Eternal Lands Official Forums
The_Piper

Your password has expired

Why not let the server check how old a password is, and if it's older than 4 weeks (28 days), force the player to change it?

 

Meaning: when the server detects at login that the password is older than 28 days, it sends a message to do #change_pass old new and sets a flag. 5 mins later it checks again, and if the password is still older than 28 days, another message is sent and the client gets disconnected.

 

That would maybe "help" ppl to take more care about their password.

 

Piper


so if they don't change it in 5 min they'll need to contact entropy? probably more like repeat sending the "your password is too old" every few minutes until they change

 

people having to change passwords regularly, though, makes them more likely to use easy-to-remember ones, which are easier to break (yes, a generalisation. but I don't think it's inaccurate)

> so if they don't change it in 5 min they'll need to contact entropy? probably more like repeat sending the "your password is too old" every few minutes until they change

 

lol, no. They can log on again and have 5 minutes again to do #change_pass. It should become boring sooner or later to relog every 5 mins :P

 

Piper

> lol, no. They can log on again and have 5 minutes again to do #change_pass. It should become boring sooner or later to relog every 5 mins :P
>
> Piper

 

You could think of a combination of those two. For one hour it could send the message 'Your password needs to be changed'; after that, keep kicking from the game every 5 minutes.


Just leave it how it is.. if someone isn't mentally capable of remembering to change their password regularly (or they just don't care to), it's their deal.

> Just leave it how it is.. if someone isn't mentally capable of remembering to change their password regularly (or they just don't care to), it's their deal.

 

 

Also true, but shouldn't we care about them... a bit at least. I don't like listening to "someone's hacked my account". And in answer to whether anybody knows the password: 'Just my friend, and a couple of ppl in the guild, and I have the same password for all my characters and some of them I share with my friends'. bleh


your great idea may backfire after a while, in several scenarios:

 

1.) good ol' forgetful who can't remember anything finally remembers his password, and doesn't want to change it. the computer prompts for it, he changes it, and can't remember what it is.

2.) the person that comes up with crafty passwords finally gives up trying, uses something simple, and gets hacked.

*possible others, but no time left from me for now*

 

Ultimately, everyone needs to be responsible for their own char security, except in the case of server hacking. Even the best laid scheme of password security can be undone by lax thinking on the part of one person. Making the game remind them of this responsibility is nice, but making the game punish them for not taking it is inviting other problems, IMO.


at the other end of the scale is people who have something totally random they've memorised, but wouldn't be able to memorise a new one each month, so they have something easier to remember... hence easier to crack

> at the other end of the scale is people who have something totally random they've memorised, but wouldn't be able to memorise a new one each month, so they have something easier to remember... hence easier to crack

 

Erm, to be honest all commercial computer installations I know, from PCs up to big iron, force you to change your password every month. And I think that is not without reason.

 

Which big help would it be to have an insecure password for, let's say, a year? So let's better have 12 insecure passwords for a year; that cuts down the chance of getting hacked from 1/1 to 1/12.

 

Piper

> Could Blowfish be used to encrypt passwords?

 

Sure, but that wouldn't help. Blowfish can encrypt the passwords, so if someone hacks the server, they can't read them. But if someone runs a brute-force attack with a word list against the server, Blowfish wouldn't help at all.

 

It's about the quality of the password, and if ppl choose a password like "myelchar" for a char named "myelchar", well, who can help?

 

Piper

> Sure, but that wouldn't help. Blowfish can encrypt the passwords, so if someone hacks the server, they can't read them. But if someone runs a brute-force attack with a word list against the server, Blowfish wouldn't help at all.
>
> It's about the quality of the password, and if ppl choose a password like "myelchar" for a char named "myelchar", well, who can help?
>
> Piper

 

Are there any safeguards against the same user attempting to log in with 800k different password variations? Maybe a filter suggesting alpha-numeric multi-case passwords would help?

> Are there any safeguards against the same user attempting to log in with 800k different password variations? Maybe a filter suggesting alpha-numeric multi-case passwords would help?

suggestion 1: definitely should be. any system not securing against brute-force attacks like this is asking to be broken

2: back to my first point. the harder it is to crack, the harder it is to remember, and the more likely the user will try to find a way to make it easier to remember

 

as for regularly changing passwords, I'll give an example from when I had some classes at college (they were outsourcing a few classes at uni...). it wasn't a set amount of time, but a certain number of logins before you had to change pass.

similar enough for the example though.

our lecturer there said to just use the same password and put an increasing number at the end. 'password1' 'password2' 'password3' etc... and people will do this if they have to change their password regularly

when you weigh up the chances of them forgetting which number they're up to vs the slightly more difficult task of a dictionary attack... is it worth it?

 

when it comes right down to it, the technology of security we have or can have is very good. the person is the problem. tightening the technology is just strengthening the strongest link in a chain, it's going to break just as easily at the weak point

 

and for those password safe type things... with the way EL is designed, not using standardised widgets for username/password login as far as I've seen (though I didn't really go looking), they wouldn't be able to automate the process... the best you could do would be to have it display your password...

on a single user computer or a real multi-user system (windows with more than one user is neither), you have almost no more security than having a (possibly quite complex) password saved in el.ini

in the case of a windows computer with multiple users (or a multi-user system where you don't trust your admin, possibly), this is where encrypted passwords could be used... here and on the server

but you're still missing the problem point; the user

 

you can have manuals and such on creating good passwords and practicing good security, and these work quite well in business situations, but the casual gamer will ignore them. no matter what you do, either you don't force them to do it, in which case they ignore it, or you do force them, and they go elsewhere

 

yes, I'm pretty negative about this, and this should not be seen as a slight against any people making suggestions here... if anyone, it's against the random user who refuses to learn good security practices yet expects the security to work

 

so what would I suggest?

the server automatically blocks IPs if there are too many failed login attempts on any account from that IP (possibly based on speed too) (EL may have this already)

any char that gets too many bad login attempts could be locked, pending forum PM to admin (yes, this would be a pain, and may be used for a DOS attack on an account) (again, EL may already do this)

the regular soft reminders about passwords (I've seen these #bc-ed now and then. having it in the `connected' message is also possible)

in an obvious place, pointers on how to make a good password that's easy to remember (the acronym one* is great). this is one of the key parts

more difficult to do, but allow users to set IPs their char can be used from. this would be based on ISP, most likely... a country check could also be done (there's free software about that can be used to check the country of an IP). lotsa work for server devs, and the users have to use it (at the simplest level, the user puts in one command to limit access to their account from their current ISP/country), but it would be a serious lock against people cracking others' accounts

 

note that this is about making it easy for the user to be secure, and to make themselves more secure. make it hard, and they won't

 

*acronym passwords: have a phrase that's easy to remember, and take the first letter, last letter, every third, whatever. as long as you remember the phrase, you can get your password... but without the phrase, the password looks random

I'll give an example that uses a name instead of a phrase, in fact, the name of a great game from a while back.

ToTaL ANniHILation... note what the capitalised letters spell? (okay, so it's a username and not a password. but until I made it, it was no doubt unused)

 

 

ed: woah, I wrote a novel. I get kinda worked up about security at times <_<

> so what would I suggest?
>
> the server automatically blocks IPs if there are too many failed login attempts on any account from that IP (possibly based on speed too) (EL may have this already)
>
> any char that gets too many bad login attempts could be locked, pending forum PM to admin (yes, this would be a pain, and may be used for a DOS attack on an account) (again, EL may already do this)

Agreed, and I am pretty sure that the server has DOS attack protection already.

 

> the regular soft reminders about passwords (I've seen these #bc-ed now and then. having it in the `connected' message is also possible)

Doesn't work. Only a few players will change their password after #bc'ing such a message. I am still waiting for PMs like "Hey, on which channel are hints?????" after #bc'ing that... People don't read, that's it.

 

Displaying it at login time, the same. No one will read, understand or even do it. Sad but true. That ppl can read and understand texts is an urban legend!!

 

> in an obvious place, pointers on how to make a good password that's easy to remember (the acronym one* is great). this is one of the key parts
>
> more difficult to do, but allow users to set IPs their char can be used from. this would be based on ISP, most likely... a country check could also be done (there's free software about that can be used to check the country of an IP). lotsa work for server devs, and the users have to use it (at the simplest level, the user puts in one command to limit access to their account from their current ISP/country), but it would be a serious lock against people cracking others' accounts
>
> note that this is about making it easy for the user to be secure, and to make themselves more secure. make it hard, and they won't

 

No, make it a must and they must do it. Make it optional like you suggested, and no one will do it. That is a fact, believe me!

 

So

o force ppl to change their passwords every 28 or, better, 35 days

o forbid the use of one of the last 6 used passwords

o passwords should not contain: the account name, solid runs like aaaa or 56789

o passwords should contain at least 2 letters and 2 numbers

 

Mistyped passwords: Simply ban the char temporarily. First for 30 seconds, second for 1 minute, then 2, 4, 8, 16, 32, 64, 128 minutes and so on. Another way to stop a brute-force hack.

 

Do this and you have a fine and mostly secure password system. And if it's too hard to remember for players, they should write it down or use a password manager.

 

This is to protect their accounts and save us a lot of trouble and work. And if the PMs to Entropy about forgotten passwords double or even triple, it's still a win if investigating deep in server logs to prove/disprove obscure "hacked accounts" decreases to nearly zero.

 

Piper

Edited by The_Piper

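The password system Piper lays out in the post above (expiry after 28 or 35 days, no reuse of the last 6 passwords, no account name or solid runs, at least 2 letters and 2 digits, and a doubling temporary ban on mistyped passwords), as an added illustration. This is not part of the original thread and not Eternal Lands server code: the thresholds come from the post, while the `Account` structure, salted PBKDF2 hashing of the history entries (so old passwords are never kept in the clear) and treating any 4-character ascending or descending run, letters included, as a "solid run" are assumptions of this example.

```python
# Added example modelled on the rules proposed in the post above; not
# Eternal Lands server code. The Account structure, the PBKDF2 hashing of the
# history and the generalised "solid run" check are assumptions of this example.
import hashlib
import os
from dataclasses import dataclass, field

MAX_AGE_DAYS = 35          # "every 28 or, better, 35 days"
HISTORY_SIZE = 6           # "forbid the use of one of the last 6 used passwords"
RUN_LENGTH = 4             # "solid runs like aaaa or 56789"
MIN_LETTERS = 2            # "at least 2 letters and 2 numbers"
MIN_DIGITS = 2
BASE_LOCKOUT_SECONDS = 30  # "First for 30 seconds, second for 1 minute, then 2, 4, 8..."
DAY = 86400


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never stores reusable plaintext (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    changed_at: float = 0.0                      # unix time of the last change
    failed_logins: int = 0                       # consecutive mistyped passwords


def has_solid_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """True if any n adjacent characters are identical (aaaa) or step by
    exactly +1/-1 in code-point order (56789, dcba)."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def policy_violations(account: Account, new_pw: str) -> list:
    """Every rule the candidate password breaks; an empty list means acceptable."""
    problems = []
    if account.name.lower() in new_pw.lower():
        problems.append("contains account name")
    if has_solid_run(new_pw):
        problems.append("contains a solid run")
    if sum(c.isalpha() for c in new_pw) < MIN_LETTERS:
        problems.append(f"needs at least {MIN_LETTERS} letters")
    if sum(c.isdigit() for c in new_pw) < MIN_DIGITS:
        problems.append(f"needs at least {MIN_DIGITS} digits")
    for salt, digest in account.history[:HISTORY_SIZE]:
        if _hash(new_pw, salt) == digest:
            problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
            break
    return problems


def change_password(account: Account, new_pw: str, now: float) -> list:
    """#change_pass handler: applies the policy, records the new hash, resets the clock."""
    problems = policy_violations(account, new_pw)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(new_pw, salt)))
    del account.history[HISTORY_SIZE:]   # keep only the last 6
    account.changed_at = now
    return []


def password_expired(account: Account, now: float) -> bool:
    """Login-time check: older than MAX_AGE_DAYS means the player must change it."""
    return now - account.changed_at > MAX_AGE_DAYS * DAY


def lockout_seconds(failed_logins: int) -> int:
    """Temporary ban after the n-th consecutive mistyped password:
    30 s, 60 s, 120 s, 240 s, ... (doubling each time)."""
    if failed_logins <= 0:
        return 0
    return BASE_LOCKOUT_SECONDS * 2 ** (failed_logins - 1)


def record_login_attempt(account: Account, ok: bool) -> int:
    """Returns how long the char is banned after this attempt (0 on success)."""
    if ok:
        account.failed_logins = 0
        return 0
    account.failed_logins += 1
    return lockout_seconds(account.failed_logins)
```

The history check has to rehash the candidate once per stored entry because each entry has its own salt; with six entries that is a deliberate, bounded cost paid only at `#change_pass`, not at every login.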
> This is to protect their accounts and save us a lot of trouble and work. And if the PMs to Entropy about forgotten passwords double or even triple, it's still a win if investigating deep in server logs to prove/disprove obscure "hacked accounts" decreases to nearly zero.

 

The number one reason an account gets hacked is because of shared passwords. The least likely (for this game at least) is a genuine hacking. :D

 

If you want to cancel out one of the main causes for 'hacked' (isn't there a better term?) accounts, then make character sharing illegal.


From what I understand, Protolif's exploit used a creative way of spoofing the auth server and reporting the results to an in-game channel. No matter how obscure the player makes their password, they would still have been at risk without some type of encryption.

> From what I understand, Protolif's exploit used a creative way of spoofing the auth server and reporting the results to an in-game channel. No matter how obscure the player makes their password, they would still have been at risk without some type of encryption.

 

This thread topic is "Your password is expired", not "Protolif's hack".

 

And if we had had such a password system, we could have let all passwords expire at once and would now be sure that everybody did #change_pass.

 

Except begging per #bc and still not knowing if he has other passwords and will empty some storages sooner or later...

 

Piper


If there are ways to intercept PWs between the client and the server, having passwords expire on a regular basis would only add to the problem. Wouldn't it?

> If there are ways to intercept PWs between the client and the server, having passwords expire on a regular basis would only add to the problem. Wouldn't it?

 

This bug is fixed now, so it wouldn't. :)

 

Piper


You know, for people who forget passwords, writing them down isn't good either. After all, all you have to do is use a shared computer (I'm sure not everyone here is the only one playing EL where they play EL), pull out the password, use it, and forget it at the computer. Then, all anyone has to do is get that slip of paper, and the account is now potentially to be used by someone else.

 

Idea: building on the IP-restricting for each username. How about a console/command/something that allows users to set whatever IPs they want to be able to access their character from, and an option that they either can deny access to any IP not on that list, or require authentication of the user.

 

Then, to authenticate, the user would have to give an email address to the system (these could be restricted to not allow some emails, but only if the admins can override that for some players who may not have ISP email addys.) The server would automatically log the original signed-up IP of the character to the "allow" list, and if the person tries to log in with an IP that isn't that one, they would be prompted to enter a key. At the same time, a random generated key would be sent to their email, and they'd have to check it. They would have approx. 5 minutes to check email, and enter the key (probably something like typing #key 1A4ghIs65), and if they do this right, that IP is logged on their allow list. If they fail to enter the right key (maybe limit 3 attempts, or just one), or don't attempt for 5 minutes, the char would be locked, and they'd have to contact an admin.

 

Now, as for the five minutes: make them spend it in a screen similar to the new char creation screens, where they really can't interact with the game that much, but just enough to allow them to authenticate themselves.

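The emailed-key flow for unknown IPs described in the post above, as an added example that is not part of the thread and not the game's server code: an allow list seeded with the sign-up IP, a random key mailed when a login arrives from elsewhere, a 5-minute window, a limit of 3 attempts, and a lock that only an admin clears. The `Character` structure, the 8-hex-character key format, the `outbox` list standing in for a mail server, and the injected `now` timestamp (so the timeout can be exercised without waiting) are assumptions of this example.

```python
# Added example of the emailed-key check for unknown IPs proposed above; not
# Eternal Lands server code. The Character structure, key format, outbox
# stand-in for the mail server and injected clock are assumptions of this example.
import hmac
import secrets
from dataclasses import dataclass, field

KEY_TTL_SECONDS = 5 * 60  # "approx. 5 minutes to check email, and enter the key"
MAX_KEY_ATTEMPTS = 3      # "maybe limit 3 attempts"


@dataclass
class Character:
    name: str
    email: str
    allowed_ips: set = field(default_factory=set)  # seeded with the sign-up IP
    pending: dict = None    # open challenge: {"ip", "key", "issued_at", "attempts"}
    locked: bool = False    # set on failure; cleared only by admin_unlock


outbox = []  # constructed stand-in for the mail server: (email, key) pairs


def send_key_by_email(email: str, key: str) -> None:
    outbox.append((email, key))


def login_from(char: Character, ip: str, now: float) -> str:
    """Login-time check. Returns "ok", "challenge" (key mailed, player parked
    in the restricted screen) or "locked"."""
    if char.locked:
        return "locked"
    if ip in char.allowed_ips:
        return "ok"
    key = secrets.token_hex(4).upper()  # 8 random hex characters, e.g. 3F9A0C1E
    char.pending = {"ip": ip, "key": key, "issued_at": now, "attempts": 0}
    send_key_by_email(char.email, key)
    return "challenge"


def submit_key(char: Character, typed: str, now: float) -> str:
    """Handler for '#key <value>'. Returns "ok", "retry" or "locked"."""
    p = char.pending
    if char.locked or p is None:
        return "locked"
    if now - p["issued_at"] > KEY_TTL_SECONDS:      # window ran out
        char.locked, char.pending = True, None
        return "locked"
    p["attempts"] += 1
    typed_norm = typed.strip().upper().encode("utf-8")
    if hmac.compare_digest(typed_norm, p["key"].encode("utf-8")):
        char.allowed_ips.add(p["ip"])   # this IP now passes without a key
        char.pending = None
        return "ok"
    if p["attempts"] >= MAX_KEY_ATTEMPTS:
        char.locked, char.pending = True, None
        return "locked"
    return "retry"


def expire_pending(char: Character, now: float) -> bool:
    """Periodic server sweep: lock a char whose 5-minute window ran out."""
    if char.pending is not None and now - char.pending["issued_at"] > KEY_TTL_SECONDS:
        char.locked, char.pending = True, None
        return True
    return False


def admin_unlock(char: Character) -> None:
    """The "contact an admin" step from the post."""
    char.locked = False
    char.pending = None
```

The key is compared with `hmac.compare_digest` rather than `==` so that a wrong guess takes the same time regardless of how many leading characters matched, and the attempt counter is incremented before the comparison so a malformed or empty submission still counts against the limit.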

It would be 2 much trouble, ppl would get sick of it and just leave the game after losing their password notes or forgetting it every now and then.

 

U create a new password, use it 4 a while, then something in RL happens which makes it so u can't play 4 a while; when u get back u've 4got ur password, what do u do then?

Bother an admin 2 get u access 2 ur account again (if they can). I think a lot of ppl would be hassling the admin 4 their passwords and so on, and that's not a good thing; they have other things 2 think of and do than getting ppl their passwords back.

> It's a lot better than admins having to go back and solve the damage from hacks.

 

Already said it: the main reason for 'hacked' accounts is that people share their passwords with friends. Hell, a person has a higher chance of being totally scammed of their password than the original hacking. (Even if you triple the chance of a legitimate hack, it STILL isn't high <_< )

