Right last night, i was on Horus id just had a friend download the game, so i went to Initiation summit to meet him. So i gave him some gold, some items then i said if you get bored grinding and questing you can have my pass to have a play with my hunter. Right now the scary bit, as i typed in my password this big scary red writing came up..blah blah PERMANENTLY BANNED !!!!! EEEEKKK. Ok so NGD im sorry i really didnt know that i shouldnt have done that, seeing as i havent played in many months.

Therefore i have 2 questions :-

1. Are you going to ban me (cause i like this game loads) ?
2. Can other players not use your account anymore, even if they've been given permission by the account holder ?

Cheers
Meco

I know your not blind Emily, everytime you log in you'll see the message dont give out your password. Right ontop of the chat log..Take it from me, dont share your account. :p

Hello,

To be perfectly clear:

1) That you tried to, willingly or not, share a password does not necessarily mean that your account is going to be banned, but if something happens (like your characters being deleted. This might come as a surprise to some but this happens more often than you'd think) you could have a preemptibe account desactivation.

2) For a long list of reasons that conclude in privacy and account security, here it goes again: It's completely forbidden to give your password to anyone. There are no exceptions. And NGD Studios won't ever request your password, not inside the game and not by e-mail or any other medium.

Regards

Im not understanding this.

So, if i type my password in a chat, i receive a warning?

Edit: Hi Echelon! i just tested it, and yes. If you type your password, you get a red warning message, scary.
Well, it is not a very clever filter, and if you type "yourpassword." ended with a dot, it doesnt recognize it.

I dont like the idea of a function constantly looking our chats and comparing them with account password, which now i think, are stored unencripted. Or are you hashing every chunk of chat to compare?
Indeed, i dont like the idea of having such warning, as it's just a positive match, and does nothing but scare the user (what if my password is a common phrase used in common language?). This "security measure" is not raising the level of security in any form.

I dont like it at all.

Why dont you store passwords crypted? why dont you force the user to choose a strong password? why dont you salt hashes? why is all chat sent unencripted, even if you recognize a password in it? Why not just "hide" the password if recognized? (even if it's a bad solution too)

Im not here to tell anyone how to do his job, but im a customer. And i need some warranties about my privacy.

Regards.

I work in I.T and the flippant attitude some users have towards their accounts and passwords REALLY PISSES ME OFF :fury:

Everyone knows they shouldn't give their details to other users and pleading ignorance is no excuse.

What if you'd given your cash card details to a friend and they decided to take all your money our of your account? Would you then ask your bank to repay the money? NO!

If you are account has been disabled then you've learned a valuable lesson in Data Protection and computer security, so hopefully you'll think twice next time:harhar:

Well I see the reason for this, just in this month there have been more and more occurances of people getting their characters deleted, by accident, or from a friend, etc. I guess this breaks into that line,

I see nothing wrong with passing on your account to a friend after you don't want it, as long as you are positive you won't complain about it later. If you do, don't do it ingame.

Im not here to tell anyone how to do his job, but im a customer. And i need some warranties about my privacy.

Oh come on, this is just an excuse to rant an NDG for someone else's stupidity. Logging into the forum and the main page is via http and not https and that doesn't appear to have bothered enough people to kick up a fuss.

If anyone is stupid enough to type their password into a chat window, then it doesn't really matter how NGD stores it.

Apart from that, what makes you say its not stored encrypted? Its fairly trivial to compare a word against an encrypted password and then return a true or false if there's a positive match.

Oh come on, this is just an excuse to rant an NDG for someone else's stupidity. Logging into the forum and the main page is via http and not https and that doesn't appear to have bothered enough people to kick up a fuss.

If anyone is stupid enough to type their password into a chat window, then it doesn't really matter how NGD stores it.

Apart from that, what makes you say its not stored encrypted? Its fairly trivial to compare a word against an encrypted password and then return a true or false if there's a positive match.

Excuse? what have i to excuse?
I dont bother about https or http login, as they store passwords in a safe. I keep safe my own lan. Do they? I dont know. I bother about how they store my info. Do you?

It's trivial to compare ONE password, but it seems they are comparing every chatline, to see if it contains the valid password. Do they crypt all the chunks between spaces before to compare it to a hash of the password? i doubt it. And that's not trivial.

This is not about stupid persons, it's about stupid security implementations.

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

If, as is implied in you message, this is a feature only for stupid people, well, maybe they get scared, or they just have a nice confirmation, or they just ignore any RED WARNING MESSAGE.

