchas and fire them off to third party solving services (manual and automated) which beat them easily.

Adding this would be stupid. It would be like 2008 all over again.


It protects your account against brute force attacks, or at least makes the process of brute force attacks slow and expensive if there is no way to decode the answer without human interaction.


You can buy 1000 captcha solves for $1.37 USD.

<- Runs craigslist bots for car dealers, CL dropped captchas now though.
Roc Wieler
Brutor Tribe
Minmatar Republic
#30 - 2012-07-17 13:16:22 UTC
There are many good forms of captcha other than scrambled letters.

http://www.jquery4u.com/security/10-jquery-captcha-plugins/

Of course, as mentioned, none of these is 100% foolproof, but many serve as a deterrent, and that makes a difference.

Never start a fight you can win.

dexington
Caldari Provisions
Caldari State
#31 - 2012-07-17 13:42:28 UTC
Random Celestial wrote:
dexington wrote:
Chokichi Ozuwara wrote:
Captcha does nothing to secure your account. Bots are designed to capture captchas and fire them off to third party solving services (manual and automated) which beat them easily.

Adding this would be stupid. It would be like 2008 all over again.


It protects your account against brute force attacks, or at least makes the process of brute force attacks slow and expensive if there is no way to decode the answer without human interaction.


You can buy 1000 captcha solves for $1.37 USD.

<- Runs craigslist bots for car dealers, CL dropped captchas now though.


Having to spend 1.37$ to check the 1000 commonly used passwords, with a paper trail to the company doing the captcha solving, is really not a sweet deal.

You are right, captcha is not going to stop all attacks, but at some point attackers are going to look for easier targets. You can probably find a lot of corp websites or 3rd party forums with a decent amount of active users, if they have a login mechanic, there is a good chance you can find some combination of username/email/password that would enable you to access some/several eve accounts.

In the end it's probably going to be easier to find a security vulnerability in a 3rd party web site, than trying to brute force accounts on a ccp owned site, with or without captcha, but each layer of security makes the target less attractive.

I'm a relatively respectable citizen. Multiple felon perhaps, but certainly not dangerous.

Lord Ryan
True Xero
#32 - 2012-07-17 13:58:44 UTC
capshit would be the straw.........................

Do not assume anything above this line was typed by me. Nerf the Truth, it's inconvenient.

Kisumii
Astral Acquisitions Inc.
#33 - 2012-07-17 14:34:19 UTC
This is bollocks, Just do what RIFT did, If you log in from unfamiliar IP you cannot spend or move any items until you check your email for the coin lock code and punch it in game. Simples.

Unless of course you was dumb enough to get your game AND email hacked...
Blastcaps Madullier
Handsome Millionaire Playboys
Sedition.
#34 - 2012-07-17 14:37:07 UTC
no thank you, that system's a pain in the ass and frankly don't want to see it, authenticators for smart phones maybe, this crap personally want no part of, frequently you have to refresh the "phrase" several times just to get one that's barely readable, so with due respect **** THAT.
AureoBroker
Perkone
Caldari State
#35 - 2012-07-17 14:44:35 UTC
Captchas do not work in the slightest.

Email code would be much better, or authenticator after that.
Alayna Le'line
#36 - 2012-07-17 14:51:11 UTC  |  Edited by: Alayna Le'line
Tarsus Zateki wrote:
Either way as a user of an authenticator in my Blizzard games I'd happily support two part authentication in Eve Online, even if it was a just a simple E-Mail code sent to you when you try to log-in through an unfamiliar IP Address and such.


Rift did this e-mail thing and it was extremely annoying. E-mail is NOT an instant form of communication, something people tend to forget, and having to wait 10 minutes or more before you can do anything on your account (it would disallow buying/selling/trashing of items until you had verified your account) gets rather old fast, especially since a big part of the world is still on lines with a dynamic IP address.

Also CAPTCHAs are a terrible terrible form of authentication: either they are too readable and can be broken by bots, or they are not readable, and can't be read by the humans supposed to be reading them either. In the worst case they mess around with various kinds of colors on top of the regular gibberish making things just impossible for people like me (that is, [partially] colorblind people). I HATE captchas with a fiery passion.

Now Blizzard (and a bunch of other companies, like Bioware I think) use an authenticator that spits out a semi-random number that you have to input together with your password, that I can get behind. It works wonders. Typing in a number takes just seconds and you can generally install an application on your phone as well as have a hardware authenticator (or multiple) attached to one single account (so you're not tied down when on the move or when you manage to lose one or the other).

Of course EVE being EVE it'd be nice if you could use one authenticator for multiple accounts, think of poor Chribba folks... ;)
Roc Wieler
Brutor Tribe
Minmatar Republic
#37 - 2012-07-17 16:16:00 UTC
Last year at Fanfest they actually handed out random code generators. I still have mine. I think they went down this path and abandoned it. I would be interested in finding out why.

Never start a fight you can win.

highonpop
KarmaFleet
Goonswarm Federation
#38 - 2012-07-17 16:16:24 UTC
1 simple step in a bigger war against bots.


doit

FC, what do?

Verfanny
Brave Empire Inc.
Brave United
#39 - 2012-07-17 17:03:41 UTC
I would personally prefer an authenticator rather than a CAPTCHA.

My 0.02 ISK
Vaerah Vahrokha
Vahrokh Consulting
#40 - 2012-07-17 17:21:05 UTC
Kisumii wrote:
This is bollocks, Just do what RIFT did, If you log in from unfamiliar IP you cannot spend or move any items until you check your email for the coin lock code and punch it in game. Simples.

Unless of course you was dumb enough to get your game AND email hacked...


No, the majority of players is on dynamic IP and mails *by design* may arrive hours late.

Plus some folks (like me) since years have their accounts bound to an email that the server makes available only after 20 minutes or so. Imagine having to wait 20 mins per each log in.