#16 Added by Nixus 10 years ago
Last edited by Nixus (10 years ago)
#17 Added by Markanjio 10 years ago
Damn, now I can't log in to the game. What a "smart" action to cause even more wreckage. Why can't you just allow me to enter and THEN ask to change the password? Do you honestly think I remember the mail I used to register a few years ago? (Not even sure if I will be able to remember the password of this mailbox, or that it still exists.)
On a side note, if we speak about security: THIS FORUM does not even use HTTPS. So what? Just a single connection over open wi-fi and it turns out you send your password over the air, well-visible to everyone. Don't you mind at least using HTTPS to make it a bit more secure?
Sure, HTTPS is crap, but it is better than just shouting the password in cleartext into open air, isn't it?!
And bittymacod, his screen shows a password cracker which has successfully recovered a password. You see, DES uses a 56-bit key, so it can be brute-forced on a modern GPU in foreseeable time, no matter what. Using DES in 2014? Makes no sense at all; DES can't protect anyone from anything these days. On the other hand, it's quite slow.
UPD: found a way to change it w/o the e-mail crap. On a side note, you can't enter any complex password: the form only allows 8-character alphanumeric passwords. Not even spaces. Ouch.
---
#18 Added by Mjollren 10 years ago
#19 Added by Nixus 10 years ago
You can still login to the billing account with your old password and change both your password and email there.
Yep, HTTPS should be used (and forced) for the forum, but also for the API, the game login-system (yes, it uses HTTP), etc.
No, HTTPS isn't crap. A properly configured HTTP server will protect the communication in a very effective way. The only "bad" thing about it is inherent to the X.509 certificates, which have to be trusted by CAs (which is a problem).
That's a problem from crypt(3) with DES: it considers only the first 8 bytes of the password.
#20 Added by Markanjio 10 years ago
So basically, IMO, you can't expect adequate security from SSL or TLS if you're an average Joe or an app dev who wants a "secure connection". And thinking you're secure when you're not is really bad.
IMO best thing you can try as password hashing these days is something like scrypt or Catena.
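The two points raised in this thread, the 8-byte truncation of crypt(3)/DES and the recommendation to move to a memory-hard KDF such as scrypt, can be shown side by side. The following is an added example, not code from the forum or from the game's code base. The "legacy" scheme here is a constructed model that reproduces only the truncation behaviour (it is not DES-crypt and produces no real crypt(3) hashes); the scrypt side uses Python's standard-library `hashlib.scrypt`. The record formats, prefixes and the `verify_and_upgrade` helper are assumptions chosen for the example; the upgrade-at-login pattern is how a site with truncating hashes can migrate users without knowing their passwords.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed record formats for this example (not a real crypt(3) format):
#   legacy8$<salt hex>$<sha256 hex>   -- models a hash that keeps only password[:8]
#   scrypt$<salt hex>$<dk hex>        -- scrypt with the parameters below
LEGACY_PREFIX = "legacy8$"
SCRYPT_PREFIX = "scrypt$"
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # ~16 MiB of memory per guess


def legacy_hash(password: str, salt: bytes) -> str:
    """Model of a truncating legacy hash: only the first 8 bytes influence the digest.

    This mimics the crypt(3)/DES behaviour the thread describes; it is NOT DES.
    """
    truncated = password.encode()[:8]  # everything after byte 8 is silently ignored
    digest = hashlib.sha256(salt + truncated).hexdigest()
    return f"{LEGACY_PREFIX}{salt.hex()}${digest}"


def scrypt_hash(password: str, salt: bytes) -> str:
    """scrypt record: the whole password is used and each guess costs real memory/time."""
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{SCRYPT_PREFIX}{salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the record for the given password and compare in constant time."""
    if record.startswith(LEGACY_PREFIX):
        _, salt_hex, _ = record.split("$")
        expected = legacy_hash(password, bytes.fromhex(salt_hex))
    elif record.startswith(SCRYPT_PREFIX):
        _, salt_hex, _ = record.split("$")
        expected = scrypt_hash(password, bytes.fromhex(salt_hex))
    else:
        return False
    return hmac.compare_digest(expected, record)


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Verify a login; on success, replace a legacy record with an scrypt one.

    Returns (ok, record_to_store). Legacy hashes cannot be converted offline
    because the full password is only available while the user logs in.
    """
    if not verify(record, password):
        return False, record
    if record.startswith(LEGACY_PREFIX):
        return True, scrypt_hash(password, os.urandom(16))
    return True, record


if __name__ == "__main__":
    salt = bytes(8)  # fixed salt only so the demo is reproducible
    stored = legacy_hash("hunter2xyz", salt)
    # Truncation: a different password with the same first 8 bytes verifies.
    print("legacy accepts 'hunter2x':", verify(stored, "hunter2x"))
    ok, upgraded = verify_and_upgrade(stored, "hunter2xyz")
    print("upgraded to scrypt:", ok, upgraded.startswith(SCRYPT_PREFIX))
    print("scrypt accepts 'hunter2x':", verify(upgraded, "hunter2x"))
```

The constant-time comparison with `hmac.compare_digest` and the per-user random salt are the defaults a practitioner should keep; the scrypt cost parameters are a reasonable starting point and should be tuned to the login server's budget.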
#21 Added by Mjollren 10 years ago
#22 Added by Icus 10 years ago
I still want an answer to my questions. Are you going to implement a different mechanism for password encryption? Are you going to allow us to have longer passwords? Did you notify inactive players via e-mail? In short, if another attack happens and is successful, will you be better prepared?
#23 Added by Gelaz 10 years ago
Edited 2 times | Last edited by Gelaz (10 years ago)
#24 Added by Bubbason 10 years ago
#25 Added by Gilgameesh 10 years ago
#26 Added by Bubbason 10 years ago
#27 Added by Gilgameesh 10 years ago
All a matter of how you see things, I guess. Taking your point (and I don't mean to sound flippant), but if you genuinely had concerns over the security of your account, and didn't feel that your concerns were being taken seriously, then why do you still log in and play a game which (in your mind) would present a risk to the care of your personal information? My point isn't aimed at anyone in particular, but it sounds a lot like "we have a problem (but not a real one)" until something happens. At which point, Homins get on the back of it and it becomes a burning issue. It would seem sensible to cancel subs until the issues were addressed and confidence restored, but in a weird way that would be the worst thing to do, because cancelling subs would remove (already scarce) funds from the game, hence less funds = less development resource/time/effort. To me that sounds like, I've been shot in my left foot, so I'm going to chop off my right one in protest. Funny thing, 'Homin Nature!' :-)
#28 Added by Bubbason 10 years ago
Last edited by Bubbason (10 years ago)
#29 Added by Petulka 10 years ago
Edited 2 times | Last edited by Tiximei (10 years ago) | Reason: Please avoid offensive language even when covering them with **
#30 Added by Tamarea 9 years ago
Last edited by Tamarea (9 years ago)