
Login Form Discourages Secure Passwords


18 replies to this topic

#1 ToBe998

    Member

  • 23 posts
  • Location: Germany

Posted 19 November 2012 - 02:51 AM

And another thing not directly related to the mechs: the login screen. Many people are starting to use more complex passwords because of the many, many hacks on popular online services and games. This is a good thing and should be encouraged, but in MWO you simply can't use them.

You can't "remember" passwords on the login screen. I can understand that, as it is a possible security issue, but most people use a private PC in a secure environment (a PC sitting at home). So "remembering" would be a nice help for users of very long and/or complex passwords. Show a hint to warn about security if you really need to.

The other thing, and that one is even more important, is the lack of any "Cut&Paste" feature on that login screen. Many people store their passwords in some safe and secure software. They use many different passwords to ward against security breaches of single sites. And this is even more important than using long passwords. But you just can't remember all of them, so Cut&Paste is the usual way to go.

The lack of Cut&Paste or at least a "remember password" feature results in people using very short and very easy to remember passwords. And this is exactly what you really don't want.

tl;dr:

- Add Cut&Paste abilities to login form to allow complex passwords (Very Important)
- Add "remember password" maybe with a fat warning box (Arguable)

#2 Deadoon

    Member

  • 965 posts

Posted 19 November 2012 - 03:16 AM

I actually have something to add to this: IP and email confirmation on IP for logins. Use a similar system/idea as Steam Guard and a less secure password would be much less of an issue, unless you use the same password for your email of course, then you practically deserve your account to be hacked.

#3 Vincent Lynch

    Member

  • Shredder
  • 1,652 posts
  • Location: Vienna

Posted 19 November 2012 - 08:17 AM

A "remembered" password is NOT a "secure" password.
It's not very difficult to hack that.

Pro tip: if you can't remember a password of the secure type, then take one long sentence that is easy to remember and let your password be the letters with which the words begin (or end, or both), including the commas and stuff.

Example: From "I got 99 problems, but a b**** ain't one." you can make "Ig99p,baba1."
(Took that example because it contains numbers, not for any other reason.)
Of course you should take a less well-known sentence, preferably one which does make sense only to you and no one else.
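
The scheme in post #3 as working code, added here as an example; it is not code from the post or from the game. It keeps the first (or, with `use_last=True`, the last) letter of each word, keeps numbers whole, and keeps sentence punctuation. The `NUMBER_WORDS` table is my assumption, added so the output matches the post's "Ig99p,baba1." (the post turned "one" into "1" by hand); `character_classes` is a rough sanity check, not a strength estimate.

```python
"""Derive a password from a memorable sentence (added example, not from the post)."""

# Punctuation that survives into the password ("including the commas and stuff")
KEEP = set(",.;:!?")

# Assumption: spelled-out numbers become digits, as the post's example does.
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def _split_token(token: str):
    """Return (leading punctuation, word core, trailing punctuation) for one
    whitespace-separated token, dropping characters that are neither
    alphanumeric nor in KEEP (so "b****" becomes "b" and "ain't" becomes "aint")."""
    cleaned = "".join(c for c in token if c.isalnum() or c in KEEP)
    i = 0
    while i < len(cleaned) and cleaned[i] in KEEP:
        i += 1
    lead, rest = cleaned[:i], cleaned[i:]
    j = len(rest)
    while j > 0 and rest[j - 1] in KEEP:
        j -= 1
    return lead, rest[:j], rest[j:]


def sentence_to_password(sentence: str, use_last: bool = False) -> str:
    """Build the password: one letter per word, digits kept, punctuation kept.

    use_last=False keeps the first letter of each word, use_last=True the last.
    """
    parts = []
    for token in sentence.split():
        lead, core, trail = _split_token(token)
        if not core:
            piece = ""                         # token was only punctuation
        elif core.isdigit():
            piece = core                       # numbers are kept whole
        elif core.lower() in NUMBER_WORDS:
            piece = NUMBER_WORDS[core.lower()]  # assumed "one" -> "1" rule
        else:
            piece = core[-1] if use_last else core[0]
        parts.append(lead + piece + trail)
    return "".join(parts)


def character_classes(password: str) -> set:
    """Report which character classes the result covers: lower, upper, digit, punct."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("punct")
    return classes


if __name__ == "__main__":
    pw = sentence_to_password("I got 99 problems, but a b**** ain't one.")
    print(pw, sorted(character_classes(pw)))
```

Run it and the post's sentence gives "Ig99p,baba1." covering all four character classes; the same sentence with `use_last=True` gives a different, equally memorable result from the same mnemonic.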

#4 ToBe998

    Member

  • 23 posts
  • Location: Germany

Posted 19 November 2012 - 08:54 AM

As I said, "remember" is arguable. I still think it should be secure enough if I'm the only person ever to use my system. I can still live without it.

But why is Cut&Paste not implemented? One can easily argue that passwords based on easy to remember sentences are insecure too. And they too are much hassle to type. And anything that is not easy to type is not used -> people use easy 5 letter passwords. And we know how secure those are...

#5 Deadoon

    Member

  • 965 posts

Posted 19 November 2012 - 11:03 AM

I just thought: is it possible to have the hash that is sent through for a password be IP verified? Like, if that remembered password (password hash) used a derived code from your IP added onto your password, it would make a hash dictionary attack nearly impossible.

#6 Seravos

    Member

  • 59 posts

Posted 19 November 2012 - 02:05 PM

Most hacks occur from phishing downloads or websites, friends whom you told your password to, or the service itself being hacked. Use a different e-mail for your accounts than your socializing and there shouldn't be a problem.

#7 ToBe998

    Member

  • 23 posts
  • Location: Germany

Posted 20 November 2012 - 02:39 AM

I don't think the typical player has many different email addresses. And it still wouldn't solve the problem that you are forced to use short and easy to remember passwords.

#8 Vincent Lynch

    Member

  • Shredder
  • 1,652 posts
  • Location: Vienna

Posted 20 November 2012 - 04:07 AM

ToBe998, on 19 November 2012 - 08:54 AM, said:

one can easily argue that passwords based on easy to remember sentences are insecure too.


No. Real pro hackers don't hack online games, they hack banks and airlines and stuff. Online game hacking is script kiddie turf, and those scripts often work by simply brute force attacks by trying out everything from the most common languages' dictionaries.
Sentences are not in dictionaries, except if they are real famous quotes. That's what I meant: use sentences which only have meaning for you, and not some famous stuff Einstein or Ben Franklin said.

Alternatively use words from pretty rare or dead languages, or put a deliberate spelling error in your run-of-the-mill password so it won't show up in any dictionary.

#9 Captain Midnight

    Member

  • 657 posts

Posted 20 November 2012 - 04:53 AM

God forbid someone hack my account and use the PGI backdoor into the pentagon mainframe to fire nuclear missiles at the chinese; that almost happened before I changed my password to some ancient greek bullshot.

Edited by Captain Midnight, 20 November 2012 - 04:53 AM.


#10 nigtig

    Member

  • 25 posts

Posted 02 December 2012 - 02:15 PM

Agreed with OP. It is simply moronic that you can't save your password or paste it.

This practically forces the user to do one of the following (all of which are bad):
  • use an insecure password that's easy to remember
  • reuse a secure password that he uses for other services (email, bank etc)
  • reuse a secure password that he uses for other services (email, bank etc), but with a variation, such as suffixing with "_mwo" or "1"
  • use a secure password but type it in every time by reading it off paper or a text file
If the user doesn't choose one of the above, the only other choice is to create a new secure password, which is a pain in the *** to remember.
Moreover, this is very annoying for me, because every time I play, I have to type my ******** password in, this is simply a waste of time.

Perhaps one could use a program that emulates the user typing in the password so he doesn't need to paste it, this would still be a huge pain in the *** for me.

Also, I don't care if my account gets stolen, I just want to play the game, and tons of other people think the same.

I'm sure there is some stupid reason why there's no remember password button. Perhaps devs think a virus will get on the PC and steal the password from the disk. But that is not an issue. If you have a virus, you're already owned. Since the password is not saved, the virus will just capture the password as the user types it in.

Worried about a user going on your computer and stealing your password from disk? If he could do that, he can install a keylogger too.

There's no ******* reason for this stupid ****.

If you're so worried about this non-problem that remembering password is somehow insecure, there should at least be a hidden option to enable remembering password at your own risk (for super advanced experts) only.

There is a game commonly known as "crap game" (real name is Combat Arms); it's known to be one of the worst quality games in existence, and it also has this problem, and I can understand why: the game and the company that makes it are both crap. But a Mechwarrior game having such a dumb bug? Come on! This is shameful.

This is a security vulnerability by the way. I should file a CVE.

Edited by nigtig, 02 December 2012 - 02:27 PM.


#11 Tempered

    Member

  • 730 posts

Posted 02 December 2012 - 04:27 PM

Actually I think that most game account hacks are from key loggers, in which case, it is generally something you downloaded from a forum. Password complexity doesn't help here.

#12 Suicidal Idiot

    Member

  • 404 posts

Posted 02 December 2012 - 04:45 PM

From the genius at XKCD:
http://xkcd.com/936/

#13 nigtig

    Member

  • 25 posts

Posted 03 December 2012 - 03:29 PM

Tempered, on 02 December 2012 - 04:27 PM, said:

Actually I think that most game account hacks are from key loggers, in which case, it is generally something you downloaded from a forum. Password complexity doesn't help here.

I really have no clue which way is more common. Extracting from the disk is easier to automate so you can massively distribute a virus and get a nice batch. To automate with a keylogger, you'd have to do some heuristics to figure out which sequence of keys was the password - and if you're doing this, you're already writing custom code and probably know how to circumvent any system anyhow. However, keylogger is easier for someone who doesn't know what he's doing to just keylog everything and manually look through and find the password, and do that to a few people, just probably not more than thousands.

Anyways, I don't think there's any reason to try and quantify which way is more common, as designing a system under either assumption is bad.

#14 Tuku

    Member

  • The Grizzly
  • 529 posts

Posted 03 December 2012 - 09:25 PM

The 2 problems that the OP has with the login, which supposedly discourage secure passwords, are also security threats... interesting.

#15 Socket7

    Member

  • 221 posts
  • Location: Capping your base

Posted 03 December 2012 - 10:08 PM

If your PC is in a secure enough location that you can leave the password cached in the program, you can write it down on a stickynote and paste it on your monitor.

Let's face it, if someone robs your house, they aren't going to be stealing your MWO account.

#16 focuspark

    Member

  • The Ardent
  • 3,180 posts

Posted 04 December 2012 - 01:02 AM

The big reason for not storing the password is because games like this tend to have third-party software shared among players for doing stuff like planning mech loadouts. If the password were stored locally it would be in a known location which would be easy to read and therefore steal. You say you wouldn't care if somebody stole your account, but I'd wager once you have significant XP and CB built up or have some MC you'd be raving mad if your account were stolen.

Lacking paste functionality is just lame. No good excuse for that.

#17 WaddeHaddeDudeda

    Member

  • 1,567 posts
  • Location: Allocation Relocation Dislocation

Posted 04 December 2012 - 01:50 AM

nigtig, on 02 December 2012 - 02:15 PM, said:

Moreover, this is very annoying for me, because every time I play, I have to type my ******** password in, this is simply a waste of time.

Also, I don't care if my account gets stolen, I just want to play the game, and tons of other people think the same.

So who exactly is holding you off from choosing a PW like "123456" or something else along the lines? Something even YOU should be able to enter in no time.

#18 Oderint dum Metuant

    Member

  • Ace Of Spades
  • 4,758 posts
  • Location: United Kingdom

Posted 04 December 2012 - 01:59 AM

F2P Game = No benefit for account hacking.
No In game transfer = No benefit for account hacking.
Support Service that will restore account = No benefit for account hacking.

Paranoid super passwords = Not so super.
Stored Passwords on users PC = Priceless

I know which, as a hacker, I would target, and it would not be the F2P game I get nothing from.

Edited by DV McKenna, 04 December 2012 - 02:00 AM.


#19 nigtig

    Member

  • 25 posts

Posted 04 December 2012 - 03:56 PM

focuspark, on 04 December 2012 - 01:02 AM, said:

The big reason for not storing the password is because games like this tend to have third-party software shared among players for doing stuff like planning mech loadouts. If the password were stored locally it would be in a known location which would be easy to read and therefore steal. You say you wouldn't care if somebody stole your account, but I'd wager once you have significant XP and CB built up or have some MC you'd be raving mad if your account were stolen.

Lacking paste functionality is just lame. No good excuse for that.


You know keyloggers exist, right? You should also know that anyone can use a keylogger, it's not hard.

WaddeHaddeDudeda, on 04 December 2012 - 01:50 AM, said:

So who exactly is holding you off from choosing a PW like "123456" or something else along the lines? Something even YOU should be able to enter in no time.


"123456" takes too long to type. In retrospect, I should have chosen "asdasd". Either way it's still annoying and takes time, not to mention typos. For example, when I'm stomping on the keyboard to skip the useless commercials at the start of the game, the password field ends up with some stuff in it initially, and I don't notice, or have to press backspace before typing my password. Multiply that wasted time by the number of players in the game times how many times they log in, then add the overhead of typos and remembering a password, etc.

Even if keyloggers didn't exist or were somehow a non-threat, there would still be a large percentage of the people saving their email password, and email can be used to reset the password and take over the account.

Here's a good rule in designing software:
Don't try to justify something if you don't know a reason for it.
DV McKenna, on 04 December 2012 - 01:59 AM, said:

F2P Game = No benefit for account hacking.
No In game transfer = No benefit for account hacking.
Support Service that will restore account = No benefit for account hacking.

Paranoid super passwords = Not so super.
Stored Passwords on users PC = Priceless

I know which, as a hacker, I would target, and it would not be the F2P game I get nothing from.


It's a F2P/pay for extra crap game. Habbo Hotel/Runescape are the same, and there are thousands of people getting hacked in them every week. Nothing can prevent this except the user being "smart" and not installing malware.