Mar 11, 2008, 05:25 PM // 17:25
|
#61
|
Grotto Attendant
|
Quote:
Originally Posted by Shanaeri Rynale
This has been an issue for years now, with zero sign of improvement. Tbh it's pretty shameful it's not been resolved since it requires such simple changes.
- Cannot change Username (as mentioned above).
- You might be able to use symbols for your GW password, but you can't if you link it to PLAYNC.
- The max password length is limited to 13 chars, which is too low. 15 should be minimum
- No wrong password lockout
- Use of email as a user ID
These are BASIC security measures.
Other features people have been crying out for would be very simple to put in, and yet save people so much frustration and headache if they are hacked.
Things like
- Being able to lock a character to prevent deletion
- Marking some items in game as undroppable/untrashable/untradeable.
Computer security is TWO sided. We might have all the anti virus, firewalls, right behaviour all we want, but if the server side security is weak then it does us no good at all.
I realise the PlayNC side is NCSoft and not Anet, but it should not take two years for such a basic system to be put into place. It's almost bordering on the negligent to have such things outstanding for so long.
As the game gets older and people's time investment in their chars gets more and more, this issue becomes ever more serious for them.
Come on Anet/NCSoft, Sort it..
|
I could not agree more.
|
|
|
Mar 11, 2008, 09:02 PM // 21:02
|
#63
|
Grotto Attendant
Join Date: May 2005
Location: At an Insit.. Intis... a house.
Guild: Live Forever Or Die Trying [GLHF]
Profession: W/Me
|
That is IMO over the top for pretty much every account except perhaps credit card/bank access. It's bad enough having to remember 70+ passwords, having to remember 70+ random emails is even worse, and just results in people writing their PW and username on a post-it next to the computer screen - and where's your security then?
As long as you don't use an easily guessable password (username: MCHammer, password: MCHammer for example) and you don't give out your password to other people or other sites, you're extremely unlikely to get hacked, even if you've got a pretty normal password.
The exception is if you get infected with a keylogger, and then you're equally screwed no matter how complex your password is, and how secret your email.
Keyloggers, on the other hand, rarely materialize by themselves on your computer, they're pretty much always the result of downloading and running dodgy software (e.g. hacks is a classic when it comes to games).
My suggestion is instead to have a layered approach:
* a low security set with junk account and junk password for places like forums and Fileplanet. You use this everywhere where it doesn't really matter.
* a moderate security set with moderate security password for places where you care if people can access your account, e.g. Guild Wars account.
* a high-security set-up with unique and very random password for each site, for use where there's money on the line, e.g. banking, credit cards, paypal...
|
|
|
Mar 11, 2008, 09:15 PM // 21:15
|
#64
|
Underworld Spelunker
|
Quote:
Originally Posted by Numa Pompilius
That is IMO over the top for pretty much every account except perhaps credit card/bank access. It's bad enough having to remember 70+ passwords, having to remember 70+ random emails is even worse, and just results in people writing their PW and username on a post-it next to the computer screen - and where's your security then?
|
my bad on that.
every GW account has that.
and i have a use everywhere email with only 12-15 character random pass on the rest.
and i don't do the dodgy
bank and bill pay by phone with people i know at my local branch.
do that for everything and i might have it easier death leveling
|
|
|
Mar 11, 2008, 09:17 PM // 21:17
|
#65
|
Lion's Arch Merchant
Join Date: Jan 2008
Location: inside a tanning bed
Guild: It's Raining Fame Hallelujah 【傘回傘】
Profession: Me/
|
Using Brute Force on a GW account would be stupid, the longer your password is, and the more numbers in it, makes it 100x harder to crack. If I remember correctly, a password of 8 characters could take millions/billions of years to figure it out.
|
|
|
Mar 11, 2008, 09:50 PM // 21:50
|
#66
|
Desert Nomad
Join Date: Feb 2005
Location: Ascalon
Profession: E/
|
Quote:
Originally Posted by Numa Pompilius
My suggestion is instead to have a layered approach:
* a low security set with junk account and junk password for places like forums and Fileplanet. You use this everywhere where it doesn't really matter.
* a moderate security set with moderate security password for places where you care if people can access your account, e.g. Guild Wars account.
* a high-security set-up with unique and very random password for each site, for use where there's money on the line, e.g. banking, credit cards, paypal...
|
Well, you did pay for GW and most of us have spent an inordinate amount of time in game, so in that sense there is money on the line. But I do agree with the layered approach.
*Low security spam account for anything you have to sign-up for but is of little importance, like forums, surveys, websites, etc.
*Medium security for your personal email with friends, family, co-workers, etc.
*High security for your game accounts, banking, important work stuff, etc. And no, you don't have to create a new email for each of the things mentioned, but be sure to not give it out or use it for anything that presents a security risk.
|
|
|
Mar 11, 2008, 11:13 PM // 23:13
|
#67
|
Krytan Explorer
Join Date: Mar 2006
Guild: EOA
Profession: P/W
|
Quote:
Originally Posted by Ctb
Steal the list of encrypted passwords and you've defeated every one of those "protections". Very few systems are so insecure anymore that you can just hit them repeatedly with passwords and not get noticed, so dictionary attacks are mostly limited to files in the possession of the attacker (an especially dangerous risk is your own employees).
There are plenty of other options as well, yes, but that one in particular would be dangerous.
First it requires you to have write access to the code, and one would hope that the GWG account, the webserver, and the db server are running as sufficiently unprivileged users that this would be prevented. Failing that basic security step, it would still require obviously funny looking SMTP calls that should be picked up in basic daily log monitoring. Simply stealing the DB outright could be covered up effectively for days, weeks, or even forever on a typical website security setup, and you don't have to worry about creating new footprints later.
It all depends on the sophistication of the attacker and particulars of the victim, in the end.
|
Very true but you're circumventing protection by finding another flaw. The point is: a standard brute force attack on the Guild Wars login prompt isn't going to be effective (unless your password's: abba or aardvark). The video by the OP is probably just a trojan.
Last edited by FeroxC; Mar 11, 2008 at 11:16 PM // 23:16..
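Added example, not part of any post in this thread: a sketch of the "wrong password lockout" asked for earlier, plus the gap between guessing at a throttled login prompt and guessing against a stolen password file. The policy values, the account name and the 1e9 guesses/s offline rate are all assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values (hypothetical, not any real game's settings).
MAX_FAILURES = 5    # failed logins tolerated inside the window
WINDOW_S = 300      # sliding window, seconds
LOCKOUT_S = 900     # lockout length once the limit is hit, seconds

class LoginThrottle:
    """Per-account wrong-password lockout with a sliding failure window."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> unlock time

    def attempt(self, account, password_ok, now):
        """Record one login attempt; return 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"  # refused before the password is even checked
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent[0] <= now - WINDOW_S:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_S
            recent.clear()
        return "fail"

def max_online_rate():
    """Upper bound on guesses per second against one account under this policy."""
    return MAX_FAILURES / LOCKOUT_S

def years_to_exhaust(charset_size, length, guesses_per_s):
    """Time to try every password of this length at a given guess rate."""
    return charset_size ** length / guesses_per_s / (365 * 24 * 3600)

def replay(events):
    """Run constructed (time, account, password_ok) events through a throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(acct, ok, t) for t, acct, ok in events]

# Constructed sample: seven wrong guesses, then the real owner logging in.
SAMPLE = [(t, "player@example.com", False) for t in range(7)] + [
    (10, "player@example.com", True), (905, "player@example.com", True)]

if __name__ == "__main__":
    print(replay(SAMPLE))
    print(f"online, throttled: {years_to_exhaust(26, 8, max_online_rate()):,.0f} years")
    print(f"stolen file at an assumed 1e9 guesses/s: {26**8 / 1e9:.0f} seconds")
```

In the sample the owner's correct password at t=10 is refused as well, which is the cost of lockout when the login name is an email address others can guess.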
|
|
|
Mar 12, 2008, 12:57 AM // 00:57
|
#68
|
Krytan Explorer
Join Date: Sep 2007
Profession: Mo/N
|
Quote:
Originally Posted by FeroxC
Very true but you're circumventing protection by finding another flaw. The point is: a standard brute force attack on the Guild Wars login prompt isn't going to be effective (unless your password's: abba or aardvark). The video by the OP is probably just a trojan.
|
Haha the person whose password is aardvark is probably thinking no one would guess that. Unfortunately it's one of the first words in the dictionary lol.
|
|
|
All times are GMT. The time now is 04:55 AM // 04:55.
|