Topic: Account Security

Is there a limit to the number of failed login attempts a person can make to the Web Site, Game Client, etc.?

If not, what's to stop someone, say a Southeast Asian "gold farming" company, from writing a routine that runs for hours, days, weeks, cracks my password, logs into my account, spends all my money, puts everything they bought into a container, then gives the code to the container to their "gold farmer" team? No record of who the stuff went to, only a broke, hacked player account.

Any feedback on existing security or plans to improve security before the "gold farmers" level their sights on Perpetuum and bring 100,000 free client applications to bear on cracking everyone's passwords?

Re: Account Security

How would they know what your email address is?

I am Perpetuum's Most Dangerous Agent and an equal opportunity troll.
-> You just lost The Game <-
"Perpetuum sounds like a something I would stick up my *** for enjoyement." -Kaito Kurusaki

Re: Account Security

If the error message for an invalid email address differs from that of a valid email address on any web page, forum, or client login, I could write an algorithm that determines valid email addresses over time. That's what professional hackers would do. A random email generator could bounce requests and monitor the replies until they determine the emails of all current accounts. The more computers doing it, the faster they determine the email addresses.

Re: Account Security

Is there one?
No.
What's to stop this from happening?
Nothing.

Generally, security measures like this one are made after a threat becomes apparent, usually after it happens. This is also a small indie game at the moment, so if you got hacked it wouldn't be the end of the world like your first post made it seem; you could easily just talk to a GM/Dev and they'd most likely help you out.

Re: Account Security

I agree with the OP.

A wait of 15 min after 4 or 5 bad passwords is a simple feature which protects our accounts against that kind of hacking.
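The lockout proposed here (a wait after 4 or 5 bad passwords) and the enumeration worry raised earlier in the thread (error messages that differ between valid and invalid email addresses) can be handled in one login front end. This is an added illustration, not code from Perpetuum or from anyone in this thread; the `LoginService` class, its server-side event log, and the sample addresses in the test are constructed for the example.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

MAX_FAILURES = 5             # the thread's "4 or 5 bad passwords"
LOCKOUT_SECONDS = 15 * 60    # the thread's 15 minute wait
GENERIC_ERROR = "invalid email or password"   # one message for every failure

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked

class LoginService:    # hypothetical front end, constructed for this example
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so the lockout window is testable
        self.accounts: dict[str, Account] = {}
        self.events: list[tuple[str, str]] = []    # server-side log the caller never sees
        # Unknown addresses are hashed against a dummy salt so response time does not
        # differ between "no such email" and "wrong password".
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("", self._dummy_salt)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(salt, hash_password(password, salt))

    def login(self, email: str, password: str) -> tuple[bool, str]:
        now = self.clock()
        acct = self.accounts.get(email)
        if acct is None:    # unknown email: same text, comparable work
            hmac.compare_digest(self._dummy_hash, hash_password(password, self._dummy_salt))
            self.events.append((email, "unknown_email"))
            return False, GENERIC_ERROR
        if acct.locked_until > now:    # locked: even the right password is refused
            self.events.append((email, "locked"))
            return False, GENERIC_ERROR
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failures = 0
            self.events.append((email, "ok"))
            return True, "ok"
        acct.failures += 1
        self.events.append((email, "bad_password"))
        if acct.failures >= MAX_FAILURES:    # start the 15 minute wait
            acct.failures, acct.locked_until = 0, now + LOCKOUT_SECONDS
            self.events.append((email, "lockout_started"))
        return False, GENERIC_ERROR
```

The caller only ever sees `GENERIC_ERROR` on failure, including during the lockout; the distinction between an unknown address, a wrong password and a locked account lives only in `events`, where an operator can alert on it.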

Re: Account Security

Seeing as there's only 15000 accounts (supposedly), it would take *** ages to determine a valid email account and then use that email and find the password.

The amount of time needed to do this randomly would not be anywhere close to cost effective.  Especially when the chance of finding an account with any actual worth (not just some unused account or noob with nearly nothing to his name) would make it that much harder.


You, sir, are one paranoid motherf*cker.  I would guess that you once got your account hacked, and it probably happened because you did something to give away your account information.


Re: Account Security

Assuming up to 10 characters before the '@', up to 10 characters after the '@', 5 extensions ( .com/.org etc. ) and a password with length 10 made up out of 50 possible characters it would take up to 9.730.541.452.738.969.312.666.112.000.000.000.000.000.000.000 ( 26^10 * 26^10 * 5 * 50^10 ) tries to hack that account ( and any others with that length ). With about a minimum of 2.878.858.417.970.109.264.102.400.000.000.000.000.000 ( 26^9 * 26^9 * 5 * 50^9 ) tries.

Let's say we have 1.000 computers and an absurdly low lag of 10ms. It would take at least 91.288.001.584.541.770.170.674.784.373 ( divide by 1.000 for computers, divide by 100 to get to seconds, divide by 60 to get to minutes, divide by 60 to get to hours, divide by 24 to get to days, divide by 365 to get to years ) years to hack that account and any others with that length or below.

Now that number is so high that I'm pretty sure the sun will explode and consume the Perp servers before someone manages to hack all of Perp's accounts with a brute-force algorithm.

PS. somebody check my math, I just woke up and that number really is freakishly high. It would put a serious damper on my plans to achieve world domination besides the obvious rarity of beaver suits made from biodegradable materials......

*Insert really awesome sig here*

8 (edited by GLiMPSE 2010-12-28 19:03:43)

Re: Account Security

It'd be much easier to try and exploit a hole in the forums to get the password hashes through that avenue, then run 'em up against some rainbow tables...

Just my .02.

Hope PunBB is air tight.

Re: Account Security

If the chances were as remote as 'calculated' then why would online banks lock accounts after "X" failed attempts?

Just sayin', you probably shouldn't flame someone that's looking out for your well-being. I mean, you're saying all companies that lock domain accounts (basically every company on the planet) after X failed attempts are "paranoid motherf*cker"? Seriously?

Give me a break man.

10 (edited by Neoxx 2010-12-28 22:08:38)

Re: Account Security

GLiMPSE wrote:

It'd be much easier to try and exploit a hole in the forums to get the password hashes through that avenue, then run 'em up against some rainbow tables...

Just my .02.

Hope PunBB is air tight.

I don't think we log in through PunBB, anyway. The data that is transferred through it is just going to be the post data and avatar names. I highly doubt PunBB ever sees our account info.

Edit: Nope. Any time you go to log in to the website it takes you to https://secure.perpetuum-online.com/login/ so it's not the PunBB portal or anything, it's running from their secure server.


11 (edited by GLiMPSE 2010-12-28 21:56:59)

Re: Account Security

Glimmers wrote:

If the chances were as remote as 'calculated' then why would online banks lock accounts after "X" failed attempts?

Just sayin', you probably shouldn't flame someone that's looking out for your well-being. I mean, you're saying all companies that lock domain accounts (basically every company on the planet) after X failed attempts are "paranoid motherf*cker"? Seriously?

Give me a break man.

You're talking about 2 different types of attacks.

A targeted attack would mean you know your target and likely know their username or email. These are what banks and corporations are trying to protect you from... and mostly as an internal countermeasure. I.e.: Jimmy in Accounting wants to try and brute force the CEO's email to give himself a promotion.

What you're talking about is a broad-ranging brute force attack that, to accomplish in a quick manner, would imitate the traffic of a large scale DDoS -- these things typically trip traffic alarms on any enterprise class firewall.

Also, your perceived security =/= your actual security. Just because they put a little message on the website that says you're locked out for X minutes and Perpetuum doesn't, does not mean that this excessive brute force cracking isn't being logged and acted upon behind the scenes.

Either way, both of these can be mitigated by using a strong account password, 10+ characters with as many character groups as possible. Every character you add adds a significant number of permutations, and brute forcing becomes longer and more noticeable.

Re: Account Security

GLiMPSE wrote:
Glimmers wrote:

If the chances were as remote as 'calculated' then why would online banks lock accounts after "X" failed attempts?

Just sayin', you probably shouldn't flame someone that's looking out for your well-being. I mean, you're saying all companies that lock domain accounts (basically every company on the planet) after X failed attempts are "paranoid motherf*cker"? Seriously?

Give me a break man.

You're talking about 2 different types of attacks.

A targeted attack would mean you know your target and likely know their username or email. These are what banks and corporations are trying to protect you from... and mostly as an internal countermeasure. I.e.: Jimmy in Accounting wants to try and brute force the CEO's email to give himself a promotion.

What you're talking about is a broad-ranging brute force attack that, to accomplish in a quick manner, would imitate the traffic of a large scale DDoS -- these things typically trip traffic alarms on any enterprise class firewall.

Also, your perceived security =/= your actual security. Just because they put a little message on the website that says you're locked out for X minutes and Perpetuum doesn't, does not mean that this excessive brute force cracking isn't being logged and acted upon behind the scenes.

Either way, both of these can be mitigated by using a strong account password, 10+ characters with as many character groups as possible. Every character you add adds a significant number of permutations, and brute forcing becomes longer and more noticeable.

Well, maybe that's also a requirement they could change, because the account creation page requires only 6 characters (alphanumeric). I can hear you thinking it so I'll say it. The onus should be on the registrant to use a highly secure password, but the 6 character requirement is what originally made me concerned about the security implementations protecting our login information.

Since the same information is used to access forums, it's also another area they could hack info from.

Look, this doesn't need to drag into a debate.  I'm entitled to my concerns and it's not entirely unreasonable to ask for a little more insurance on security than just a "you should create a complex password".

Re: Account Security

They want to keep your account information secure, yes, but it's up to you if you respond to every "South African Prince needs your help!" email and use 123abc as your password.


14 (edited by GLiMPSE 2010-12-28 22:14:52)

Re: Account Security

Glimmers wrote:
GLiMPSE wrote:
Glimmers wrote:

If the chances were as remote as 'calculated' then why would online banks lock accounts after "X" failed attempts?

Just sayin', you probably shouldn't flame someone that's looking out for your well-being. I mean, you're saying all companies that lock domain accounts (basically every company on the planet) after X failed attempts are "paranoid motherf*cker"? Seriously?

Give me a break man.

You're talking about 2 different types of attacks.

A targeted attack would mean you know your target and likely know their username or email. These are what banks and corporations are trying to protect you from... and mostly as an internal countermeasure. I.e.: Jimmy in Accounting wants to try and brute force the CEO's email to give himself a promotion.

What you're talking about is a broad-ranging brute force attack that, to accomplish in a quick manner, would imitate the traffic of a large scale DDoS -- these things typically trip traffic alarms on any enterprise class firewall.

Also, your perceived security =/= your actual security. Just because they put a little message on the website that says you're locked out for X minutes and Perpetuum doesn't, does not mean that this excessive brute force cracking isn't being logged and acted upon behind the scenes.

Either way, both of these can be mitigated by using a strong account password, 10+ characters with as many character groups as possible. Every character you add adds a significant number of permutations, and brute forcing becomes longer and more noticeable.

Well, maybe that's also a requirement they could change, because the account creation page requires only 6 characters (alphanumeric). I can hear you thinking it so I'll say it. The onus should be on the registrant to use a highly secure password, but the 6 character requirement is what originally made me concerned about the security implementations protecting our login information.

Since the same information is used to access forums, it's also another area they could hack info from.

Look, this doesn't need to drag into a debate.  I'm entitled to my concerns and it's not entirely unreasonable to ask for a little more insurance on security than just a "you should create a complex password".

You are within your right to express your concerns. But do the developers of a sandbox game really need to be expected to handhold you through protecting yourself in and out of game?

To carry this over to an in-game parallel... does the game check your cargo and say wowoowowow you're about to enter beta islands with lots of stuff in your sequer! You should consider dumping some stuff off to mitigate your losses and keep yourself more secure because we don't respect your ability to make a sound decision.

Again though, you're within your right to have an opinion. But it's my opinion that your opinion is the wrong opinion.

<3

Re: Account Security

It's all good. In the end I'm the one that will be right. You'll be the one complaining that some Korean company brute-force hacked your account and put all your stuff into a container and handed the code to an anonymous NIC farmer. Oh, how proud you'll be. smile

16 (edited by GLiMPSE 2010-12-28 22:27:50)

Re: Account Security

Glimmers wrote:

It's all good. In the end I'm the one that will be right. You'll be the one complaining that some Korean company brute-force hacked your account and put all your stuff into a container and handed the code to an anonymous NIC farmer. Oh, how proud you'll be. smile

You're right. We should require 2-factor logins with key fobs that present a unique secondary factor changing every 30 minutes.

Because anything else wouldn't protect you from that trojan that you got from peeking at that free celebrity porn site (that's the Korean way to get some leet haxed accountz).

Re: Account Security

I'm pretty sure you're bipolar, dude. You post a reply, then edit it like 4 times after you post, each version becoming more and more less psycho. You might need to see a Dr. for real if you have to edit a post 4 times before it becomes civil.

18 (edited by GLiMPSE 2010-12-28 22:42:29)

Re: Account Security

Glimmers wrote:

I'm pretty sure you're bipolar, dude. You post a reply, then edit it like 4 times after you post, each version becoming more and more less psycho. You might need to see a Dr. for real if you have to edit a post 4 times before it becomes civil.

Sup.

Who were you before the respec?

Re: Account Security

I've never respec'd.  I thought asking for a respec because I assigned my points like a complete newb was like asking to restart a triathlon because I bumped into someone and got off to a slow start.

I spent my 20k points like an idiot and I'm ok with it.

Re: Account Security

Glimmers wrote:

I've never respec'd.  I thought asking for a respec because I assigned my points like a complete newb was like asking to restart a triathlon because I bumped into someone and got off to a slow start.

I spent my 20k points like an idiot and I'm ok with it.

And respeccing would be like starting an argument, realizing you're wrong, and trying to save face by changing the subject.

Re: Account Security

I have better things to do with my time than argue with a neophyte in computer security.  The proof will be in the next few years and I believe it will be to err on the side of security, not on the side of stupidity.

Have a good day Sir.

Re: Account Security

Glimmers wrote:

I have better things to do with my time than argue with a neophyte in computer security.  The proof will be in the next few years and I believe it will be to err on the side of security, not on the side of stupidity.

Have a good day Sir.

Your propositions are not constructive and are useless in securing computers infected with trojans (most accounts are compromised in this manner). Your fairytale dreamland about computer security where *** is brute forced all day long is wrong, misguided, and ignorant.

Feel free to walk away from the conversation -- it's a normal human reaction to want to move away and turn your back on things that make you uncomfortable.

The only thing that would protect the accounts in this game more than using a strong password is physical second factor authentication -- which isn't realistic.

So in review -- don't look at porn on the internet, don't open emails about free NIC in your gmail, don't try and download hacks for perpetuum, don't download bots, and use a strong password.

Or.

Give everyone a local token to walk around with on their keychain.

Have a good day.

Re: Account Security

Neoxx wrote:

They want to keep your account information secure, yes, but its up to you if you respond to every "South African Prince needs your help!" email and use 123abc as your password.

Not only is that my password, it's also the combination to my luggage sad