Authenticator


55 replies to this topic

Poll: Authenticator (221 member(s) have cast votes)

Do you think an authenticator is essential to your security?

  1. Yes (133 votes [60.18%])


  2. No (88 votes [39.82%])



#41 Exilyth

Posted 06 August 2012 - 04:03 PM

All the computer security in the world is useless when someone drives a truck through your wall and steals the servers.
So, we need reinforced walls on the server farm and dragon teeth tank traps all around it.


Joke aside, most problems with phished passwords and hacked accounts can be traced back to layer 8 problems, e.g.
- someone has a weak password, like their birthdate, the name of their loved one or similar terms which can be easily known by others
- someone wrote down their password and lost the sticky note/page/piece of paper they wrote it on
- someone gives their password away to a "friend"
- someone goes to a gold/cheat/hack website and doesn't take the necessary precautions (such as, not visiting suspicious websites in the first place)

... and only a minority is really a fault on the part of the company, and those are often resolved easily with a little help from support.


The best way to protect your account is to pick a strong password. Also, you should run an antivirus program at all times.
Wikipedia has a list of antivirus programs which also contains many free to use solutions.

#42 Deathz Jester

Posted 06 August 2012 - 06:54 PM

Mota Prefect, on 06 August 2012 - 03:23 PM, said:

If people were just a bit smarter or actually used some common sense when making their passwords there would be no need for any type of special authenticator. So with that being said, make sure your passwords are secure using numbers, letters, and upper/lower case with at least 12 characters. Using that simple pretext will make 99% of your passwords secure from hackers and protect your accounts and computers.



I thought I could just post the ABC's and my birthday?

#43 McHallen

Posted 06 August 2012 - 07:03 PM

FoXabre, on 03 August 2012 - 07:32 AM, said:

Unless your credit info is saved I don't think there is a reason to have an authenticator. The most a hacker could do is sell your 'Mechs on you, Or if he/she were a nice hacker, they'd grind some C-Bills or XP for you. ;) Maybe make some improvements on your 'Mechs.

Everything is now Flamer boats >:V

#44 Reported for Inappropriate Name

Posted 06 August 2012 - 07:26 PM

lol authenticators. if there was good security in the first place you wouldn't need one.

#45 Renaissance

Posted 06 August 2012 - 08:10 PM

Authenticators are an illusion of security, and ultimately just make playing the game inconvenient. Instead of just putting in your name and password, now you have to use an authenticator and type in some 20 digit number combination in addition. And no, taking the time to type in 20 random numbers in addition to your password isn't that big of a deal in the grand scheme of things, but it's just easier to safeguard your computer by using a very strong password that isn't written down anywhere but memorized. Is typing in a 20 digit number every time you want to log in really that important? Considering your account is unlikely to be hacked to begin with, what's the purpose? That typing in that 20 digit number your authenticator gives you is going to protect you just ONCE and it will be worth having done it each and every time you have ever played the game?

I've never been hacked, because my passwords are extremely strong but also extremely memorable despite consisting of nonsensical words (with memorable capitalizations where necessary) and random numbers that have some random significance to me (the last 4 digits of my best friend's phone number in elementary school for example). It generally would take anywhere from 50,000 to 60,000 years (with something like 4 attempts a second 24/7/365) using the fastest military-grade processor available, to brute-force my passwords on any account I have on the interwebs. And I change that password several times a year. I don't use any 'master password' programs. I make sure my computer is free of keyloggers every day. I don't visit suspicious websites. I don't write my passwords down and stick them in a place I intend to go into public with -- whether IRL or on my computer. When I do surf the web, I swear by NoScript, AVG, and a few other programs. Any random number generator I use for password purposes (that requires really long numbers) consists of a single 20-sided die I had in High School -- I don't use computer random number generators. The numbers I generate from my 20-sided die get written down on a piece of paper and tucked into a safe place that's easily accessible but hidden, and never has writing on it to identify what the numbers are for. I generally identify what is needed by the first 5 or 6 digits to familiarize myself.

The only times my online game accounts have ever been compromised? Is when the game companies themselves have gotten hacked. It has 100% always been on their end, and never mine.

Sony Network? Rift? Cryptic Studios?

And honestly, when they've been compromised, any data that might have been mined from my specific account? Has likely been out of date and ultimately worthless to whoever compromised their infrastructure.

And yet the companies still try to sell authenticators to their customers. Why? The illusion of safety. The illusion of security. Your authenticator isn't going to do anything if the cyber-criminals hack the company's server database infrastructure. It's just another 6 or 8 bucks they can make off of their customers. Let their customers pretend they're going to be even more safe than before, give them that peace of mind. When in actuality the biggest threat is either that customer's own stupidity regarding password protection -- or their company's database security or lack thereof.

I've never used an authenticator, and I never will. If I'm going to protect my online accounts, I want to be the person responsible -- all the tools I have are the ones I've learned and picked up on. An authenticator is a placebo. It's snake oil.

