want more security?

read the thread

  • YES!! omg plz do this

    Votes: 11 35.5%
  • No! gimme a cookie and leave me alone

    Votes: 20 64.5%

  • Total voters
    31

sumy

Ok, I have an idea about the storage system. My idea is that a password and username, different from your login, is put into place on your storage. So every time you enter your storage you have to type in your password and username. Due to all the recent hacks I think it would be quite safe, as before you log out you could put your most expensive things into your storage, then when you log in you get them back out. Although keyloggers would still get round this, maybe MA could keep a 24hr watch on the storage system to see if there is any third party or someone watching that player. If so, they lock the player's account down and contact the player saying they change their password and they need to get rid of the keylogger, then you send an email back to MA stating you have gotten rid of the keylogger and MA can send you your new password. In my point of view I think it would be quite a good idea, as it would prevent a lot more people losing their best items.

Sumy :umn:
 
Recent hacks? No, I think they're bugs. You seen all the bugs in the recent VU? Really. Look around. :laugh:

(Besides, my account password is uncrackable anyway. I dare anyone to try hacking my account. That's not part of MA, 'cuz god knows they probably don't use password hashing anyway; an MA employee could just "look up" my password and "hack" my account...)
 
No, I haven't been in game as much as I usually do, but take cyco kick (sorry if spelling is incorrect). Maybe a system like this could have saved his avatar and his items.
 
Sorry, I don't get it - how would MA know you've got a keylogger on board? Do you mean that everyone has a chance of entering someone else's storage? Or is it still only going to be the self storage? If it is the latter that's pointless, as with keylogging they would already know the storage password, and if it's everyone's storage open for all but you need a password, that's just outright suicidal, dangerous, *insert other remarks here*!! Then other people could just run scripts to try to hack into other people's storage - totally unsafe, and there's no protection from that unless MA get to sell another GC - no way!

I say just leave the system as it is, and go buy a GC - that way it's still safe!
 
wrong
...........
 
Yup you got gold card for protection, don't see the use of protecting your items but leaving your skills for the taking... (or would we get a special storage for those :D , or chip them out every time you log off lol)

I know of such a system on another crappy noobgame, that is pretty hard to crack even with a keylogger (changing buttons etc), so it would be safer, but MA already got a goldcard, so if you don't trust your own password --> change it ;)
otherwise, buy a goldcard :tongue2:
 
Good with new kinds of systems, but this will not be done by MA.

Perhaps the password-thing only, since it wouldn't cost them so much to implement this.

A keylogger does not only get the password that you are using to login to PE. He gets every other keypress you do as well. So if MA implemented this system it would only take more time and a lot more "effort" to hack someone's account.

It would be good if they implement this, but 200 ped for a GC? Go for that GC! It's worth way more than 200 ped. Ask those who lose thousands of peds for being so cheap, not buying a GC for 200 ped. Their loss ;)

MA makes money from people buying their Gold Cards. We save money by never ever getting hacked.

Long live the GC! Saves you a lot of trouble for hardly any money at all.
 
Falcon4 said:
Recent hacks? No, I think they're bugs. You seen all the bugs in the recent VU? Really. Look around. :laugh:

Actually, there have been 3 or 4 recently hacked accounts reported here on EF. Search around :laugh:

Falcon4 said:
(Besides, my account password is uncrackable anyway. I dare anyone to try hacking my account.

That is just a silly thing to say :wise:
 
If you are in fear of your account being hacked, then you must have done something or had something happen to bring this fear about.

Just change your password once every month or every other month. That is the unhackable way. Or don't play! That is a sure fire way!
 
Lady Mercury said:
wrong
...........

Sorry, I don't get that either. Who's wrong? Me? Someone else? Please explain your comments, it kinda helps people understand :D
 
Falcon4 said:
Recent hacks? No, I think they're bugs. You seen all the bugs in the recent VU? Really. Look around. :laugh:

(Besides, my account password is uncrackable anyway. I dare anyone to try hacking my account. That's not part of MA, 'cuz god knows they probably don't use password hashing anyway; an MA employee could just "look up" my password and "hack" my account...)

LMFAO, overconfidence is your greatest weakness and will undoubtedly be your downfall my friend. There's no such thing as a secure password, it's like saying you're secure in your house because you have a deadbolt on the door. All they do is keep honest people honest.

@Topic: The password on the storage would be more of a burden to the user than protection against a hacker. 90% of the people would use the same password for storage that they would their login, and if someone already hacked into your account they would know your password. Also to note that in a few of these cases the account was worthless anyways. And who would be sure to ditch their high level gear into storage before they signed off? I know I wouldn't. I leave my gear on me so I don't have to mess about before I log off (usually in a hurry too)

It's a nice idea, but one that doesn't make a lot of logical sense and I highly doubt that MA would ever implement something like this.

+rep for keeping the brain working though :D
 
What about the Gold Card? I think that's secure enough ... and they (MA) started shipping 'em again ... :rolleyes:
 
andyzammy said:
Sorry, I don't get that either. Who's wrong? Me? Someone else? Please explain your comments, it kinda helps people understand :D


It was a double copy post. If you'd check this more closely, I put another answer (which is the right one) two posts below - But here it is again, quoted.

Lady Mercury said:
Good with new kinds of systems, but this will not be done by MA.

Perhaps the password-thing only, since it wouldn't cost them so much to implement this.

A keylogger does not only get the password that you are using to login to PE. He gets every other keypress you do as well. So if MA implemented this system it would only take more time and a lot more "effort" to hack someone's account.

It would be good if they implement this, but 200 ped for a GC? Go for that GC! It's worth way more than 200 ped. Ask those who lose thousands of peds for being so cheap, not buying a GC for 200 ped. Their loss ;)

MA makes money from people buying their Gold Cards. We save money by never ever getting hacked.

Long live the GC! Saves you a lot of trouble for hardly any money at all.
 
safara said:
That is just a silly thing to say :wise:

Nono, it's just a ballsy thing to say. Silly, yes... stupid, no. :wise:

Unless MindArk themselves are the one doing the hacking, or MA stores passwords in plaintext format in the database*, there's no way you'll find my password without bruteforcing it.

And to get my password by bruteforcing it, it'll take about 98,169,152,742,448 attempts. :laugh:

* - In case you don't know why this is a security risk... usually, in any WELL WRITTEN system, passwords are write-and-compare-only. You type in a password and it creates an MD5 encryption hash out of the password and stores that value in the database. MD5 hashes can only be compared - there's no (realistic) way to work backwards and produce your password out of your hash. However, if MA is using an insecure system that both allows hashes to be read out of the database via a hack, as WELL as being able to directly inject an MD5 hash into the password-check, they don't even need to know your password - just your hash. :p

And that's why.
 
Falcon4 said:
Nono, it's just a ballsy thing to say. Silly, yes... stupid, no. :wise:

Unless MindArk themselves are the one doing the hacking, or MA stores passwords in plaintext format in the database*, there's no way you'll find my password without bruteforcing it.

And to get my password by bruteforcing it, it'll take about 98,169,152,742,448 attempts. :laugh:

* - In case you don't know why this is a security risk... usually, in any WELL WRITTEN system, passwords are write-and-compare-only. You type in a password and it creates an MD5 encryption hash out of the password and stores that value in the database. MD5 hashes can only be compared - there's no (realistic) way to work backwards and produce your password out of your hash. However, if MA is using an insecure system that both allows hashes to be read out of the database via a hack, as WELL as being able to directly inject an MD5 hash into the password-check, they don't even need to know your password - just your hash. :p

And that's why.

Well I would say that it's a wild assumption to say that MA doesn't encrypt their database. And it would be very bad business practice if this were the case. I'm not a fanboi or anything of the nature, but I couldn't think of a single programmer that would store passwords in plain text.

Also there is no such thing as unbreakable encryption. It's just math that can be undone at any time. The point of security and encryption isn't to make it unbreakable. It's to make the ratio of time and $$ spent outweigh the money and information gained.

And I still think you falsely assume that your password is unbreakable lol. Which IMHO is a downfall. Most people that share your same view think that because they have included a special ASCII character (i.e. ¥₧ƒ) that's not well known, brute force attempts will fail. When actually that is very far from the truth. Also I highly doubt that these are brute forcing attempts (as your account freezes after X attempts and makes you wait 30 mins)

I think these hack attempts are more of a social engineering success than anything else. Or people failing to take simple steps to help reduce the chances of their own security being compromised.

Why would a hacker need to brute force your password at all, when they could much more easily hack your email and then have the password just emailed there lol.

In summary, I think that MA protects their data fairly well (assuming, as I was not involved with any pen testing lol). And as long as you take some simple steps to protect yourself, the aforementioned Security Ratio will be more than sufficient (assuming it's not a vendetta hack in which time and $$ are erased from the equation, which by egging people on to hack your system you are asking for lol)

Anyways this is my last post here as it's going way off the original topic.
 
If it's just social engineering that gets my password, that makes me feel even the more secure. Nobody but me knows my password and that's what keeps it so secure. It's never been typed out in plaintext (except in dumbass email confirmations) either. But as far as Mindark not storing passwords in plaintext?

Well... just see my post here and see if it doesn't just change your mind completely about PE's security. I'm appalled at what I found... :eek:
 
Falcon4 said:
If it's just social engineering that gets my password, that makes me feel even the more secure. Nobody but me knows my password and that's what keeps it so secure. It's never been typed out in plaintext (except in dumbass email confirmations) either. But as far as Mindark not storing passwords in plaintext?

Well... just see my post here and see if it doesn't just change your mind completely about PE's security. I'm appalled at what I found... :eek:


well, as you explain yourself, your password is written in plain text by MA in your computer ....
have a nice trojan hunt and go buy a gold card ...
 
Falcon4 said:
It's never been typed out in plaintext

:laugh: :laugh: :laugh:

no stop it please. really. you sort of people make life easy for hackers. you're so sure of yourself.

every time you type in your password it's in plain text numpty. get a trojan, a keylogger, you're owned. maybe you think you're clever and copy/paste? too bad the trojan thought of that too.
 
Samantha Carter said:
Also there is no such thing as unbreakable encryption. It's just math that can be undone at any time. The point of security and encryption isn't to make it unbreakable. It's to make the ratio of time and $$ spent outweigh the money and information gained.


I must disagree there.
There are methods used for transferring data over the internet where you need to know a certain prime number (consisting of 100 numbers (0-9)) to decode the message. If you would search manually for those numbers it would take a few billion years.
If you don't believe me, I just learned last semester at university ;)

So you should definitely believe that there is something like an unbreakable code (in practice, of course you can crack it if you wait a few million years)
 
Nitrosomonas said:
I must disagree there.
There are methods used for transferring data over the internet where you need to know a certain prime number (consisting of 100 numbers (0-9)) to decode the message. If you would search manually for those numbers it would take a few billion years.
If you don't believe me, I just learned last semester at university ;)

So you should definitely believe that there is something like an unbreakable code (in practice, of course you can crack it if you wait a few million years)

Yeah, PGP is prime number based, there are plenty of them that are. They are still breakable and time is relative to your computing power. Any encryption that involves math is reversible. And not to put you down or anything, but a semester at uni isn't the same as RL experience. If you pick up the book "Applied Cryptography" you can learn a great deal about encryption.

The only method that's still somewhat in the works, that if you mentioned I wouldn't have disagreed with, is Quantum Cryptography. However in order for this to work we need to be able to predict the precise location of an electron in its orbit around the core of an atom. As of right now we can not predict this movement as there are fluctuations in orbit, at which point it seems the only logical explanation is hidden somewhere in the unknown of quantum mechanics.

Until then all encryption is breakable. This is why NSA has restricted exports of encryption above 512b outside the United States. Above a 512 block cypher takes a long time but is still breakable, it's just the cost/time ratio per info received is not worth it. That doesn't mean it's not breakable. It's just math!! Prime numbers or not (And there have been several known attacks against PGP FYI)
 
aridash said:
:laugh: :laugh: :laugh:

no stop it please. really. you sort of people make life easy for hackers. you're so sure of yourself.

every time you type in your password it's in plain text numpty. get a trojan, a keylogger, you're owned. maybe you think you're clever and copy/paste? too bad the trojan thought of that too.

There are two types of hacks. One is a client-side hack, where some idiot downloads a program and tries running it, and it ends up being a trojan (but they don't know). Then a hacker can get in and log that person's actions, get their passwords, whatever.

The other type of hack, which I'm more concerned about, is a server-side hack. Where a hacker gains access to the server's database, either via trojans on the company computers or using a security hole in the software that allows them to send and receive information. If the passwords in the database are hashes, they're pretty much useless even if the hacker COULD get into the system, because a hash's hash is not the same as the password hash, and usually there's no way to just "inject" the hash into the system and say "I'm logged in" either.

The first type I'm not concerned about, because I'm not like the common n00b that goes around like a moron clicking everything that says "free". I know what goes in and what goes out, as such there's not much that could be done to get my password that way. I'm just concerned about MA's security, because with the number of obvious holes and bugs in the software, god only knows how bad it is security-wise...
 
Falcon4 said:
The first type I'm not concerned about, because I'm not like the common n00b that goes around like a moron clicking everything that says "free".

:laugh: :laugh: :laugh:

oh please stop, my sides are hurting now. we need a rolling around on the floor smiley for this.

you should be less concerned with MA security than your big mouth rattling off, you might as well just shout come and hack me if you're good enough.

i do particularly like this one "a hash's hash is not the same as the password hash". :scratch:
 
Laugh all you want... but we'll see who gets the last laugh when your account's hacked and not mine. :rolleyes:

Big ego? Yes. Good reason? Yes.

aridash said:
i do particularly like this one "a hash's hash is not the same as the password hash". :scratch:

The hash for "rofl" is 7df9ad761904a6cd0dc1358949977da0.

The hash for "7df9ad761904a6cd0dc1358949977da0" is 11c56e3f4936d414552203d44816622b. Is that too hard to wrap your head around?

Use this quick 4-line script (including <?php and ?>) to play with hashes... http://www.falconfour.com/phpwork/hahahaha.php

P.S.:
rofl.gif
 
I would have preferred to write this in a PM, but someone's been naughty...

No, you can't "inject the hash", that's sort of the point. Hashing a hash is risible, since it offers no further protection from a brute force, which is the primary method of attack. If someone were to access the password file and it contained hashed hashes, you'd work it out and process the file iteratively.

In all your posts, you fail to mention salting the hash, which was the correct answer. But I'm just a noob, oh mighty keyboard warrior.
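What salting changes compared with hashing a hash, as an added example that is not part of any post in this thread: unsalted records for the same password are identical and fall to one pass over a guess list, while per-user salts with a slow key-derivation function do not. The account names, passwords, guess list and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are assumptions made for the illustration; the thread itself only mentions MD5 and salting.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that happen to share one password.
USERS = {"alice": "hunter2", "bob": "hunter2"}
# Constructed guess list standing in for a dictionary of common passwords.
WORDLIST = ["letmein", "password", "hunter2"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def double_md5(text):
    """The 'hash of a hash' scheme: still unsalted, still two fast passes."""
    return md5_hex(md5_hex(text))


def guess_unsalted(stored, hash_fn, wordlist):
    """Without a salt, each hashed guess can be compared against every record."""
    return next((w for w in wordlist if hash_fn(w) == stored), None)


def enroll(password, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def compare_schemes():
    unsalted = {user: double_md5(pw) for user, pw in USERS.items()}
    salted = {user: enroll(pw) for user, pw in USERS.items()}
    return {
        "unsalted_records_match": unsalted["alice"] == unsalted["bob"],
        "guessed_from_wordlist": guess_unsalted(unsalted["alice"], double_md5, WORDLIST),
        "salted_records_match": salted["alice"][2] == salted["bob"][2],
        "correct_password_accepted": verify("hunter2", salted["alice"]),
        "wrong_password_rejected": not verify("hunter3", salted["alice"]),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```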
 
Hackers sure do get into hard to read arguments :D
 
you could just encrypt the data with 2 secret prime numbers, then encrypt it another time with 2 other secret prime numbers :D
let them try to brute-crack that :tongue2:

ps: i like primes :D <-- and this smilie
 