My suggestion for increased security of game accounts on FS.


33 replies to this topic

#21 Trailman

Trailman

    Member

  • Members
  • PipPip
  • 295 posts

Posted 10 August 2010 - 03:48

locking of account for incorrect password is already in place.


Only in the game; both Support and the Forums do not have such protection, and they need to as well. We are forced to use the same password for both Support and the Forums as the game, so without that kind of protection we are still subject to a brute-force attack.



#22 webhosting

webhosting

    Member

  • New Members
  • PipPip
  • 189 posts

Posted 10 August 2010 - 04:11

Just to be clear cows, We're not claiming we know more than you or anything stupid like that, I'm sure those of us offering advice just love the game so much that we're not quite sure what we'd do without it, and we're just sharing things we know with expert knowledge, in case our suggestions make your job just a little easier, and the knowledge to know you're 100% secure.

That's all.

#23 Trailman

Trailman

    Member

  • Members
  • PipPip
  • 295 posts

Posted 10 August 2010 - 04:18

Just to be clear cows, We're not claiming we know more than you or anything stupid like that, I'm sure those of us offering advice just love the game so much that we're not quite sure what we'd do without it, and we're just sharing things we know with expert knowledge, in case our suggestions make your job just a little easier, and the knowledge to know you're 100% secure.

That's all.


Correct but as I have learned in real life take advice from professionals when it is offered. Here in this post is both a coder and someone that deals with physical security and passwords are a big part of my job as it is his. HCS does not at this time allow special characters or symbols to my knowledge but if they did most would not use them. The key is KISS but make it secure. Not hard to do if you are an adult but much harder if you are a child.



#24 evilbry

evilbry

    Veteran

  • Members
  • PipPipPip
  • 3,172 posts
  • New Zealand

Posted 10 August 2010 - 04:24

Just to be clear cows, We're not claiming we know more than you or anything stupid like that, I'm sure those of us offering advice just love the game so much that we're not quite sure what we'd do without it, and we're just sharing things we know with expert knowledge, in case our suggestions make your job just a little easier, and the knowledge to know you're 100% secure.

That's all.


Correct but as I have learned in real life take advice from professionals when it is offered. Here in this post is both a coder and someone that deals with physical security and passwords are a big part of my job as it is his. HCS does not at this time allow special characters or symbols to my knowledge but if they did most would not use them. The key is KISS but make it secure. Not hard to do if you are an adult but much harder if you are a child.

Special characters can be used.

#25 webhosting

webhosting

    Member

  • New Members
  • PipPip
  • 189 posts

Posted 10 August 2010 - 04:27

Force the special characters on them, and problem solved :) Heck, default an un-removable character in the input box at both the start and the end, that cannot be removed. Go one step farther and make it a randomly generated one, so their password requires a special character as the first symbol and the last. Give them a nice explanation note, and presto, done.
Make sure it regenerates two new ones when they change their passwords.

#26 Trailman

Trailman

    Member

  • Members
  • PipPip
  • 295 posts

Posted 10 August 2010 - 04:33

Force the special characters on them, and problem solved :) Heck, default an un-removable character in the input box at both the start and the end, that cannot be removed. Go one step farther and make it a randomly generated one, so their password requires a special character as the first symbol and the last. Give them a nice explanation note, and presto, done.
Make sure it regenerates two new ones when they change their passwords.


Great idea but the coding would be a nightmare and how do you make them remember the characters? Not all use a save password function in the browser.

It is never a good idea to force things but as most commercial password security requirements they must be at least 6 characters long. I must admit I cheat I don't change mine every 90 days but each and everyone now meets commercial requirements which are both Alpha and Numerical in composition.

The best idea I had tonight was to use parts of your windows OS key as they will guarantee that you have a random unique password



#27 evilbry

evilbry

    Veteran

  • Members
  • PipPipPip
  • 3,172 posts
  • New Zealand

Posted 10 August 2010 - 04:36

Force the special characters on them, and problem solved :) Heck, default an un-removable character in the input box at both the start and the end, that cannot be removed. Go one step farther and make it a randomly generated one, so their password requires a special character as the first symbol and the last. Give them a nice explanation note, and presto, done.
Make sure it regenerates two new ones when they change their passwords.

That would turn more people away than it would solve with 'hacking' problems.

Something you need to remember is that FS is not something you would only play on your home PC. Like web based email clients it is often used in multiple locations. With this in mind, users will go for a password that can be remembered easily. If they are faced with a situation where they can not easily remember a password they need to remember in the biological vault, then they will be less inclined to use it.


This approach is not user friendly. There's a lot of people who log in from time to time with mobile devices or while out of town etc where they don't have their existing kit with them. This is only going to frustrate people further, and encourage bad practice such as writing the password down on paper and keeping it with them.

Improvements could be made, but this is not the correct way to do it.

A more logical solution is to have a feature the cows implement where it tests strength when it is entered and any that are below a certain value are not permitted. This allows the user to create one that is more 'friendly' to the biological vault, as well as educating people on what a "secure" password is.
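An added example, not part of the thread: one way the entry-time strength test suggested in the post above could work, using a rough character-pool entropy estimate that discounts repeats and sequential runs. The threshold, the deny-list and all function names are hypothetical, and the sample passwords are constructed.

```python
import math
import string

# Constructed sample deny-list; a real deployment would load a far larger one.
COMMON = {"password", "letmein", "qwerty", "dragon", "fallensword"}
MIN_BITS = 50.0  # hypothetical threshold, chosen for this example

CLASSES = [  # (alphabet, size added to the guessing pool)
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]


def pool_size(pw):
    """Size of the alphabet the password appears to be drawn from."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in pw))
    if any(ord(c) > 127 for c in pw):
        size += 100  # assumption: flat allowance for non-ASCII characters
    return size


def effective_length(pw):
    """Length after discounting repeats (aaa) and runs (abc, 321)."""
    count = 0
    for i, c in enumerate(pw):
        if i >= 2:
            step = ord(c) - ord(pw[i - 1])
            if step in (-1, 0, 1) and step == ord(pw[i - 1]) - ord(pw[i - 2]):
                continue  # third or later character of a repeat or run
        count += 1
    return count


def check_password(pw):
    """Return (accepted, estimated_bits, reason)."""
    # A deny-listed word with digits or symbols appended is still rejected.
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if core in COMMON:
        return False, 0.0, "common password with a suffix"
    pool = pool_size(pw)
    bits = effective_length(pw) * math.log2(pool) if pool else 0.0
    if bits < MIN_BITS:
        return False, bits, "below strength threshold"
    return True, bits, "ok"


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["Fluffy12", "abc123456", "password1!", "purple cow jumps moon"]:
        print(pw, check_password(pw))
```

A long all-lowercase phrase passes while a short name with two digits does not, which matches the point about memorable passwords; a pool-based estimate still overrates dictionary words, so the deny-list does real work here.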

#28 evilbry

evilbry

    Veteran

  • Members
  • PipPipPip
  • 3,172 posts
  • New Zealand

Posted 10 August 2010 - 04:43

Force the special characters on them, and problem solved :) Heck, default an un-removable character in the input box at both the start and the end, that cannot be removed. Go one step farther and make it a randomly generated one, so their password requires a special character as the first symbol and the last. Give them a nice explanation note, and presto, done.
Make sure it regenerates two new ones when they change their passwords.


Great idea but the coding would be a nightmare and how do you make them remember the characters? Not all use a save password function in the browser.

It is never a good idea to force things but as most commercial password security requirements they must be at least 6 characters long. I must admit I cheat I don't change mine every 90 days but each and everyone now meets commercial requirements which are both Alpha and Numerical in composition.

The best idea I had tonight was to use parts of your windows OS key as they will guarantee that you have a random unique password

Yeah that works well except for all the people who are not using legit keys. [the same key could be used historically on operating systems]. Also this is detrimental if you are physically burgled.

There's also a major flaw in the concept of being forced to change a password, which is down to the human element. When you create a password, say for something important, you put time and effort in to make it secure. Being forced to change it, humans become lazy. The more they change a password for something, the less complex it becomes. This then means that a password will become something like a pet's name with a couple of sequential numbers on the end. We have a million + users of our services and I can see how lazy some people get. Fallensword is a game with a lot of teenagers playing. They will not understand the importance of skurity, so thus tend to make things simpler. Many will play multiple games, thus keeping a similar or the same password is common practice. Having one that forces them to change will mean it will just become simpler to 'hack' because they don't want a huge list of passwords to remember. Human nature is its own worst enemy.

#29 Trailman

Trailman

    Member

  • Members
  • PipPip
  • 295 posts

Posted 10 August 2010 - 04:51

Yeah that works well except for all the people who are not using legit keys. [the same key could be used historically on operating systems]. Also this is detrimental if you are physically burgled.

There's also a major flaw in the concept of being forced to change a password, which is down to the human element. When you create a password, say for something important, you put time and effort in to make it secure. Being forced to change it, humans become lazy. The more they change a password for something, the less complex it becomes. This then means that a password will become something like a pet's name with a couple of sequential numbers on the end. We have a million + users of our services and I can see how lazy some people get. Fallensword is a game with a lot of teenagers playing. They will not understand the importance of skurity, so thus tend to make things simpler. Many will play multiple games, thus keeping a similar or the same password is common practice. Having one that forces them to change will mean it will just become simpler to 'hack' because they don't want a huge list of passwords to remember. Human nature is its own worst enemy.

Above is a quote from evilbry

If you have a key, almost any key will work; valid or not, it is still a random set of letters and numbers.

I agree with parts of this, but if someone steals your computer are they really interested in the games you played? No one but a fool does not have a log in password, so it is much easier to just replace the hard drive and then sell off the stolen goods that way.

Next, I agree it is much harder to make children understand the requirements of password security, and human nature is to be lazy with regard to things that they have to do. One of the reasons for the suggestions posted above. It makes it very easy to remember the passwords but also creates very good ones that will take a great deal of time to hack but still keep them short.



#30 evilbry

evilbry

    Veteran

  • Members
  • PipPipPip
  • 3,172 posts
  • New Zealand

Posted 10 August 2010 - 05:02

You underestimate criminal activities and human nature.

By throwing out all the paranoia concepts with password security you are overlooking the simplest actions of human nature. Humans are inquisitive by nature and they like to look around things. If you find a wallet, would you turn it in without looking inside? A common way of infecting computers is to drop a USB stick [in a bank, netcafe, wherever] with a trojan on it that runs when plugged into a device. The average person will see it on the ground, plug it in to see if they can help reunite it with their owner. Boom, Headshot, Trojaned.

Let's not forget, a criminal with a couple of tools can log into a computer and access many of the passwords without a prompt for security. Hell, even Firefox will just list them for you.

Just because you think a game you play may have no value to someone else, there's nothing to say they might log in, have a poke around the game and for the hell of it, create some carnage.

#31 Trailman

Trailman

    Member

  • Members
  • PipPip
  • 295 posts

Posted 10 August 2010 - 05:20

You underestimate criminal activities and human nature.

By throwing out all the paranoia concepts with password security you are overlooking the simplest actions of human nature. Humans are inquisitive by nature and they like to look around things. If you find a wallet, would you turn it in without looking inside? A common way of infecting computers is to drop a USB stick [in a bank, netcafe, wherever] with a trojan on it that runs when plugged into a device. The average person will see it on the ground, plug it in to see if they can help reunite it with their owner. Boom, Headshot, Trojaned.

Let's not forget, a criminal with a couple of tools can log into a computer and access many of the passwords without a prompt for security. Hell, even Firefox will just list them for you.

Just because you think a game you play may have no value to someone else, there's nothing to say they might log in, have a poke around the game and for the hell of it, create some carnage.



I never underestimate; that is my job. A good virus protection program will tell you if a USB is trying to install something, as will your personal firewall. I fully understand if someone really wants in they can find a way, but this is more to stop the casual hackers than the pros. Firefox will do so if you have not protected them with a different password for the protection of the file. There is not much you can do if they get into your personal computer except scan every day and correct problems found. 90% of the people that play this game are not subject to the same security requirements I am and so I really have no fear for my account but try to help all the rest protect theirs.

People are lazy by nature and that is a fact only those of us that have things to lose are really careful.

To change what you can where you can is everyone's responsibility but those that will not listen and or do what is required we can not really help.



#32 evilbry

evilbry

    Veteran

  • Members
  • PipPipPip
  • 3,172 posts
  • New Zealand

Posted 10 August 2010 - 05:27

You underestimate criminal activities and human nature.

By throwing out all the paranoia concepts with password security you are overlooking the simplest actions of human nature. Humans are inquisitive by nature and they like to look around things. If you find a wallet, would you turn it in without looking inside? A common way of infecting computers is to drop a USB stick [in a bank, netcafe, wherever] with a trojan on it that runs when plugged into a device. The average person will see it on the ground, plug it in to see if they can help reunite it with their owner. Boom, Headshot, Trojaned.

Let's not forget, a criminal with a couple of tools can log into a computer and access many of the passwords without a prompt for security. Hell, even Firefox will just list them for you.

Just because you think a game you play may have no value to someone else, there's nothing to say they might log in, have a poke around the game and for the hell of it, create some carnage.



I never underestimate; that is my job. A good virus protection program will tell you if a USB is trying to install something, as will your personal firewall. I fully understand if someone really wants in they can find a way, but this is more to stop the casual hackers than the pros. Firefox will do so if you have not protected them with a different password for the protection of the file. There is not much you can do if they get into your personal computer except scan every day and correct problems found. 90% of the people that play this game are not subject to the same security requirements I am and so I really have no fear for my account but try to help all the rest protect theirs.

People are lazy by nature and that is a fact only those of us that have things to lose are really careful.

To change what you can where you can is everyone's responsibility but those that will not listen and or do what is required we can not really help.

You have too much faith in the software you run to protect you :) another flaw of human nature.

#33 Trailman

Trailman

    Member

  • Members
  • PipPip
  • 295 posts

Posted 10 August 2010 - 05:38

I have faith in what I run because it is the best I can do, no one can be 100% protected unless you don't go on the internet. Even the Government has problems they are just not published like they are here. I know as a member of that community.

As I have said many times it would take a Cray computer at least a month to hack one of my passwords and I have invited the hackers to try. I am not worth it they know that what I am and my security is way too tight for them to get at me but I am not a normal player of this game either.



#34 webhosting

webhosting

    Member

  • New Members
  • PipPip
  • 189 posts

Posted 10 August 2010 - 05:49

I have faith in what I run because it is the best I can do, no one can be 100% protected unless you don't go on the internet. Even the Government has problems they are just not published like they are here. I know as a member of that community.


This I can attest to.