But this system is not avoiding anything. And they can get this information privately, anyway.

It's trivial to compare ONE password, but it seems they are comparing every chatline, to see if it contains the valid password.

I would imagine they would only compare the text you type against your own password, not everyone's.

Do they crypt all the chunks between spaces before to compare it to a hash of the password? i doubt it. And that's not trivial.

That's assuming the password doesn't contain a space. As far as hashing it is concerned, it really is quite trivial. For example, I can generate a 150+character SSHA encrypted password in a fraction of a second (actually using the OpenLDAP password tool called slappasswd) and that's with pasting a password in at the console prompt or using an expect script. It would be even faster using something custom written that didn't wait for keyboard interaction. We're only talking about a few 100 bytes each time, so the overhead is miniscule.

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

I'm not suggesting that you are, but clearly there are *some* people stupid enough to type their passwords into a chat window. What happens if they do it in public chat?

With regards to a brute force attack, even if the system is only checking your own password, I will agree that this might be possible, but only if the user is already logged in and is dumb enough to leave their terminal in a public place, without locking it. If that's the case then, quite frankly, they're asking for trouble. Its still more secure than web browsers offering to remember passwords.

But this system is not avoiding anything. And they can get this information privately, anyway.

Yes they can and that's completely out of NGD 's control. However, if someone is using NGD's system, then NGD have every right to implement any security feature they see fit. I scan everyone's email in work for executable attachments, viruses and inappropriate words - it doesn't mean I need to read everyone's email to do it, I have installed software and written scripts to take care of it for me. These spit out warnings, either to the I.T staff or to the user, depending on what's detected.

I can't see it being any different to that to be perfectly honest.

I scan everyone's email in work for executable attachments, viruses and inappropriate words


?? Huh... Againt inappropriate words too? This is frightening... :eek:

I don't want NGD to encrypt everything, since i guess everything would slow down then - and hell, it is slow enough!

Just do not give away your passwords - i think that is much more dangerous than unencrypted chats...

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

As we can see by this thread (and some more on the other servers) it works by scaring the users that want to give away their password.

I would imagine they would only compare the text you type against your own password, not everyone's.
...



Yes, my tests say that they are comparing every chat word you type, against your password. I dont really know how they do it. But it's one of two:
1. they compare plain text with plain text password.
2. they hash every word (every string between spaces) and then compare every result with your hashed password.

And yes, i guess they asume that there are no spaces in the password, and that it's not finished but a dot (.)

In any case, i dont like it.

Regards!

1. they compare plain text with plain text password.
2. they hash every word (every string between spaces) and then compare every result with your hashed password.

1 and 2 are not important, because the comparation is made on client side, so they dont know about your password (you can't know it ever, you just have to believe it), and the server will not get worst doing comparations (so no lag consequences, etc).

1 and 2 are not importante, because the comparation is made on client side, so they dont know about your password (you can't know it ever, you just have to believe it), and the server will not get worst doing comparations (so no lag consequences, etc).

did you make tests to confirm that? I always asumed that the server was receiving the data, and giving the response, but i never really checked this.

did you make tests to confirm that? I always asumed that the server was receiving the data, and giving the response, but i never really checked this.

Well a friend had the problem with the red letters and i asked to kailer about it. I'm not sure but i think he said something similar :p . A mix of it a suppositions.

Well a friend had the problem with the red letters and i asked to kailer about it. I'm not sure but i think he said something similar :p . A mix of it a suppositions.
so, your friend was using a common word as password, and RO was warning him all the time? xD

i will make my own tests (mythbusters style)
wireshark al ataque!

did you make tests to confirm that? I always asumed that the server was receiving the data, and giving the response, but i never really checked this.

As arlick says, the password check is client-side only.

As arlick says, the password check is client-side only.
Confirmed.
Password is stored in memory while the game is running. I didnt see any network trace of the password check.

hint: scan your memory for text "Charactername:" (upper/lower case matters)

Forget everything i said before (in this thread only)

PD: Thanks Surak! Tell Kailer to answer my PM, or i will spam your inbox!:thumb_up:

Well thanxs everyone for the input, but as for my password ive given out to clan members(very well trusted ones), i periodically change my pass(even though i dont play that often), the person i was giving my pass to is a very close RL friend and i trust him completely, i just wanted him to see what a lvl 50 char was like. :)
So panic over !!

Look forward to see you all ingame in the future. :closed2:

P.s Thanxs Kailer for your prompt reply.
P.p.s Yes, Aries point taken, you know about all this stuff better than anyone, ty hun xx.