
The Inn A place to gather around and chat about almost any subject

Old 03-26-2009, 01:30 PM   #1
Snoid
Master
 
Join Date: Feb 2007
Location: Altaruk :) Posts:31,337
Posts: 446

I'm not understanding this.

So, if I type my password in a chat, I receive a warning?

Edit: Hi Echelon! I just tested it, and yes. If you type your password, you get a red warning message, scary.
Well, it is not a very clever filter, and if you type "yourpassword." ending with a dot, it doesn't recognize it.

I don't like the idea of a function constantly looking at our chats and comparing them with the account password, which, now I think, is stored unencrypted. Or are you hashing every chunk of chat to compare?
Indeed, I don't like the idea of having such a warning, as it's just a positive match, and does nothing but scare the user (what if my password is a common phrase used in common language?). This "security measure" is not raising the level of security in any form.

I don't like it at all.

Why don't you store passwords encrypted? Why don't you force the user to choose a strong password? Why don't you salt hashes? Why is all chat sent unencrypted, even if you recognize a password in it? Why not just "hide" the password if recognized? (even if it's a bad solution too)

I'm not here to tell anyone how to do his job, but I'm a customer. And I need some warranties about my privacy.

Regards.
__________________
I'm an outsider, outside of everything...
RAMNA

Elected Miss Ignis 2009 by popular vote

Last edited by Snoid; 03-26-2009 at 03:07 PM.
Old 03-26-2009, 02:44 PM   #2
Zodar
Apprentice
 
Join Date: Aug 2008
Location: UK
Posts: 93

I work in I.T. and the flippant attitude some users have towards their accounts and passwords REALLY PISSES ME OFF.

Everyone knows they shouldn't give their details to other users and pleading ignorance is no excuse.

What if you'd given your cash card details to a friend and they decided to take all your money out of your account? Would you then ask your bank to repay the money? NO!

If your account has been disabled then you've learned a valuable lesson in Data Protection and computer security, so hopefully you'll think twice next time.
__________________
Zodar - The Evil Bald Fu^wPerson...
Old 03-26-2009, 04:41 PM   #3
Zodar
Apprentice
 
Join Date: Aug 2008
Location: UK
Posts: 93

Quote:
Originally Posted by Snoid
Im not here to tell anyone how to do his job, but im a customer. And i need some warranties about my privacy.
Oh come on, this is just an excuse to rant at NGD for someone else's stupidity. Logging into the forum and the main page is via http and not https and that doesn't appear to have bothered enough people to kick up a fuss.

If anyone is stupid enough to type their password into a chat window, then it doesn't really matter how NGD stores it.

Apart from that, what makes you say it's not stored encrypted? It's fairly trivial to compare a word against an encrypted password and then return a true or false if there's a positive match.
__________________
Zodar - The Evil Bald Fu^wPerson...
Old 03-26-2009, 04:57 PM   #4
Snoid
Master
 
Join Date: Feb 2007
Location: Altaruk :) Posts:31,337
Posts: 446

Quote:
Originally Posted by antowen
Oh come on, this is just an excuse to rant at NGD for someone else's stupidity. Logging into the forum and the main page is via http and not https and that doesn't appear to have bothered enough people to kick up a fuss.

If anyone is stupid enough to type their password into a chat window, then it doesn't really matter how NGD stores it.

Apart from that, what makes you say it's not stored encrypted? It's fairly trivial to compare a word against an encrypted password and then return a true or false if there's a positive match.
Excuse? What have I to excuse?
I don't bother about https or http login, as they store passwords in a safe. I keep my own LAN safe. Do they? I don't know. I bother about how they store my info. Do you?

It's trivial to compare ONE password, but it seems they are comparing every chat line, to see if it contains the valid password. Do they encrypt all the chunks between spaces before comparing them to a hash of the password? I doubt it. And that's not trivial.

This is not about stupid persons, it's about stupid security implementations.

Who needs a warning about "you typed your password"? I can only think of a brute-force attacker. I know I typed my password. I'm not stupid.

If, as is implied in your message, this is a feature only for stupid people, well, maybe they get scared, or they just have a nice confirmation, or they just ignore any RED WARNING MESSAGE.

But this system is not avoiding anything. And they can get this information privately, anyway.
__________________
I'm an outsider, outside of everything...
RAMNA

Elected Miss Ignis 2009 by popular vote
Old 03-27-2009, 12:59 AM   #5
Zodar
Apprentice
 
Join Date: Aug 2008
Location: UK
Posts: 93

Quote:
Originally Posted by Snoid
It's trivial to compare ONE password, but it seems they are comparing every chat line, to see if it contains the valid password.
I would imagine they would only compare the text you type against your own password, not everyone's.

Quote:
Do they encrypt all the chunks between spaces before comparing them to a hash of the password? I doubt it. And that's not trivial.
That's assuming the password doesn't contain a space. As far as hashing it is concerned, it really is quite trivial. For example, I can generate a 150+ character SSHA encrypted password in a fraction of a second (actually using the OpenLDAP password tool called slappasswd) and that's with pasting a password in at the console prompt or using an expect script. It would be even faster using something custom written that didn't wait for keyboard interaction. We're only talking about a few hundred bytes each time, so the overhead is minuscule.

Quote:
Who needs a warning about "you typed your password"? I can only think of a brute-force attacker. I know I typed my password. I'm not stupid.
I'm not suggesting that you are, but clearly there are *some* people stupid enough to type their passwords into a chat window. What happens if they do it in public chat?

With regards to a brute force attack, even if the system is only checking your own password, I will agree that this might be possible, but only if the user is already logged in and is dumb enough to leave their terminal in a public place without locking it. If that's the case then, quite frankly, they're asking for trouble. It's still more secure than web browsers offering to remember passwords.

Quote:
But this system is not avoiding anything. And they can get this information privately, anyway.
Yes they can, and that's completely out of NGD's control. However, if someone is using NGD's system, then NGD have every right to implement any security feature they see fit. I scan everyone's email in work for executable attachments, viruses and inappropriate words - it doesn't mean I need to read everyone's email to do it, I have installed software and written scripts to take care of it for me. These spit out warnings, either to the I.T. staff or to the user, depending on what's detected.

I can't see it being any different to that to be perfectly honest.
__________________
Zodar - The Evil Bald Fu^wPerson...
Old 03-27-2009, 11:01 AM   #6
iteomagazu
Pledge
 
Join Date: Jan 2009
Posts: 22

Quote:
Originally Posted by antowen
I scan everyone's email in work for executable attachments, viruses and inappropriate words
?? Huh... Against inappropriate words too? This is frightening...

I don't want NGD to encrypt everything, since I guess everything would slow down then - and hell, it is slow enough!

Just do not give away your passwords - I think that is much more dangerous than unencrypted chats...

Quote:
Originally Posted by Snoid
Who needs a warning about "you typed your password"? I can only think of a brute-force attacker. I know I typed my password. I'm not stupid.
As we can see by this thread (and some more on the other servers) it works by scaring the users that want to give away their password.
Old 03-27-2009, 11:37 AM   #7
Snoid
Master
 
Join Date: Feb 2007
Location: Altaruk :) Posts:31,337
Posts: 446

Quote:
Originally Posted by antowen
I would imagine they would only compare the text you type against your own password, not everyone's.
...

Yes, my tests say that they are comparing every chat word you type against your password. I don't really know how they do it. But it's one of two:
1. they compare plain text with the plain text password.
2. they hash every word (every string between spaces) and then compare every result with your hashed password.

And yes, I guess they assume that there are no spaces in the password, and that it's not finished with a dot (.)

In any case, I don't like it.

Regards!
__________________
I'm an outsider, outside of everything...
RAMNA

Elected Miss Ignis 2009 by popular vote
Old 03-27-2009, 12:01 PM   #8
arlick
Duke
 
Join Date: Jan 2007
Posts: 3,939

Quote:
Originally Posted by Snoid
1. they compare plain text with plain text password.
2. they hash every word (every string between spaces) and then compare every result with your hashed password.
1 and 2 are not important, because the comparison is made on the client side, so they don't know about your password (you can't ever know it, you just have to believe it), and the server will not get worse doing comparisons (so no lag consequences, etc).
__________________
"A scientist has never burned a religious person for affirming God without proof." Manuel Toharia
"one starts to realise that the thing about not exercising, eating and drinking as if it were the Last Supper, and keeping your figure no longer exists..." Maryan

Last edited by arlick; 03-27-2009 at 12:28 PM.
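The mechanism posts #5, #7 and #8 argue about, written out as an added example (not code from the game, from NGD, or from anyone in this thread): each whitespace-delimited chat token is hashed and compared against a salted verifier, on the client side, so the plaintext password never has to be kept around for the check. The password, salt and round count are constructed for the demo; the punctuation stripping (which catches the "yourpassword." miss from post #1) and the masking function (the "just hide it" alternative to a warning, also from post #1) are additions of mine, not features the thread says the game has.

```python
import hashlib
import hmac
import os
import re
from typing import Iterator, Optional, Tuple

# Every chat token gets hashed, so the per-line cost is tokens * ROUNDS; kept
# low here, which is exactly the overhead trade-off the thread argues about.
ROUNDS = 2_000

# Constructed sample values for the demo, not the game's.
SAMPLE_PASSWORD = "Altaruk2009"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

_EDGE_PUNCT = re.compile(r"^[^\w]+|[^\w]+$")


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-SHA256 verifier. The chat check only needs this,
    so the plaintext password never has to stay in memory on the client."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)

def candidate_tokens(line: str) -> Iterator[str]:
    """Yield each whitespace-delimited word and, when it differs, the same word
    with leading/trailing punctuation stripped, so "yourpassword." is caught."""
    for word in line.split():
        yield word
        bare = _EDGE_PUNCT.sub("", word)
        if bare and bare != word:
            yield bare

def find_password(line: str, salt: bytes, verifier: bytes) -> Optional[str]:
    """Return the first token whose hash matches the verifier, else None.
    A password containing spaces is never matched, the gap Zodar points out."""
    for tok in candidate_tokens(line):
        digest = hashlib.pbkdf2_hmac("sha256", tok.encode("utf-8"), salt, ROUNDS)
        if hmac.compare_digest(digest, verifier):
            return tok
    return None

def redact_line(line: str, salt: bytes, verifier: bytes) -> Tuple[str, bool]:
    """Mask a matching token with asterisks before the line leaves the client
    (the "hide it" option from post #1); returns (line, was_redacted)."""
    tok = find_password(line, salt, verifier)
    if tok is None:
        return line, False
    return line.replace(tok, "*" * len(tok)), True
```

Calling `redact_line("my pass is Altaruk2009.", *make_verifier(SAMPLE_PASSWORD, SAMPLE_SALT))` returns the line with the password masked and `True`; the trailing dot is what the game's filter reportedly tripped over.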
Old 03-27-2009, 12:22 PM   #9
Snoid
Master
 
Join Date: Feb 2007
Location: Altaruk :) Posts:31,337
Posts: 446

Quote:
Originally Posted by arlick
1 and 2 are not important, because the comparison is made on the client side, so they don't know about your password (you can't ever know it, you just have to believe it), and the server will not get worse doing comparisons (so no lag consequences, etc).
Did you make tests to confirm that? I always assumed that the server was receiving the data and giving the response, but I never really checked this.
__________________
I'm an outsider, outside of everything...
RAMNA

Elected Miss Ignis 2009 by popular vote
Old 03-26-2009, 02:46 PM   #10
-Edge-
Banned
 
Join Date: Jun 2007
Location: Łódż, Poland
Posts: 1,506

Well, I see the reason for this; just in this month there have been more and more occurrences of people getting their characters deleted, by accident, or from a friend, etc. I guess this breaks into that line,

I see nothing wrong with passing on your account to a friend after you don't want it, as long as you are positive you won't complain about it later. If you do, don't do it in game.
All times are GMT.