Thread Status: Locked
Total posts in this thread: 24
This topic has been viewed 25788 times and has 23 replies
Cleaver
Captain
Joined: May 7, 2002
Posts: 3124
Username/Password Stings, 'Mods' and so forth

Do not give out your Password to Anyone

Recently someone has been trying to dupe people out of their usernames and passwords as a character called 'Mod' (who is now banned).

People, we don't need your username and password. We will never ask for them. If someone does, /complain about them immediately and alert me or another Ringer if we're online. Don't give out your username and password. We will NOT ask for it.

Real admins are: Cleaver, Nemo, Jack, Peghead, Lass, Bluebeard, Sophocles, Calrissian, Hussar and Lizthegrey and will have Blue names.

Real Ocean Masters are: Artemis, Poseidon, Hermes, Demeter, Mnemosyne, Castor, Lelantos, Bia, Dionysus, Eurydice, Hypnos, Nemesis, Prometheus, Amphitrite and Clio, and will have Blue names.

Do not Save your Password on a Shared Computer

Please remember to check that you have disabled password storing before using a shared computer. It may only be shared with family, or you are using a computer at a friend's house, rather than a publicly accessible computer, but the same rules about protecting your password apply. The game will store the last used log-in information otherwise, so the next person to start the game will be presented with your log-in information and can access your account.

If you forget to check the status before logging on, log out and disable it by choosing "More Options" and clearing the check box, then log in again. This will clear your password.

- from Demeter, more information about this here:

http://www.puzzlepirates.com/community/mvnforum/viewthread?thread=2898
----------------------------------------
[Edit 3 times, last edit by Cleaver at Aug 12, 2003 3:55:09 AM]
[Aug 12, 2003 3:55:09 AM]
Xerin



Joined: Jul 28, 2003
Posts: 1
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Sad thing it happens in every online game =/
[Aug 12, 2003 11:27:40 PM]
jfjnpxmy



Joined: May 12, 2003
Posts: 103
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Xerin wrote: 
Sad thing it happens in every online game =/


And there's always some people who fall for it.
[Aug 13, 2003 4:19:09 AM]
Jaghond



Joined: Jul 28, 2003
Posts: 11
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

jfjnpxmy wrote: 
And there's always some people who fall for it.


And that be the saddest thing of all.
----------------------------------------
Jaghond
_________________

That's right. The same as the forum name.
[Aug 9, 2005 4:00:00 PM]
Chibimorph



Joined: Jul 28, 2003
Posts: 6
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

*grabs a flyswatter* No username/password stings for me!
[Aug 17, 2003 7:29:19 AM]
BrokenShard
Joined: Jul 25, 2003
Posts: 276
Re: Username/Password Stings, 'Mods' and so forth

Actually I think the saddest part is most of the people who try to steal other people's accounts do it because they fell for it first, but yet they are so bad at trying to steal it becomes blatantly obvious, i.e. Assistor* tells you "There is a bug... give me your account name and password... I will fix it" and then of course someone falls for that, making them a stealer, and so on and so forth... but usually the way I've seen it go, the accounts that get stolen have little or nothing on them and they just end up getting bounced around by people like that... THAT is the saddest part of all.

*Assistor is just a sample name; if that really is someone's name I apologize, I didn't mean you said that or anything like it.

-Faldez
-Da Sea Urchin
----------------------------------------
~Faldez the Urchin of Former Legend
[Aug 21, 2003 4:33:46 AM]
6Dragonfly9



Joined: Aug 5, 2003
Posts: 66
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Cleaver wrote: 

People, we don't need your username and password. We will never ask for them. If someone does, /complain about them immediately and alert me or another Ringer if we're online. Don't give out your username and password. We will NOT ask for it.

Real admins are: Cleaver, Nemo, Jack, Peghead, Lass, Bluebeard.

- Cleaver


If it is then maybe I am blind, which is most likely the case, but,
this should really be posted everywhere! On the main webpage on the login screens etc. I know many people don't read the forums.
----------------------------------------
A Note From Yer Local Beta Tester,
Dragonlilly
[Aug 21, 2003 6:08:53 AM]
tipeon



Joined: Jul 19, 2003
Posts: 77
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

It should be written on every screen, every keyboard and every mouse.

This is a universal law of security: No one except YOU (be it an admin, moderator, root, friend, relative or anyone) should know your password.
[Aug 21, 2003 6:22:25 AM]
JonIncognito



Joined: Jul 28, 2003
Posts: 34
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Well, it's a universal rule that anyone who actually needs to know your account information won't need to ask you to get it. Any and all admins of any game that holds your account on an external server ("i.e. not your computer") can simply look up your password in their database, and if they need to make adjustments to your account they can do so without needing your password anyhow.
----------------------------------------
"Super Profundo on the early eve of your day." - Waking Life
[Aug 26, 2003 7:47:02 PM]
tipeon



Joined: Jul 19, 2003
Posts: 77
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

right!
Newbies will have to buy a bigger mouse so that all these rules fit on it! :)
[Aug 27, 2003 12:30:39 AM]
JonIncognito



Joined: Jul 28, 2003
Posts: 34
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Oh, FYI, when I talk about

any game that holds your account on an external server

I'm talking generally about the games that run on "Battle.net" and "Bungie.net". :)

However, I'm sure most of you got that anyways. :P
----------------------------------------
"Super Profundo on the early eve of your day." - Waking Life
[Aug 27, 2003 9:44:36 PM]
garf



Joined: Jun 17, 2003
Posts: 860
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

It should be noted that neither nemoo nor barrghnaby are admins.
----------------------------------------
- Randal

also Garf, Silvain and a few others
[Aug 28, 2003 2:27:37 AM]
Male Guest
Re: Username/Password Stings, 'Mods' and so forth

The information has to be stored somewhere, so yes, they could look it up if they wished.
[Sep 4, 2003 6:31:10 AM]
burrito



Joined: Aug 18, 2003
Posts: 288
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Technically, they could have an authentication system where the passwords would be encrypted and couldn't be decrypted. Of course, that would be retarded, but even so... it's possible. ;D
----------------------------------------
-Peppy, Senior Officer of the Salty Mouthfuls
"Yarr, thar be stairs here."

1st Place, First Drinking Contest, Gaea 24 Hour Bash
2nd Place, Cayte's Sword Tournament, 9/29
[Sep 4, 2003 1:41:46 PM]
Chibimorph



Joined: Jul 28, 2003
Posts: 6
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Point is, they don't need your username and password. They have a separate administration system that changes everything without needing each user's username and password.
[Sep 6, 2003 4:02:30 AM]
Thunderbird
Joined: Sep 4, 2003
Posts: 5762
Re: Username/Password Stings, 'Mods' and so forth

burrito wrote: 
Technically, they could have an authentication system where the passwords would be encrypted and couldn't be decrypted. Of course, that would be retarded, but even so... it's possible. ;D


Excuse me replying to an old thread (can't say I bumped it, 'cause it's a sticky), but many forum systems actually operate that way. MD5 hashes are one-way. What the system does when you log in is apply the MD5 algorithm (or whatever it uses) to your password, and see if it matches the value stored in the database. I know for a fact that this is the way phpBB operates. This is why some BBS systems tell you that your password cannot be retrieved if lost.
----------------------------------------
Pirate tells you, "my, that's one BIG wad o' chewing gum ye have mounted on yer bonce! oO'"
Sungod officer chats, "I wonder if anyone's sailing the harpsichord"
Pirate tells you, "ZOMG CANDYFLOSS!!! *munches*"
[Oct 27, 2003 2:39:54 PM]
lilewyn



Joined: Oct 14, 2003
Posts: 52
Status: Offline

Passwords

Thunderbird wrote: 
burrito wrote: 
Technically, they could have an authentication system where the passwords would be encrypted and couldn't be decrypted. Of course, that would be retarded, but even so... it's possible. ;D


Excuse me replying to an old thread (can't say I bumped it, 'cause it's a sticky), but many forum systems actually operate that way. MD5 hashes are one-way. What the system does when you log in is apply the MD5 algorithm (or whatever it uses) to your password, and see if it matches the value stored in the database. I know for a fact that this is the way phpBB operates. This is why some BBS systems tell you that your password cannot be retrieved if lost.


It's like that with most unices (Unix systems, including Mac OS X and Linux) also. Passwd takes your supplied password, adds some salt, stirs, and ends up with gobbledygook that is a one-way encryption of your password. When Login wants to verify you are you, it does the same process over again to ensure the password matches. Even still, though, a properly secured system using password shadowing doesn't let anyone (even the admin) see the actual password file... you just get to see a dummy in its place. (I mean the file, not the admin!)

I guess it's off topic, but still interesting. :)
----------------------------------------
Azure: Yvette, Lilewyn
Midnight: Yvette
Elsewhere: "Hey, you!"
[Aug 9, 2005 4:00:00 PM]
Guillaume



Joined: Sep 24, 2003
Posts: 34
Status: Offline

Re: Passwords

lilewyn wrote: 
It's like that with most unices (Unix systems, including Mac OS X and Linux) also. Passwd takes your supplied password, adds some salt, stirs, and ends up with gobbledygook that is a one-way encryption of your password. When Login wants to verify you are you, it does the same process over again to ensure the password matches. Even still, though, a properly secured system using password shadowing doesn't let anyone (even the admin) see the actual password file... you just get to see a dummy in its place. (I mean the file, not the admin!)

I guess it's off topic, but still interesting. :)


Continuing in the off-topicness, your definition of shadow password files is booched. Before shadow password files, all user, encrypted password and user information (home directory, user id, group id) were stored in the passwd file. The passwords encrypted in the old passwd format were encrypted using a random salt between 1 and 4096 (56-bit), and the password was hashed based on that salt (single-DES encryption). However, due to the very small size of the salt, it was generally easy to do dictionary-based attacks on them, since encoding a word 4096 times is very fast nowadays. So to prevent that, the shadow password suite, which is now standard, leaves all the user information in the passwd file for backwards compatibility, but stores the password encrypted in the shadow file. The option to use other encryption formats such as MD5 hash, as mentioned earlier in the thread, does exist, and IMHO should be implemented: a 128-bit key is far better than the 56-bit key default. Anyhow, I digress; the shadow file is generally only readable by people with permission to the root directory, so that prevents people from being able to copy it, and only allows the system or people with privileges to access it. Of course I could go into a tangent about poorly written system code with buffer overflows that could give you a dump of the shadow file, but this is Puzzle Pirates, not a security lecture ;)

Sorry for continuing the tangent/off-topicness... please proceed to the nearest sloop and commence carping!
[Oct 27, 2003 10:48:12 PM]
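The storage scheme Thunderbird, lilewyn and Guillaume describe (keep only a salt and a one-way digest, check a login by repeating the computation) as an added example; this is not code from the thread, phpBB or Puzzle Pirates. MD5 and the 12-bit-salt DES crypt(3) mentioned above are obsolete, so the example uses the standard-library hashlib.pbkdf2_hmac with a 16-byte random salt, but the verify-by-rehash logic is the same one the posts explain.

```python
"""Salted one-way password storage with verify-by-rehash (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # work factor: slows each guess against a stolen table
SALT_BYTES = 16       # 128 random bits, versus the 4096 possible crypt(3) salts


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Redo the same computation with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def register(users: Dict[str, Tuple[bytes, bytes]], name: str, password: str) -> None:
    """Store only salt and digest; the password itself is never written anywhere,
    so an admin reading the table cannot look it up, and 'forgot password'
    can only mean 'reset', exactly as the BBS systems in the thread say."""
    users[name] = hash_password(password)


def login(users: Dict[str, Tuple[bytes, bytes]], name: str, password: str) -> bool:
    """Unknown names still pay for one hash, so response time does not reveal
    whether the account exists (dummy record is constructed, never valid)."""
    salt, stored = users.get(name, (b"\x00" * SALT_BYTES, b"\x00" * 32))
    ok = verify_password(password, salt, stored)
    return ok and name in users


def same_password_different_salts(password: str) -> bool:
    """Two registrations of one password give unrelated records: a digest table
    precomputed for a word list has to be redone per salt, which is what a
    4096-value salt failed to make expensive and a 128-bit one does."""
    (s1, d1), (s2, d2) = hash_password(password), hash_password(password)
    return s1 != s2 and d1 != d2
```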
RedDog
Joined: Aug 31, 2003
Posts: 842
User name in the forums

If someone else has said this then I apologise, but it seems to me there is a little hole in the system on here. I used a different login name to my pirate names because if someone has your login they only have to guess your password. However, when we come to the forums the logins are all there to see. So with a simple password cracker program you could harvest loads of people's accounts. Taking just 10 PoE from each account each week probably wouldn't be noticed and you could build up quite an empire.
If the pirate names could not be the same as the login and pirate names were displayed in the forums, this would go some tiny way to plugging this hole.
Note - Q2cX#_1e4d, a good password cracking program resolved this in 122 minutes when running across my home network (11 PCs). At work, if I had admin access (which I don't), I could run the same program over several thousand PCs and several hundred servers at the same time. So if your login is Bobbafett and your password is Bobbafett you are asking for trouble.
Oh! Maybe I shouldn't use RedDog as a password anymore ;)

Seasnake - Captain of The Flying Tigers and King of The Patrician's Flag
AKA RedDog - Finest pilot in three world wars.
----------------------------------------
Captain of the Flying Tigers, King of The Patrician's Flag
Fortunately the seasnake rarely bites humans.

11 years and still flying the flag.
[Nov 18, 2003 5:42:05 PM]
Cleaver
Captain
Joined: May 7, 2002
Posts: 3124
Re: User name in the forums

RedDog wrote: 

If the pirate names could not be the same as the login and pirate names were displayed in the forums this would go some tiny way to plugging this hole.

Total revision of the forums, including posting as Pirates, is firmly on the list.
[Nov 18, 2003 6:02:19 PM]
Scotto



Joined: Dec 25, 2003
Posts: 1
Status: Offline

Re: Username/Password Stings, 'Mods' and so forth

Additionally, requiring passphrases rather than passwords, with a minimum length of eight or more characters in the phrase, would help security. Forget the upper case, special characters nonsense. The most common attack uses a dictionary lookup attack, followed by a brute force attack. On your average computer, a brute force attack can break any 5 character password (regardless of how complex it is) in a few minutes. The length of time grows exponentially with each character in the password. A pass-phrase like "shiver me timbers matey" is easy to remember (so it won't get written down and stuck onto the monitor) and at 23 characters would take most desktop computers 3000 years to break, and an NSA supercomputer a couple of years.

Brief version: require long passwords
[Jan 19, 2004 1:47:10 AM]
Cedric
Joined: Jul 17, 2003
Posts: 2301
Re: Username/Password Stings, 'Mods' and so forth

I already registered a separate forum account to post as, so "Cedric" isn't my login name. This was natural for me when I saw how the system worked here, but I'm a longtime forum admin.

It works, but since you've been posting with your login account, you'd need to do some futzing around with the accounting department.

Oh, and "shivermetimbers" wouldn't last all that long, since anyone trying to dictionary their way into a puzzle pirate account would add piratey phrases to their word lists.
----------------------------------------
Captain of the Yellow Jackets (Midnight)
Not to be taken internally (or seriously)
May cause rash
[Jan 19, 2004 2:16:34 AM]
ekerin
Joined: Jul 19, 2003
Posts: 264
Re: Username/Password Stings, 'Mods' and so forth

Brute force methods will work on any password given the ability to ask the server about enough passwords. Many systems implement a lockout and/or delay to get around this.

For example: only allow 1 authentication attempt per second per account (normally implemented by adding a delay before responding whether the login succeeded or failed).

Another common method is, if there are, oh, say 5-10 failed authentication attempts in a time of 15 minutes, lock the account (or block the sending IP) for say 15 minutes. This limits the amount of passwords a cracker can try against the server to a rate that is too slow to be of any use. (Of course, there could be evil implications of locking the account.)

You can't always secure a system against every attack, but you can make it so much work that no one even tries.
----------------------------------------
Hack - I don't even play poker now...
Bootseg.com
[Jan 19, 2004 3:42:46 AM]
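The lockout ekerin sketches (5 failures inside a 15-minute window locks the account, or the sending address, for 15 minutes) as an added example; this is not Puzzle Pirates' code. The clock is injected so the window and lockout can be exercised without waiting, and the comments note the "evil implication" ekerin mentions.

```python
"""Failed-login throttle with a sliding failure window (added example)."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class ManualClock:
    """Stand-in for time.monotonic: advance() moves time forward by hand."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Lock `key` (an account name, or a source IP if you key on that) after
    `max_failures` wrong passwords within `window_s`, for `lockout_s` seconds."""

    def __init__(self, max_failures: int = 5, window_s: float = 900.0,
                 lockout_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str) -> bool:
        return self.clock() < self._locked_until.get(key, float("-inf"))

    def attempt(self, key: str, check_password: Callable[[], bool]) -> str:
        """Return 'locked', 'ok' or 'fail'. While locked the password is not even
        checked, which is the 'evil implication' from the post: anyone who knows
        a login name (and the forum shows them) can keep its owner locked out."""
        now = self.clock()
        if self.is_locked(key):
            return "locked"
        if check_password():
            self._failures[key].clear()  # a success resets the failure count
            return "ok"
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()             # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            recent.clear()
        return "fail"
```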
LongJohnGrey
Joined: Mar 6, 2004
Posts: 2210
Re: Username/Password Stings, 'Mods' and so forth

The best way I know of to generate a pass phrase is to take two phrases, and mix them together -- the front of one, the back of the other.

Or, add in a deliberate misspelling.

Or, just plain confuse a nursery rhyme:

Three blind mice ran up the clock

Or something like that. No dictionary will contain all those, and they are very rememberable. I did something like that when registering my email digital signature.

Mixing pirate themed phrases?

Avast ye plank walker
Load 16 men, whatya get? Dead man's chest and deeper in debt.

Etc.
----------------------------------------
Re: Market on Scurvy Reef:
Hypnos wrote: 
I didn't realize it was such a hot forage spot until I dropped it and three pirates showed up on the island in quick succession.
And it wasn't even 9 spaces from the arrow :-).
[Apr 27, 2004 2:21:55 AM]

Puzzle Pirates™ © 2001-2020 Grey Havens, LLC All Rights Reserved.