My suggestion for increased security of game accounts on FS.
#1
Posted 09 August 2010 - 15:52
As a coder of php and mysql, I would recommend to the cows, for recent happenings, to update a user's account to include a secret pin on login, and to have the ability to create one during new registrations. A third-level input surely wouldn't hurt for security purposes.
It would go something like this.
Create a new table for the pin, add a snippet of code that would add a pin input area (4 - 10 digits),
add another snippet of code that would force a user to create their own personal secret pin on their next login, and add a snippet of code to the forums to require the same pin from the table.
A snippet of code to retrieve the pin via email with a few security questions would also be wise since many will forget to write it down.
This will add a third layer of defense against current available brute force crackers.
I would also recommend a cool-down time of 5 attempts in 3 minutes, or a ban for 24 hours.
Also, to all the noobs: never ever give anyone your password. Not even your mother, and for heaven's sake never ever place someone as co-founder of your guild unless you know them very personally and for a long time, no matter what they promise you.
That should clear up many issues, but of course the cows are probably working on all of this.
I personally don't think that FS itself was brute forced; however, if it was, the user was using a weak password comprised of dictionary words and possibly a few numbers. Make your passwords long, random strings of letters, numbers and symbols for security. If the password was easy to guess, that's likely what happened. Otherwise I'd suggest the user's WinXP was brute forced, and a trojan installed that allowed the hacker to browse the HDD, desktop, files, folders, and probably cookies. A brute force attack uses dictionary files. Random strings can take years to crack.
#2
Posted 09 August 2010 - 16:38
#3
Posted 09 August 2010 - 17:07
Just as an example.. THIS is a secure password. Please no one use it.
m@Cq%~75$P
#4
Posted 09 August 2010 - 18:55
#5
fs_regnier7
Posted 09 August 2010 - 19:03
Well yes. Most people would be wise enough, or should be, never to use the same passwords repeatedly for all their accounts.
Just as an example.. THIS is a secure password. Please no one use it.
m@Cq%~75$P
I have something like that.... but over 20 characters long....
#6
Posted 09 August 2010 - 19:07
Well yes. Most people would be wise enough, or should be, never to use the same passwords repeatedly for all their accounts.
Just as an example.. THIS is a secure password. Please no one use it.
m@Cq%~75$P
I have something like that.... but over 20 characters long....
2 questions for you Reg
A: How long does it take you to log in to the game?
B: Is it all in your head? :mrgreen:
#7
Posted 09 August 2010 - 19:17
[ ] I am stupid and have a pathetic password and am likely to be hacked.
Why should the people who have at least a bit of intellect be ruined by those who have none?
Or at the least bothered or bugged, constantly.
And the fact that nearly every time it happens HCS bends over backwards and spends hours of their time correcting it.
Seems they finally got fed up of doing that.
You don't even have to use all digits and such to have a secure password.
4aLlen$w()7D
would be perfectly fine, well probably not anymore....
#9
Posted 09 August 2010 - 19:50
Could we have a tickbox for this in preferences ?
[ ] I am stupid and have a pathetic password and am likely to be hacked.
Why should the people who have at least a bit of intellect be ruined by those who have none?
Or at the least bothered or bugged, constantly.
And the fact that nearly every time it happens HCS bends over backwards and spends hours of their time correcting it.
Seems they finally got fed up of doing that.
You don't even have to use all digits and such to have a secure password.
4aLlen$w()7D
would be perfectly fine, well probably not anymore....
Repeating how stupid some passwords are is not helping the basic problem. Few people read the forum, so there'll always be people out there who don't expect some idiots just like to upset other people's fun, out of boredom, spite or just plain 'because they can'. However much you might call it stupid, this does not change the fact that the hack involved no sites, so warning about those is getting tiresome.
Besides, in what way is it logical to restore PANIC, and leave other players out in the cold? Their founder's password was also presumably a silly one, and a big guild like that would have been able to work itself back a lot easier than some smaller guilds, but somehow there everything is restored to what it was before, yet now that it concerns smaller guilds it's something that takes too much time?
Calling people pathetic, that's going far towards showing some mentality. Obviously, you've never been young, or a nub in anything, nor ever needed help with anything you were new at, but I fail to see how you are in any way hassled by it? HCS is a business; like all businesses, some customers aren't clued up, but it is all part of the income-generating everyday life to look after all customers.
#10
Posted 09 August 2010 - 20:00
Well yes. Most people would be wise enough, or should be, never to use the same passwords repeatedly for all their accounts.
Just as an example.. THIS is a secure password. Please no one use it.
m@Cq%~75$P
I have something like that.... but over 20 characters long....
2 questions for you Reg
A: How long does it take you to log in to the game?
B: Is it all in your head? :mrgreen:
Create a Notepad file on your desktop with the password in it. C&P it into the password field when you log in.
#11
Posted 09 August 2010 - 20:06
While there are some measures they could introduce, I know I would not want any such restrictions on me just to protect others.
So yeah going around and around in circles :/
I do agree that they should restore this guild as they have many others, mainly because, while it wasn't their fault, they could have more security measures (circles again).
Not a great idea there FusionJ, but not bad if you have a good firewall and real-time anti-virus protection (I still wouldn't advise it).
#12
fs_bhellion
Posted 09 August 2010 - 23:56
4aLlen$w()7D
would be perfectly fine, well probably not anymore....
GREAT! Now I have to change my password... *grumble*
#13
fs_littlejom
Posted 10 August 2010 - 02:10
2 questions for you Reg
A: How long does it take you to log in to the game?
B: Is it all in your head? :mrgreen:
A: 1 second
B: Remember password feature
C: Why do you need to log out anyways? :mrgreen:
#14
Posted 10 August 2010 - 02:21
Thanks to people giving out their user/pass, we're now limited to 1 session at a time. This means if you access FS from multiple PCs and/or browsers, you have to log back in each time you switch.
2 questions for you Reg
A: How long does it take you to log in to the game?
B: Is it all in your head? :mrgreen:
A: 1 second
B: Remember password feature
C: Why do you need to log out anyways? :mrgreen:
Also, the remember password feature should ONLY be used if YOU are the ONLY one to use that computer's user account.
#15
Posted 10 August 2010 - 02:25
<3 firefox portable with master password. In the event your computer is physically stolen it's a nice additional level of skurity.
Thanks to people giving out their user/pass, we're now limited to 1 session at a time. This means if you access FS from multiple PCs and/or browsers, you have to log back in each time you switch.
2 questions for you Reg
A: How long does it take you to log in to the game?
B: Is it all in your head? :mrgreen:
A: 1 second
B: Remember password feature
C: Why do you need to log out anyways? :mrgreen:
Also, the remember password feature should ONLY be used if YOU are the ONLY one to use that computer's user account.
#16
Posted 10 August 2010 - 02:28
As a coder of php and mysql, I would recommend to the cows, for recent happenings, to update a user's account to include a secret pin on login, and to have the ability to create one during new registrations. A third-level input surely wouldn't hurt for security purposes.
It would go something like this.
Create a new table for the pin, add a snippet of code that would add a pin input area (4 - 10 digits),
add another snippet of code that would force a user to create their own personal secret pin on their next login, and add a snippet of code to the forums to require the same pin from the table.
A snippet of code to retrieve the pin via email with a few security questions would also be wise since many will forget to write it down.
This will add a third layer of defense against current available brute force crackers.
I would also recommend a cool-down time of 5 attempts in 3 minutes, or a ban for 24 hours.
Also, to all the noobs: never ever give anyone your password. Not even your mother, and for heaven's sake never ever place someone as co-founder of your guild unless you know them very personally and for a long time, no matter what they promise you.
That should clear up many issues, but of course the cows are probably working on all of this.
I personally don't think that FS itself was brute forced; however, if it was, the user was using a weak password comprised of dictionary words and possibly a few numbers. Make your passwords long, random strings of letters, numbers and symbols for security. If the password was easy to guess, that's likely what happened. Otherwise I'd suggest the user's WinXP was brute forced, and a trojan installed that allowed the hacker to browse the HDD, desktop, files, folders, and probably cookies. A brute force attack uses dictionary files. Random strings can take years to crack.
I agree with everything said here. I would also suggest to HCS that we be able to use different passwords for both Support and here in the Forums. Attempt lockouts should also be implemented both here and for Support. 5 missed attempts should do 2 things: #1 lock you out from trying again for 10 minutes, #2 send an email to the email associated with the game that you have been locked out for 5 failed attempts. If this happens a second time within 24 hours the account should be locked until Support is contacted or an email is sent to one of the HCS crew to start a dialog about what happened. Yes, I understand this will increase your workload, HCS, but you need to help us protect ourselves. Again, I am a security consultant and deal with real-time physical security of both plants and businesses. Secure passwords are a part of my life and all of my clients' lives. Here are my suggestions on how to make a secure password, and they do include a provision for using special characters as well as spaces and the tab key if allowed.
**1st: Do not use the same password for the game as for your guild website**
2nd: Do not use common words or a string of numbers as your password to either the game or your guild website
3rd: Always use an alpha/numeric password that you can remember; the following is a suggestion that I give to my customers:
The last 2 digits of the year you were born (you only need one if you combine it with the address)
The first or last 2 letters of your first, middle or last name in any combination you want
The first or last 2 letters of your first or most loved pet's name
The first or last 2 numbers of your address (you only need one if you combine it with the birth year)
Anything from the street name where you live as well will work.
Always use at least one of the letters as a capital and another as lower case. The above can be used in any order you like.
This gives you many combinations that can be used both for the website and the game and is still something you can easily remember. I would recommend at least 3 of the above, and you can change which 3 depending on where you are logging in.
Some password programs allow special characters or spaces; if it is allowed, use it.
HCS does not to my knowledge :roll:
As an example, here is what 2 of my passwords would look like using 3 of the above items.
59kwbW, and here is another:
Lw90Ww
Both of these would take a great deal of time to brute force in any attack.
I might add that I am now using 128-bit WEP encryption keys for my passwords. These can be generated on any Windows 7 (Vista) computer using the network security area. You might also consider using parts of your Windows OS key, which I might add I just thought of and is a very good idea. It is always there, so you can always look at it if you need.
As added security, an Excel spreadsheet can be built using encryption and then placed on a flash drive (all of about 4 bucks) and used only when you need one you have forgotten.
To fight the key loggers, use the auto insert or remember password functions of the explorer program you use to go online with. I don't know anything about Chrome, but both Firefox and IE have this ability. Both files are heavily encrypted, but I do know IE has some problems. I use Firefox, by the way. Keep your anti-virus up to date and have it scan EVERY DAY when you first power up your computer. Never leave your computer online when you are not at it, as this leaves a way for outside hackers to get at you. It is really easy: in the lower right-hand corner is a network icon (you may have to turn on show network connections); click on it and disconnect it when you are going to be away from your computer, and when you come back reconnect and you are off and running. It takes all of about 30 seconds. For you hardwired folks, just unplug the network cable when you leave and plug it in again when you come back.
As I said in my original password posting we are losing way too many guilds to the hackers and need to help HCS protect the game by doing our part.
P.S. In my opinion a hack is a hack easy password or not and gear should be replaced as well as members let back in and xp restored from when they were kicked.
I do not believe a password should be required to remove tags, as that will make it very cumbersome to do so. It is up to us as founders to see to it that only the most trusted members have that right. It is also up to us to make sure that all who have that right understand what it means and make sure of password security. Only 1 other here has that right, and it gets removed when the hackers are really active, then restored when things have calmed down again.
Note 1: I love the idea of a pin, but apply it to changing founders; this will stop the hacker cold in respect of placing themselves in control of the guild. He will have to stay with the hacked account unless they got the founder's account.
HCS, you know from which IP we as a rule log in; give that IP a priority over all others, so if we attempt to log in to our account it will automatically log the other IP out, just as many of the messenger programs do.
I hope this will help both players and HCS in controlling the problem.
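The sample passwords quoted in this thread (m@Cq%~75$P, 4aLlen$w()7D, 59kwbW, Lw90Ww) come with different strength claims, and the check a defender would want is the size of the search space an exhaustive attack has to cover. The Python below is an added example written for this editing pass, not code from the thread or from HCS; the guess rate of one billion guesses per second and the 60-bit minimum are illustrative assumptions, not figures from the thread.

```python
"""Estimate the brute-force search space of a password from its character classes.
Added example for this thread; the 1e9 guesses/second rate and the 60-bit
minimum are illustrative assumptions, not figures from the thread."""
import math
import string

# Character pools an attacker must cover once a class is seen in the password.
POOLS = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
    ("space", {" "}),
)


def pool_size(password):
    """Sum of the sizes of every character class that appears in the password."""
    classes = [chars for _, chars in POOLS if any(c in chars for c in password)]
    size = sum(len(chars) for chars in classes)
    # Characters outside the known pools (e.g. non-ASCII) widen the pool by one each.
    size += len({c for c in password if not any(c in chars for _, chars in POOLS)})
    return size


def keyspace(password):
    """Number of candidates an exhaustive attack would try: pool_size ** length."""
    return pool_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the keyspace, assuming each character was chosen uniformly at random."""
    return len(password) * math.log2(pool_size(password))


def worst_case_seconds(password, guesses_per_second=1e9):
    """Time to exhaust the keyspace at the assumed guess rate (an upper bound)."""
    return keyspace(password) / guesses_per_second


def meets_policy(password, min_bits=60):
    """Simple policy check: require at least min_bits of estimated entropy."""
    return entropy_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in ("m@Cq%~75$P", "4aLlen$w()7D", "59kwbW", "Lw90Ww"):
        secs = worst_case_seconds(pw)
        print(f"{pw:14s} pool={pool_size(pw):3d} bits={entropy_bits(pw):5.1f} "
              f"worst case={secs / 31557600:.2e} years ok={meets_policy(pw)}")
```

The figure is an upper bound: it assumes every character was chosen independently at random. A password assembled from a handful of personal facts has an effective search space bounded by the number of ways those facts combine, which is far smaller than the character pool implies, so a policy check built on this estimate should be paired with a check against leaked-password and dictionary lists.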
#17
Posted 10 August 2010 - 02:35
Thanks to people giving out their user/pass, we're now limited to 1 session at a time. This means if you access FS from multiple PCs and/or browsers, you have to log back in each time you switch.
2 questions for you Reg
A: How long does it take you to log in to the game?
B: Is it all in your head? :mrgreen:
A: 1 second
B: Remember password feature
C: Why do you need to log out anyways? :mrgreen:
Also, the remember password feature should ONLY be used if YOU are the ONLY one to use that computer's user account.
This is a good thing :mrgreen:
#18
Posted 10 August 2010 - 03:32
LOCKING an account for an incorrect password for X amount of time could lead to abuse.
For example, PlayerA doesn't like PlayerB. PlayerA tries to log in as PlayerB and gets PlayerB's account locked for X hours. During that time, PlayerA can't do anything. PlayerA contacts HCS and it is resolved. The same abuse can happen again.
#19
Posted 10 August 2010 - 03:35
#20
Posted 10 August 2010 - 03:46
LOCKING an account for an incorrect password for X amount of time could lead to abuse.
For example, PlayerA doesn't like PlayerB. PlayerA tries to log in as PlayerB and gets PlayerB's account locked for X hours. During that time, PlayerA can't do anything. PlayerA contacts HCS and it is resolved. The same abuse can happen again.
I agree, which is why the email should be sent at the time. This gives the player a way to get in contact with HCS, and I believe the account should be frozen at the same time. The mail box gets stopped when the email is sent. Items can still be put there from the auction house from failed auctions.
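Posts #1 and #16 propose a failed-login lockout (5 attempts in a window, a temporary lock, an email on lock, and escalation to a Support-only unlock on a second lock within 24 hours), and post #20 points out that an account-keyed lock lets anyone freeze someone else's account by guessing wrongly on purpose. The Python below is an added example written for this editing pass, not HCS code or code from the thread; the user store, the PBKDF2 password check, the keying of the temporary lock on (account, source IP), the constructed addresses and the injected clock are my assumptions. It walks through the scenario from #20 and shows which part of the policy the keying choice addresses and which it does not.

```python
"""Failed-login throttle with email notification and escalation.
Added example for this thread; all names, constants and the keying scheme are
assumptions, not HCS's implementation."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

WINDOW = 3 * 60          # count failures inside a 3-minute sliding window (post #1)
MAX_FAILURES = 5         # 5 failures trip a lock (posts #1 and #16)
SOFT_LOCK = 10 * 60      # first lock lasts 10 minutes (post #16)
ESCALATION = 24 * 3600   # a second lock inside 24 h freezes the account (post #16)
PBKDF2_ROUNDS = 50_000   # stand-in password hashing; tune for production


def make_user(password):
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class FakeClock:
    """Injectable clock so lock expiry can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    def __init__(self, users, notify, clock):
        self._users = users                    # account -> (salt, hash)
        self._notify = notify                  # callable(account, message): the email
        self._clock = clock
        self._failures = defaultdict(deque)    # (account, ip) -> failure timestamps
        self._soft_lock_until = {}             # (account, ip) -> expiry time
        self._locks = defaultdict(deque)       # account -> timestamps of locks
        self._frozen = set()                   # accounts needing Support to unlock

    def _password_ok(self, account, password):
        record = self._users.get(account)
        if record is None:
            return False
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, expected)

    def attempt(self, account, ip, password):
        """Returns 'ok', 'bad_password', 'locked' or 'frozen'."""
        now = self._clock()
        key = (account, ip)
        if account in self._frozen:
            return "frozen"
        if self._soft_lock_until.get(key, 0) > now:
            return "locked"
        if self._password_ok(account, password):
            self._failures.pop(key, None)
            return "ok"
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW:   # drop failures outside the window
            recent.popleft()
        if len(recent) < MAX_FAILURES:
            return "bad_password"
        recent.clear()
        return self._lock(account, ip, now)

    def _lock(self, account, ip, now):
        history = self._locks[account]
        while history and history[0] <= now - ESCALATION:
            history.popleft()
        history.append(now)
        if len(history) >= 2:
            # Second lock within 24 h: freeze until Support unlocks (post #16).
            self._frozen.add(account)
            self._notify(account, "account frozen after repeated lockouts; contact Support")
            return "frozen"
        self._soft_lock_until[(account, ip)] = now + SOFT_LOCK
        self._notify(account, f"locked for 10 minutes after {MAX_FAILURES} failed logins from {ip}")
        return "locked"


def abuse_scenario():
    """Post #20's scenario: PlayerA hammers PlayerB's login from another address."""
    clock, sent = FakeClock(), []
    throttle = LoginThrottle({"PlayerB": make_user("correct-horse-battery")},
                             lambda acct, msg: sent.append((acct, msg)), clock)
    attacker_ip, victim_ip = "203.0.113.9", "192.0.2.10"   # constructed addresses
    attacker = [throttle.attempt("PlayerB", attacker_ip, f"guess{i}") for i in range(5)]
    victim_during_lock = throttle.attempt("PlayerB", victim_ip, "correct-horse-battery")
    return attacker, victim_during_lock, sent
```

Keying the temporary lock on (account, source IP) means PlayerB still logs in from the usual address while PlayerA's address is locked out, and the email tells PlayerB which address caused it. The freeze rule from post #16 is account-wide, so a determined PlayerA can still trigger it twice and freeze the account; that is exactly the trade-off post #20 raises, and the notification is what gives the real owner a route to Support.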