The 0.10.1d account changes
Sorry I did not read the whole thread, and this might have been asked before.
But if someone manages to steal a password (malware/leak from other games/...), isn't it likely/easy to know where that person lives or at least logs in from? Who would prevent anyone from using a proxy to bypass that "city" security measure? |
|
" I am sorry, but your argument is invalid, a dictionary attack would reduce the complexity of a "4 unaltered random words password" far below being secure. "
171,476 different words ^ 4 = 864.596.308.417.753.067.776 possibilities http://oxforddictionaries.com/words/how-many-words-are-there-in-the-english-language
Character set is roughly 52 alpha characters + 10 digits + ~12 symbols. 8 random characters that each can be 74 different things: 8 ^ 74 = 899.194.740.203.776 possibilities.
I can now clearly see how my argument is invalid.. And that's the last I'll say about that. If you want to learn about the subject then please google it and look at the top 1000 links.. Last edited by srnkrkgrd#2614 on Feb 25, 2013, 9:15:48 AM
|
There are simply so many ways to properly protect people, so many trustworthy methods and mechanisms, which are hard to mention here, without getting too much into the mechanics.
For me, a good approach would be a C++ corresponding method of OpenAuth 2.0, with the extra (optional) security of adding multiple devices to your account before being able to log in from that device (using MAC address + host-name as a unique device identifier). Also using a tap-click-swipe login mechanism instead of a plain password, and an external mobile app for account overview and device authentication, for locking/unlocking and reclaiming the account (in case it is hacked). All these (or any other similar methods) would take quite some time to be implemented, and, to the point of having to be realistic, and seeing it one step at a time, I am sure Grinding Gears is listening to the complaints and suggestions of people and will make the security even better, tighter and user friendly, in short time's notice. From there on, it is utterly frustrating to have one's account hacked and the items stolen, but, I am sure that, if the company's policy is "no returns", this is not because they don't care about the player base or are trying to evade, but because it serves a general purpose which has (sadly for many people, yes) been planned and accounted for before the Open Beta, meaning that they already expected such problems and already had such a policy laid out, aiming to secure the long-term quality of the game and not the compensation and satisfaction of a few players, the accounts of which were compromised; no matter how harsh this may sound. Consequently, I will agree that an application CAN and MUST enforce the tightest and hardest security measures possible and that the only excuse or reason not to do so is the time and effort required, as well as the balance between playability and security and the balance between a very satisfied player base versus a very secure player base.
On the other hand, however, having one's account hacked, WHEN THE APPLICATION IS NOT RESPONSIBLE FOR THE ACCOUNT COMPROMISATION (and sorry for the caps), is the player's fault, for not applying the hardest security measures to his account or computer. And yes, I would still say that even if my own account got hacked tomorrow. Since, however, this is a very special case (which also makes it very SUSPICIOUS), I don't know how and if there could be an exclusion to the general policy of the company, at least for some special cases. As well as an immediate security patch, to remedy the issues of the current one, until better security is implemented. Last edited by aryosgr#3381 on Feb 25, 2013, 9:21:59 AM
|
" I know there are a lot of possibilities. And most of them are more of a hassle to the user than they are beneficial. Therefore, I highly appreciate what Chris said about that stuff being optional, soon. A less beloved but much bigger game developer earned my personal disliking by ...repeatedly advertising some methods of account security, partly even forcing people to do so. All for the sole sake of saving cost with less support occupied with stolen passwords. -.- A friend of mine plays GW2, and every time he has to go to his email and unlock the account, I honestly don't know how he can live with such a pain, I could not. I really appreciate that GGG is not going that way, but instead puts it in the users' hands. I know there are a ton of users in all the games around the world that are poorly protected and tend to "get hacked" every now and then. And I see that such protection is necessary for some. It might be plain luck, it might be me being overcautious to the edge of paranoia, but I never "lost" a password to some "hacker" in my 12 years of playing MMOs. Therefore I can't state it too often how much I like the way GGG is going to handle this!
[edit:]
" I am sorry if I put it in harsh words, I did not mean to offend you. You said "common" words, and "common" words are those that are frequently used, therefore it can't be that many. At least not the whole dictionary. Some less educated people live with using a pool of words consisting of only a few hundred. :D Therefore, this is highly subjective, and however you put it, either of us might be right. Last edited by Taipion#0839 on Feb 25, 2013, 9:40:41 AM
|
Taipion, yes, intuitive design wins in most cases. With a lot of depth (in security, content, options, or whatever) behind it, but using a nice layer of basic protection for those who don't care much or can't care much because they will never dig into the details and methods of betterness of any kind, whether that being security or anything else.
I like very much the way it is handled right now and my only "issue" so far is the constant activation / reactivation of the account*; this is why I proposed a secured, multiple, device authentication. However, without an external mechanism to handle this (e.g. a mobile app; well, even email activation could be used) it could be more of a security issue than a feature.
* There are people with dynamic IPs, who have to activate their account in order to log in. They receive their email, click on the activation and then try to log in, only to find out that their IP has changed once more and they need to re-activate their account again. In case of frequent, cross-city or cross-state ISP IP changes, this can stack up many times, making the user not able to play at all. Last edited by aryosgr#3381 on Feb 25, 2013, 9:53:29 AM
|
" Accepted.
" I didn't say common words. The brilliant cartoon that I stole from xkcd.com did.
" Short answer: No! (Think it over and if you don't reach the same conclusion after thinking then you need to either think more, google it or click here!! - thousands of people have explained this in tiny detail before, so I'm not about to do it!) - and please, you don't have to quote everything if you just want to comment on a little part. :) Last edited by srnkrkgrd#2614 on Feb 25, 2013, 9:59:41 AM
|
Alright, so maybe someone could clear this up for me, maybe I am not thinking correctly, but:
If they changed from "city" to outside of country before the account locks, doesn't that mean that anyone in your country could still log into your account if they had the password and it wouldn't get locked down?? This seems almost like a pointless countermeasure... Also, I know people get hacked randomly and on accident sometimes, but chances are as long as you don't download anything suspicious or any type of hacks, multibox software etc., you aren't going to get key logged. Also, what about adding specific security questions? ---- Just wanted to say thanks to Chris and the team for all the hard work and dedication. You guys are doing a great job. It's crazy to see how many people are using multiboxing/map hacking and key logging software already; I hope you guys can stay on top of the IP banning. |
|
" I decide to keep my opinion! :D If you tell someone to use 4 unrelated words as a password, for a common person this would mean several hundred, probably much less, possible words. And 100^4 is 100,000,000 which equals just 30 bit of security. This is quite possibly still sufficient, and an attack would have to be specifically built for this, but it is still far less secure than you stated! :p
" What is wrong with multiboxing? I used to run at least 3 clients in EVE Online simultaneously, sometimes up to 10.
" As for the customization of security measures, everyone can decide this for himself; for bigger countries though, province/local area might be more useful than simply the whole country. |
|
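The entropy argument the two posters above are trading (171,476 words to the fourth versus 74 symbols to the eighth, and Taipion's counter that a person's real vocabulary may be closer to 100 words) comes down to one formula: bits = length × log2(pool size), where the pool is whatever the attacker's dictionary actually covers, not the nominal one. The script below is an added example, not code from the thread or from the game's developers; the three scenarios and the guess rate of 10^10 guesses per second are constructed assumptions used only to make the comparison concrete.

```python
import math

# Constructed scenarios mirroring the figures argued in the thread.
# (pool_size, length): symbols drawn uniformly at random from the pool.
SCENARIOS = {
    "4 words, full Oxford vocabulary (171,476)": (171_476, 4),
    "8 random chars, 74-symbol alphabet": (74, 8),
    "4 words, ~100-word personal vocabulary": (100, 4),
}

# Assumed attacker throughput (offline hash cracking); an assumption, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret built from `length` symbols chosen
    uniformly at random from `pool_size` possibilities."""
    if pool_size < 2 or length < 1:
        raise ValueError("need a pool of at least 2 symbols and length >= 1")
    return length * math.log2(pool_size)


def search_space(pool_size: int, length: int) -> int:
    """Exact number of distinct secrets the attacker must consider."""
    return pool_size ** length


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(scenarios=SCENARIOS, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return one row per scenario, sorted from strongest to weakest.

    The key point for defenders: the attacker's dictionary size is what
    enters the formula. A passphrase drawn from a 100-word habit set has
    far less entropy than the full dictionary suggests, and an 8-character
    password is only ~50 bits even when every character is truly random.
    """
    rows = []
    for name, (pool, length) in scenarios.items():
        bits = entropy_bits(pool, length)
        rows.append({
            "scenario": name,
            "space": search_space(pool, length),
            "bits": round(bits, 2),
            "expected_seconds": expected_crack_seconds(bits, guesses_per_second),
        })
    rows.sort(key=lambda r: r["bits"], reverse=True)
    return rows


def strongest(scenarios=SCENARIOS) -> str:
    """Name of the scenario with the most entropy."""
    return compare(scenarios)[0]["scenario"]


if __name__ == "__main__":
    for row in compare():
        years = row["expected_seconds"] / (365.25 * 24 * 3600)
        print(f"{row['scenario']:<45} {row['bits']:>6.2f} bits  "
              f"{row['space']:>24,d}  ~{years:.2e} years")
```

Running it reproduces the two exact search-space figures quoted in the thread (the second of which the post writes as "8 ^ 74", although the number given is 74^8), and shows that 100^4 is about 26.6 bits: still out of reach of online guessing with any sane lockout, but well inside what an offline attack on a leaked hash can cover. The practical lesson is the one the thread is circling: the strength of a word-based scheme is set by how unpredictable the word choice really is, which is why generated passphrases (random picks from a large list) and a password manager beat both "common words" and short memorable strings.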
" Fair enough. Keep 'Password1' as being more secure than 'kødbollermeanskjøttboller' - I'm sure your logic is in no way flawed! ;)
" The real reason I'm adding to the thread is just to say: respect on EVE Online. I'm also one of those that think spaceships are serious business. o/ ;) |
|
" I did not say anything like that. From your way of argumentation, I conclude you would like to give up?! :D :D :D |
|