Dear NGD, me is sorry

Angel_de_Combate · 03-26-2009, 10:41 AM

Right last night, i was on Horus id just had a friend download the game, so i went to Initiation summit to meet him. So i gave him some gold, some items then i said if you get bored grinding and questing you can have my pass to have a play with my hunter. Right now the scary bit, as i typed in my password this big scary red writing came up..blah blah PERMANENTLY BANNED !!!!! EEEEKKK. Ok so NGD im sorry i really didnt know that i shouldnt have done that, seeing as i havent played in many months.

Therefore i have 2 questions :-

1. Are you going to ban me (cause i like this game loads) ?
2. Can other players not use your account anymore, even if they've been given permission by the account holder ?

Cheers
Meco

Aries202 · 03-26-2009, 01:01 PM

I know your not blind Emily, everytime you log in you'll see the message dont give out your password. Right ontop of the chat log..Take it from me, dont share your account.

niclam · 03-26-2009, 01:23 PM

Hello,

To be perfectly clear:

1) That you tried to, willingly or not, share a password does not necessarily mean that your account is going to be banned, but if something happens (like your characters being deleted. This might come as a surprise to some but this happens more often than you'd think) you could have a preemptibe account desactivation.

2) For a long list of reasons that conclude in privacy and account security, here it goes again: It's completely forbidden to give your password to anyone. There are no exceptions. And NGD Studios won't ever request your password, not inside the game and not by e-mail or any other medium.

Regards

Snoid · 03-26-2009, 01:30 PM

Im not understanding this.

So, if i type my password in a chat, i receive a warning?

Edit: Hi Echelon! i just tested it, and yes. If you type your password, you get a red warning message, scary.
Well, it is not a very clever filter, and if you type "yourpassword." ended with a dot, it doesnt recognize it.

I dont like the idea of a function constantly looking our chats and comparing them with account password, which now i think, are stored unencripted. Or are you hashing every chunk of chat to compare?
Indeed, i dont like the idea of having such warning, as it's just a positive match, and does nothing but scare the user (what if my password is a common phrase used in common language?). This "security measure" is not raising the level of security in any form.

I dont like it at all.

Why dont you store passwords crypted? why dont you force the user to choose a strong password? why dont you salt hashes? why is all chat sent unencripted, even if you recognize a password in it? Why not just "hide" the password if recognized? (even if it's a bad solution too)

Im not here to tell anyone how to do his job, but im a customer. And i need some warranties about my privacy.

Regards.

Zodar · 03-26-2009, 02:44 PM

I work in I.T and the flippant attitude some users have towards their accounts and passwords REALLY PISSES ME OFF

Everyone knows they shouldn't give their details to other users and pleading ignorance is no excuse.

What if you'd given your cash card details to a friend and they decided to take all your money our of your account? Would you then ask your bank to repay the money? NO!

If you are account has been disabled then you've learned a valuable lesson in Data Protection and computer security, so hopefully you'll think twice next time

-Edge- · 03-26-2009, 02:46 PM

Well I see the reason for this, just in this month there have been more and more occurances of people getting their characters deleted, by accident, or from a friend, etc. I guess this breaks into that line,

I see nothing wrong with passing on your account to a friend after you don't want it, as long as you are positive you won't complain about it later. If you do, don't do it ingame.

Zodar · 03-26-2009, 04:41 PM

Quote:

Originally Posted by Snoid

Im not here to tell anyone how to do his job, but im a customer. And i need some warranties about my privacy.

Oh come on, this is just an excuse to rant an NDG for someone else's stupidity. Logging into the forum and the main page is via http and not https and that doesn't appear to have bothered enough people to kick up a fuss.

If anyone is stupid enough to type their password into a chat window, then it doesn't really matter how NGD stores it.

Apart from that, what makes you say its not stored encrypted? Its fairly trivial to compare a word against an encrypted password and then return a true or false if there's a positive match.

Snoid · 03-26-2009, 04:57 PM

Quote:

Originally Posted by antowen

Oh come on, this is just an excuse to rant an NDG for someone else's stupidity. Logging into the forum and the main page is via http and not https and that doesn't appear to have bothered enough people to kick up a fuss.

If anyone is stupid enough to type their password into a chat window, then it doesn't really matter how NGD stores it.

Apart from that, what makes you say its not stored encrypted? Its fairly trivial to compare a word against an encrypted password and then return a true or false if there's a positive match.

Excuse? what have i to excuse?
I dont bother about https or http login, as they store passwords in a safe. I keep safe my own lan. Do they? I dont know. I bother about how they store my info. Do you?

It's trivial to compare ONE password, but it seems they are comparing every chatline, to see if it contains the valid password. Do they crypt all the chunks between spaces before to compare it to a hash of the password? i doubt it. And that's not trivial.

This is not about stupid persons, it's about stupid security implementations.

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

If, as is implied in you message, this is a feature only for stupid people, well, maybe they get scared, or they just have a nice confirmation, or they just ignore any RED WARNING MESSAGE.

But this system is not avoiding anything. And they can get this information privately, anyway.

Zodar · 03-27-2009, 12:59 AM

Quote:

Originally Posted by Snoid

It's trivial to compare ONE password, but it seems they are comparing every chatline, to see if it contains the valid password.

I would imagine they would only compare the text you type against your own password, not everyone's.

Quote:

Do they crypt all the chunks between spaces before to compare it to a hash of the password? i doubt it. And that's not trivial.