#46 Genghis Black Death Khan

Posted 06 August 2012 - 08:23 PM

If you don't want to use it, don't use it, plain and simple. It would, however, benefit others who do want the additional security. As for the security being an "illusion", why would companies waste so much money and resources utilizing these tools to ensure their data is secured? I'm no expert in computers or anything for sure, but there's obviously something beneficial.

#47 Davion5150

Posted 06 August 2012 - 08:46 PM

***** Proof, on 05 August 2012 - 10:05 PM, said:


and avoid password like 1234 :P


Hmm. Time to change the password on my luggage.

#48 Renaissance

Posted 06 August 2012 - 09:10 PM

Genghis Black Death Khan, on 06 August 2012 - 08:23 PM, said:

If you don't want to use it, don't use it, plain and simple. It would, however, benefit others who do want the additional security. As for the security being an "illusion", why would companies waste so much money and resources utilizing these tools to ensure their data is secured? I'm no expert in computers or anything for sure, but there's obviously something beneficial.


You're right to a point -- an authenticator does have some benefit. But it's only going to benefit a very limited amount of people. I'm talking about calculated risk. Being hacked is unlikely to begin with. So it's not going to benefit the people who just aren't going to be hacked to begin with, and just wastes their time typing in 20 random numbers the authenticator gives them each time they want to play. It's really only going to benefit the person or people who do not have good password protection and/or make stupid mistakes and take risky internet behaviors that make them a target. They're either really bad at creating a strong password, or they're really bad at keeping that password a secret or difficult to brute-force. If they create a really bad password or make it easy enough to guess or brute force, then yes... the authenticator is going to help.

But why would companies spend so much money on an authenticator system? Because they want to make more money than what they spent on the security system (the software and developer labor hours), and the cheap Chinese piece of plastic and circuitry (the actual physical authenticator). That's where the illusion of safety comes in, and why authenticators have become popular. Rift was compromised and although the company (Trion Worlds) went to great lengths to play damage control, Rift had already had an authenticator system hooked up. That authenticator system did not stop a cyber criminal (or more than likely someone's bot who got lucky) from getting the passwords and confidential information (and limited amounts of credit card information, not whole numbers, but the last 4 digits and expiration dates) from a large number of subscribers. That in itself was more damaging than any singular hacking attempt on an individual.

And that's where the illusion comes from. The real threat is the company themselves getting hacked. And the real threat isn't some unscrupulous script kiddie or professional computer hacker... the real threat is the individual customer who makes themselves a target or makes themselves a victim in the making.

So while there is some benefit, it's a limited benefit and it isn't fool-proof. A password consisting of nonsensical words and numbers (with capitalizations) is not only going to be stronger, but it'll even make it memorable. You won't have to look at an authenticator display. It'll be in your head.

For example (this isn't a real password I have, and I encourage anyone reading this to not use it):

LampelousTarantulip95328. This could be a very strong password (again, please don't use this same exact example whatever you do). Why? It has 24 characters. It has 2 letters that are capitalized. And it has 5 digits thrown in. That means that in order to brute force that password, someone is going to have to accurately put in all 24 characters -- and accurately guess which 2 letters are capitalized and in what order, along with accurately guessing these 5 numbers. Not to mention none of the 'words' are actually words found in a dictionary (where brute-forcing really comes into play - yes, you aren't being a very good James Bond by picking aardvark as your password, either).

But is it memorable? If you can keep it to memory alone, it's even safer because it isn't written anywhere. But commit it to memory with a creative childish mind game. "It's a marvelous lamp! There's a tarantula on that tulip. 1995 was a great year, wasn't it? There were 3 of my friends who were 28 then."

By creating a password with that kind of thought process in mind -- you will do more for your internet account than any authenticator. Of course, all of that is null if you can't keep a keylogger off of your system. More importantly, it'll be in your head -- it'll be memorable and you can think back to it, and you won't have to waste time typing digits on a display screen.

#49 RG Notch

Posted 07 August 2012 - 06:51 AM

Genghis Black Death Khan, on 06 August 2012 - 08:23 PM, said:

If you don't want to use it, don't use it, plain and simple. It would, however, benefit others who do want the additional security. As for the security being an "illusion", why would companies waste so much money and resources utilizing these tools to ensure their data is secured? I'm no expert in computers or anything for sure, but there's obviously something beneficial.

Yes people will pay you more money for the "authenticators" than they cost you to produce.

#50 Knight2pwn

Posted 07 August 2012 - 08:51 PM

I find it stupid that it's needed, but I gots mine for three games. Rather have it than not. So I would grab one for MWO in a second. Gotta keep my virtual stuff locked up from the thieves ya know. Which would be funny if not true.

#51 ORIGINAL SteelWolf

Posted 09 August 2012 - 09:44 PM

Davion5150, on 06 August 2012 - 08:46 PM, said:


Hmm. Time to change the password on my luggage.

