Please update your Password - Page 2 - Archives - WarpPortal Community Forums


Please update your Password


  • This topic is locked
78 replies to this topic

#26 AhinaReyoh

AhinaReyoh

    Too Legit To Quit

  • Members
  • 1088 posts
  • Playing:Ragnarok Online

Posted 02 February 2011 - 09:36 PM

Not again...

I need a new paper, my old one is all covered in RO and college passwords.
  • 0

#27 Kiryu

Kiryu

    Too Legit To Quit

  • Members
  • 2092 posts
  • LocationLily of Elon -Crystal Desert
  • Playing:Nothing
  • Server:Sea of Sorrows - GW2

Posted 02 February 2011 - 10:48 PM

I guess the incentive is that you won't have the password updated by "surprise".

I'd rather give cookies and milk to those that didn't need the reminding to do the password changes as well.

Brute force is one vector, but from experience it is not the majority, keyloggers and man in the middles seem way more prevalent (assuming it isn't account sharing and they were not being truthful with us).



Hey, I want cookies, I change my password every two months =O at least

P.s: XD blame my job, they have me doing three different passwords, a security question and an unchangeable personal question every two months

Edited by Kiryu, 02 February 2011 - 10:49 PM.

  • 0

#28 Mwrip

Mwrip

    Too Legit To Quit

  • Members
  • 1295 posts
  • LocationSomewhere...

Posted 02 February 2011 - 10:56 PM

1st off the passwords are heavily encrypted and salted. I have no idea what your PW is, no one here does. But we can tell if 2 hashes are the same as it was before.

As far as the system denying you to reuse passwords, we are currently working on that functionality. It is not in the immediate update plans though, but is in the work list.

Basically if you are using the password you used at the end of 2009 you are going to get changed.


If the hash is the same, that means your salt isn't being randomly generated. This means that if someone were to subtly break into your server, it would be possible to obtain EVERYONE's password by making a rainbow table.

http://en.wikipedia....i/Rainbow_table

Of course, it's also possible that every user does have a unique salt, and you just don't change the salt for that user on password change. If this is the case, then you're fine.

Edited by Mwrip, 02 February 2011 - 11:09 PM.

  • 0

#29 Charisma

Charisma

    Amateur Blogger

  • Members
  • 421 posts
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 02 February 2011 - 11:07 PM

Kinda funny. I can kinda understand my main account getting an e-mail. I liked my password and I didn't give it out and when I wanted to share my account, I changed the password during the time it was to be loaned out and changed it back when I wanted control.

Secondary account however... It's an older account, but I didn't start using it until like... late last year and while it's a totally shared account, its password changes a lot ('cos I like to lock it down when I'm vending) yet it got an e-mail.

Third account makes absolutely no sense. It's a very very new account that I just started to use within the past month or so. I've decided not to share it period.

I'll change... Guess I'll have to...
  • 0

#30 Dukeares

Dukeares

    Too Legit To Quit

  • Members
  • 1113 posts
  • Playing:Ragnarok Online

Posted 02 February 2011 - 11:25 PM

I sure hope those gold botters forgot their password so I can enjoy 1 week of free Bot
  • 0

#31 espeon

espeon

    Awarded #1 Troll

  • Members
  • 636 posts
  • LocationUnited States
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 02 February 2011 - 11:25 PM

Not again...

I need a new paper, my old one is all covered in RO and college passwords.

http://keepass.info/ :D
  • 0

#32 Xellie

Xellie

    Valkyrie

  • RO Fungineering
  • 18610 posts
  • Twitter:@nekoxellie
  • LocationValhalla
  • Playing:Ragnarok Online
  • Server:Europe ban!

Posted 03 February 2011 - 12:10 AM

1st off the passwords are heavily encrypted and salted. I have no idea what your PW is, no one here does. But we can tell if 2 hashes are the same as it was before.

As far as the system denying you to reuse passwords, we are currently working on that functionality. It is not in the immediate update plans though, but is in the work list.

Basically if you are using the password you used at the end of 2009 you are going to get changed.


swt.
  • 0

#33 nettokun

nettokun

    I am New.

  • Members
  • 2 posts

Posted 03 February 2011 - 06:45 AM

I already changed to completely new passwords for all of my accounts way back in October, yet all the e-mails are claiming that I haven't done that for over a year. What's up with that?
  • 0

#34 Kahlev

Kahlev

    Amateur Blogger

  • Members
  • 131 posts

Posted 03 February 2011 - 10:17 AM

Of course, it's also possible that every user does have a unique salt, and you just don't change the salt for that user on password change. If this is the case, then you're fine.

Maybe they alternate between sodium and potassium salt? It may help to keep their blood pressure down...

You should be careful though, too much potassium and you could end with kidney problems.

... anyways,

To those complaining that Gravity keeps your password stored, you realize that they cannot run the login process with fairies magically reading your mind to remember if what you wrote is the password you used the first time, true?
  • 0

#35 Tigra

Tigra

    Too Legit To Quit

  • Members
  • 1656 posts

Posted 03 February 2011 - 10:22 AM

Ok, seriously? Why do I have to change my passwords? I have never had a problem with anyone breaking into my account.
I rotate my passwords; I have 3 that I use. ALL of my accounts got an email saying the password was bad. So even if I changed my passwords a week ago, I get an email saying it's an old password? So what? (BTW, it's a password you guys gave me).

Why are you keeping track of my passwords? Maybe you guys should be backing up the servers so when you implement an OCA VENDER you can do a rollback.
  • 0

#36 Mwrip

Mwrip

    Too Legit To Quit

  • Members
  • 1295 posts
  • LocationSomewhere...

Posted 03 February 2011 - 11:01 AM

Maybe they alternate between sodium and potassium salt? It may help to keep their blood pressure down...

You should be careful though, too much potassium and you could end with kidney problems.

... anyways,

To those complaining that Gravity keeps your password stored, you realize that they cannot run the login process with fairies magically reading your mind to remember if what you wrote is the password you used the first time, true?


What I'm talking about is the difference between a password that's crackable and one that isn't. Obviously, they have to store the password in some form, the key is to store it in a form that's not easily reversed if someone sneaks in with a subtle hack that they don't catch.

Companies that fail to do this tend to suddenly find a few thousand accounts not in control of their original owners, because all it takes is one lucky script kiddie and a rainbow table. Now obviously, this isn't as big of an issue as it'd be with something more important like a bank, but it can result in a pretty massive server rollback.

It's not like it's at all difficult to fully secure the passwords either. We're talking 15 lines of code, tops.
  • 0

#37 ZeroTigress

ZeroTigress

    My Offline Life is Nonexistent.

  • RO1 Member
  • 15204 posts
  • Playing:Ragnarok Online
  • Server:Sakray->Iris->Ymir->Chaos

Posted 03 February 2011 - 11:08 AM

I have enough to deal with in my life. I don't need to add making new passwords all the time to that, nor do I want to. <_<
  • 1

#38 Heimdallr

Heimdallr

    Too Legit To Quit

  • Community Managers
  • 3654 posts
  • Playing:Ragnarok Online

Posted 03 February 2011 - 11:10 AM

A rainbow table to figure out 1 account... Yes in theory if everything went perfect like getting the table, knowing your account. Then making a rainbow table for JUST YOU, and somehow knew some of your old passwords to compare it to, and the hashes accompanying them.

Of course they could also just trick you into using a keylogger...

What if scenarios can always lead where you want it, but realistically speaking it isn't feasible. The password tables are safe, security in our network is great.. it's that whole internet between you and us that I think is a bigger risk.

Oh the list of emails sent out, were if your password is the same today as it was pre-October 5th 2010
Which those were changed because they were pre-October 2009 PWs.
  • 0

#39 hoikarnage

hoikarnage

    Too Legit To Quit

  • Members
  • 1876 posts

Posted 03 February 2011 - 11:25 AM

I'm really getting tired of companies forcing their users to change their passwords, or making the password process so complicated that you can never use the password you want to use. It reeks of bad management. It's not just RO.

"Your password must begin with a letter and include a number, underscore, 3 symbols and a tissue sample." Screw this nonsense. There are only two ways a password is going to be compromised, a) careless security on the part of management b) careless security on the part of the user.

Since I find it hard to believe iRO really cares about the people who have been hacked due to their own visits to gold selling websites, I always assume the worst when we are asked to change our passwords- that iRO once again screwed up somewhere.

imo leave us alone to make our own goddamn decisions about the security of our passwords, or admit you have compromised our passwords.

Edited by hoikarnage, 03 February 2011 - 11:27 AM.

  • 2

#40 Starkey

Starkey

    I made it Off Topic

  • Members
  • 20 posts
  • LocationGallatin, TX
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 03 February 2011 - 03:36 PM

I don't understand why people are getting upset, though cookies and milk would be awesome.
  • 0

#41 binn

binn

    Amateur Blogger

  • Members
  • 149 posts
  • Playing:Ragnarok Online

Posted 03 February 2011 - 04:50 PM

If 90% of people can't make and remember a complex password then those 90% are retarded.

You should get in the habit of making/using/changing complex passwords for ur future job/college/bank/credit cards/e filing tax service/email/etc

You're gonna run into it everywhere once u grow up and not livin in ur mom's basement.

Most more secure services require 3-6 month intervals with explicit rules such as must use a number, must use a special key, must have 1 capital letter, can't use ur name/dob/Etc

It's easy just make a default string and change around some numbers/word then if u have trouble remembering email it/lock app/write down somewhere same

An example of a secure password u can change is

Irbadat1ife!

Then u can change it to

Irstillbad@life

See?? Simple right ??? And u can still be a toys r us kid!!
  • 0

#42 Mwrip

Mwrip

    Too Legit To Quit

  • Members
  • 1295 posts
  • LocationSomewhere...

Posted 03 February 2011 - 05:03 PM

A rainbow table to figure out 1 account... Yes in theory if everything went perfect like getting the table, knowing your account. Then making a rainbow table for JUST YOU, and somehow knew some of your old passwords to compare it to, and the hashes accompanying them.

Of course they could also just trick you into using a keylogger...

What if scenarios can always lead where you want it, but realistically speaking it isn't feasible. The password tables are safe, security in our network is great.. it's that whole internet between you and us that I think is a bigger risk.

Oh the list of emails sent out, were if your password is the same today as it was pre-October 5th 2010
Which those were changed because they were pre-October 2009 PWs.


Ah, ok, it is different salts for each user, and you're just not changing the salt on password change. In that case, yeah, there's no problem.
  • 0
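
The per-user salt and hash comparison discussed in posts #28, #36 and #42, as an added example that is not part of the thread and not Gravity's code. PBKDF2, the iteration count, the record layout and every function name here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for your hardware

def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256) of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def new_record(password: str) -> dict:
    """Store a fresh random 16-byte salt next to the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}

def verify(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], derive(password, record["salt"]))

def unchanged_since(snapshot: dict, current: dict) -> bool:
    """Audit check: identical salt and hash means the password was never changed."""
    return snapshot == current

def change_password(account: dict, new_password: str) -> bool:
    """Rotate to a new salt and hash; refuse the current or any archived password."""
    if any(verify(old, new_password) for old in [account["current"], *account["history"]]):
        return False
    account["history"].append(account["current"])
    account["current"] = new_record(new_password)
    return True

def demo() -> dict:
    # Constructed sample accounts; both users pick the same password.
    alice = {"current": new_record("poring123"), "history": []}
    bob = {"current": new_record("poring123"), "history": []}
    snapshot = dict(alice["current"])  # e.g. a copy of the row from the last audit
    return {
        "same_hash_across_users": alice["current"]["hash"] == bob["current"]["hash"],
        "flagged_before_change": unchanged_since(snapshot, alice["current"]),
        "reuse_rejected": not change_password(alice, "poring123"),
        "change_accepted": change_password(alice, "drops-card-4ever"),
        "flagged_after_change": unchanged_since(snapshot, alice["current"]),
        "old_password_rejected_later": not change_password(alice, "poring123"),
    }

if __name__ == "__main__":
    print(demo())
```

Because each record carries its own random salt, two users with the same password get different hashes, so a single precomputed table cannot cover the whole password table; reuse is still detectable by re-deriving the candidate under each archived salt.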

#43 hoikarnage

hoikarnage

    Too Legit To Quit

  • Members
  • 1876 posts

Posted 03 February 2011 - 06:04 PM

If 90% of people can't make and remember a complex password then those 90% are retarded.

You should get in the habit of making/using/changing complex passwords for ur future job/college/bank/credit cards/e filing tax service/email/etc

You're gonna run into it everywhere once u grow up and not livin in ur mom's basement.

Most more secure services require 3-6 month intervals with explicit rules such as must use a number, must use a special key, must have 1 capital letter, can't use ur name/dob/Etc

It's easy just make a default string and change around some numbers/word then if u have trouble remembering email it/lock app/write down somewhere same

An example of a secure password u can change is

Irbadat1ife!

Then u can change it to

Irstillbad@life

See?? Simple right ??? And u can still be a toys r us kid!!


You are an idiot. It's not about remembering passwords, it's about the real reason we keep getting these forced changes. Companies don't generally ask people to change their passwords unless the passwords have been compromised somehow.

Also by dumbing down the password creation system to the point where everybody has to have a number/symbol/capital, you are not making it safer, but in fact are giving hackers clues. Might as well make a new rule: "Everyone's password must be Zderf_n137"

Edited by hoikarnage, 03 February 2011 - 06:05 PM.

  • 1

#44 Maka

Maka

    Awarded #1 Troll

  • Members
  • 991 posts
  • LocationLimbo
  • Playing:Nothing

Posted 03 February 2011 - 06:10 PM

Wow 10,500 people play RO o.o I expected the number to be lower.
  • 0

#45 Xellie

Xellie

    Valkyrie

  • RO Fungineering
  • 18610 posts
  • Twitter:@nekoxellie
  • LocationValhalla
  • Playing:Ragnarok Online
  • Server:Europe ban!

Posted 03 February 2011 - 06:51 PM

I don't understand why people are getting upset, though cookies and milk would be awesome.


Incorrect information or assuming the customer is a complete fool is really a quick way to piss them off, imo. That'll explain why some people are getting upset.
  • 0

#46 meoryou2

meoryou2

    Too Legit To Quit

  • Members
  • 1176 posts
  • LocationAFK in Ymir pront
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 03 February 2011 - 07:45 PM

If 90% of people can't make and remember a complex password then those 90% are retarded.

You should get in the habit of making/using/changing complex passwords for ur future job/college/bank/credit cards/e filing tax service/email/etc

You're gonna run into it everywhere once u grow up and not livin in ur mom's basement.

Most more secure services require 3-6 month intervals with explicit rules such as must use a number, must use a special key, must have 1 capital letter, can't use ur name/dob/Etc

It's easy just make a default string and change around some numbers/word then if u have trouble remembering email it/lock app/write down somewhere same

An example of a secure password u can change is

Irbadat1ife!

Then u can change it to

Irstillbad@life

See?? Simple right ??? And u can still be a toys r us kid!!


you must be retarded, why don't you sit over there ----->

I have had my own Network Consulting business for over 10 years. I have forgotten more about security than you will ever learn, and know more than you could learn in 2 lifetimes.


EDIT: yeah, your "secure" password is anything but. One number only, no CaSEchaNgeS, no underscores breaking dictionary words..... I could go on and on.

Edited by meoryou2, 03 February 2011 - 07:47 PM.

  • 0

#47 AsuraStrike

AsuraStrike

    I made it Off Topic

  • Members
  • 81 posts
  • LocationJust a RO Player passing through
  • Playing:Ragnarok Online
  • Server:RO1 - Chaos, RO2 - Odin

Posted 03 February 2011 - 07:49 PM

the problem for me is I can't get to the login site as it keeps recovering the tab
  • 0

#48 hoikarnage

hoikarnage

    Too Legit To Quit

  • Members
  • 1876 posts

Posted 03 February 2011 - 08:11 PM

Also constantly asking users to change passwords opens up the playing field for phishing emails. "Oh look we gotta change our email again, let's get this over with". After a while we change so much it becomes mundane and some noob might slip up and fall for the trick of a scam email.
  • 0

#49 WMDs

WMDs

    I made it Off Topic

  • Members
  • 41 posts

Posted 03 February 2011 - 10:10 PM

Also constantly asking users to change passwords opens up the playing field for phishing emails. "Oh look we gotta change our email again, let's get this over with". After a while we change so much it becomes mundane and some noob might slip up and fall for the trick of a scam email.


I recognise that avatar .... is that Dr Tame ???
  • 0

#50 hoikarnage

hoikarnage

    Too Legit To Quit

  • Members
  • 1876 posts

Posted 04 February 2011 - 01:01 AM

Yup.
  • 0