That's assuming the password doesn't contain a space. As far as hashing it is concerned, it really is quite trivial. For example, I can generate a 150+character SSHA encrypted password in a fraction of a second (actually using the OpenLDAP password tool called slappasswd) and that's with pasting a password in at the console prompt or using an expect script. It would be even faster using something custom written that didn't wait for keyboard interaction. We're only talking about a few 100 bytes each time, so the overhead is miniscule.

Quote:

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

I'm not suggesting that you are, but clearly there are *some* people stupid enough to type their passwords into a chat window. What happens if they do it in public chat?

With regards to a brute force attack, even if the system is only checking your own password, I will agree that this might be possible, but only if the user is already logged in and is dumb enough to leave their terminal in a public place, without locking it. If that's the case then, quite frankly, they're asking for trouble. Its still more secure than web browsers offering to remember passwords.

Quote:

But this system is not avoiding anything. And they can get this information privately, anyway.

Yes they can and that's completely out of NGD 's control. However, if someone is using NGD's system, then NGD have every right to implement any security feature they see fit. I scan everyone's email in work for executable attachments, viruses and inappropriate words - it doesn't mean I need to read everyone's email to do it, I have installed software and written scripts to take care of it for me. These spit out warnings, either to the I.T staff or to the user, depending on what's detected.

I can't see it being any different to that to be perfectly honest.

iteomagazu · 03-27-2009, 11:01 AM

Quote:

Originally Posted by antowen

I scan everyone's email in work for executable attachments, viruses and inappropriate words

?? Huh... Againt inappropriate words too? This is frightening...

I don't want NGD to encrypt everything, since i guess everything would slow down then - and hell, it is slow enough!

Just do not give away your passwords - i think that is much more dangerous than unencrypted chats...

Quote:

Originally Posted by Snoid

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

As we can see by this thread (and some more on the other servers) it works by scaring the users that want to give away their password.

03-26-2009, 10:41 AM	#1
Angel_de_Combate Banned Join Date: Jan 2008 Posts: 440	Dear NGD, me is sorry Right last night, i was on Horus id just had a friend download the game, so i went to Initiation summit to meet him. So i gave him some gold, some items then i said if you get bored grinding and questing you can have my pass to have a play with my hunter. Right now the scary bit, as i typed in my password this big scary red writing came up..blah blah PERMANENTLY BANNED !!!!! EEEEKKK. Ok so NGD im sorry i really didnt know that i shouldnt have done that, seeing as i havent played in many months. Therefore i have 2 questions :- 1. Are you going to ban me (cause i like this game loads) ? 2. Can other players not use your account anymore, even if they've been given permission by the account holder ? Cheers Meco

03-26-2009, 01:23 PM	#3
niclam Legend Join Date: Mar 2006 Posts: 1,636	Hello, To be perfectly clear: 1) That you tried to, willingly or not, share a password does not necessarily mean that your account is going to be banned, but if something happens (like your characters being deleted. This might come as a surprise to some but this happens more often than you'd think) you could have a preemptibe account desactivation. 2) For a long list of reasons that conclude in privacy and account security, here it goes again: It's completely forbidden to give your password to anyone. There are no exceptions. And NGD Studios won't ever request your password, not inside the game and not by e-mail or any other medium. Regards __________________ niclam

03-26-2009, 01:30 PM	#4
Snoid Master Join Date: Feb 2007 Location: Altaruk :) Posts:31,337 Posts: 446	Im not understanding this. So, if i type my password in a chat, i receive a warning? Edit: Hi Echelon! i just tested it, and yes. If you type your password, you get a red warning message, scary. Well, it is not a very clever filter, and if you type "yourpassword." ended with a dot, it doesnt recognize it. I dont like the idea of a function constantly looking our chats and comparing them with account password, which now i think, are stored unencripted. Or are you hashing every chunk of chat to compare? Indeed, i dont like the idea of having such warning, as it's just a positive match, and does nothing but scare the user (what if my password is a common phrase used in common language?). This "security measure" is not raising the level of security in any form. I dont like it at all. Why dont you store passwords crypted? why dont you force the user to choose a strong password? why dont you salt hashes? why is all chat sent unencripted, even if you recognize a password in it? Why not just "hide" the password if recognized? (even if it's a bad solution too) Im not here to tell anyone how to do his job, but im a customer. And i need some warranties about my privacy. Regards. __________________ I'm an outsider, outside of everything... RAMNA Elegida Miss Ignis 2009 por votación popular Last edited by Snoid; 03-26-2009 at 03:07 PM.

03-26-2009, 02:44 PM	#5
Zodar Apprentice Join Date: Aug 2008 Location: UK Posts: 93	I work in I.T and the flippant attitude some users have towards their accounts and passwords REALLY PISSES ME OFF Everyone knows they shouldn't give their details to other users and pleading ignorance is no excuse. What if you'd given your cash card details to a friend and they decided to take all your money our of your account? Would you then ask your bank to repay the money? NO! If you are account has been disabled then you've learned a valuable lesson in Data Protection and computer security, so hopefully you'll think twice next time __________________ Zodar - The Evil Bald Fu^wPerson...

03-26-2009, 01:01 PM	#2
Aries202 Banned Join Date: Mar 2007 Location: New York City Posts: 569	I know your not blind Emily, everytime you log in you'll see the message dont give out your password. Right ontop of the chat log..Take it from me, dont share your account.

03-26-2009, 02:46 PM	#6
-Edge- Banned Join Date: Jun 2007 Location: Łódż, Poland Posts: 1,506	Well I see the reason for this, just in this month there have been more and more occurances of people getting their characters deleted, by accident, or from a friend, etc. I guess this breaks into that line, I see nothing wrong with passing on your account to a friend after you don't want it, as long as you are positive you won't complain about it later. If you do, don't do it ingame.