Spaceballs the movie

#52 ORIGINAL SteelWolf

Posted 09 August 2012 - 09:52 PM

As GM of a World of Warcraft guild my account there regularly receives emails from Blizzard asking me to change my password due to suspicious activity. I verify each email as authentic. WoW has a database where guilds can be looked up. Want to hack the guild bank and all its goodies? Hack the guild leader. So when authenticators came out I bought one. Push a button, enter in 6 random digits based on a seed on the server side and my guild's assets are better supported. So for me and my WoW guild you bet it's an added step in security. For MWO for me it's another step to protecting any personal information I have stored on the server and my equipment/MC. Been waiting 10 years for MW to come back. I don't want some ***** with an "I do it for fun" attitude messing things up. I had my 6 digit ICQ number stolen. I had been using it since ICQ had been out. The numbering system started out at 10,000. I had 172,911. When AOL bought ICQ I still had my account. When a Russian company bought it from AOL I lost it. Some ***1@***.ru now has it. And their customer support won't do shi.... And I have chat logs from years ago on backups proving I used the number. So when something is important you bet I want an authenticator. And the password for that account was 7 alpha passphrase and a special character. 8 characters in all. I use 12+ characters now and use a random 4 digit number on the end, middle or start. Hackers used to be good things/people back in the 70's/80's. Now they call them coders, and hackers are [Redacted].

#53 Gaizokubanou

Posted 09 August 2012 - 09:58 PM

Mota Prefect, on 06 August 2012 - 03:23 PM, said:

If people were just a bit smarter or actually used some common sense when making their passwords there would be no need for any type of special authenticator. So with that being said, make sure your passwords are secure using numbers, letters, and upper/lower case with at least 12 characters. Using that simple pretext will make 99% of your passwords secure from hackers and protect your accounts and computers.


What is with this... naive view of account security?

You guys need to understand that password complexity only protects you from brute force attack (which has other more useful safeguards). Otherwise having the longest and most complicated password in the world doesn't add a thing to your account security.

#54 Derek Icelord

Posted 09 August 2012 - 10:15 PM

Gaizokubanou, on 09 August 2012 - 09:58 PM, said:


What is with this... naive view of account security?

You guys need to understand that password complexity only protects you from brute force attack (which has other more useful safeguards). Otherwise having the longest and most complicated password in the world doesn't add a thing to your account security.

But by that same token an authenticator wouldn't help, either. If the security compromise is on the company's end and not the user, the authenticator would be compromised as well.

#55 Illuzian Pryde

Posted 10 August 2012 - 03:09 AM

Derek Icelord, on 09 August 2012 - 10:15 PM, said:

But by that same token an authenticator wouldn't help, either. If the security compromise is on the company's end and not the user, the authenticator would be compromised as well.

Yes but why compromise an account instead of the table which stores the credit card details and slip away undetected?

So many people in this thread are posting uninformed opinions on 2 factor authentication.

While some people bring up some valid points around certain companies charging far more than keys are worth, some companies charge very reasonable prices. A great example is PayPal. In addition there are many companies who offer 2 factor authentication to protect their customers and their assets. Perfect examples of these are banks and corporate entities (e.g. for VPN access).

If these technologies weren't tried and tested, large multinational companies wouldn't bother to invest in them. Some implement physical keys and others offer free apps for phones or text based token delivery.

There are various threats that can expose a password for example:
  • Key loggers
  • Same passwords across multiple sites where a compromised site stored a password in plaintext or even hashed and was reversed
  • Scams
  • Brute force attacks

While you can reduce the risks above by avoiding use of any password on any PC that is not your own (e.g. work PCs, public PCs etc.) to avoid keyloggers, have unique passwords across sites and use complex 8+ char passwords, there is always only 1 layer of security.

2 factor auth generally requires another auth server that hashes a combination password, e.g. a token + password, then hashes it and compares it with the hash the server believes is correct, which the server generated by using an algorithm to generate a token using a unique key identifier and the current time (which would be the same on the key) and combining this with the md5 or other hash stored in the database.

Please also note the md5 or other similar complexity hashing is extremely hard to reverse.

This is not a con and adds a definite layer of security depending on the implementation the company uses.

If you, the users, believe you can just exist on the internet for your entire existence without compromise, think again. A strong and unique password is just a single layer of defense - a token is by far, leagues ahead.

Don't be naive, and if you're going to be paranoid, be paranoid about security, not companies ripping you off for your protection.

#56 ORIGINAL SteelWolf

Posted 10 August 2012 - 11:36 AM

Blizzard Says Battle.Net Has Been Hacked

Posted by samzenpus on Thursday August 09, @07:52PM
from the all-your-password-are-belong-to-us dept.

An anonymous reader writes "Blizzard announced today that its Battle.net service was compromised. The company is urging users to change their login information immediately. Blizzard is stressing that payment information was not compromised. 'The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It's important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.'"

http://www.blizzard.com/SecurityUpdate

Edited by ORIGINAL SteelWolf, 10 August 2012 - 11:45 AM.





