*Yawn* Change your passwords again

Talk on any game/console that doesn't have its own forum, including browser-based games

Moderator: Forum Moderators

Post Reply
Dog Pants
Site Moderator
Site Moderator
Posts: 21653
Joined: April 29th, 2005, 13:39
Location: Surrey, UK
Contact:

*Yawn* Change your passwords again

Post by Dog Pants »

This time it's PlaySpan, the company WoT and GW2 use for their in game purchases. Fortunately I've not felt the need to buy anything in GW2 yet, and WoT wouldn't let me when I fancied it. It isn't good enough though. The eye-rolling we all feel when it happens again is because it happens too often. Other companies manage to retain your details without having breaches, but games companies expect you to just tut at the hackers and change your passwords for the nth time. This happens because they don't look after their data properly, they don't put enough budget into security or educate their staff enough. The companies involved need to take responsibility.

http://www.pcgamesn.com/wot/playspan-se ... ild-wars-2

Personally I now use a different password for every site I sign up to, varying my normal one slightly based on the URL. It's not a huge step forward, but I can remember it and it stops one compromise affecting every account.
Thompy
Shambler In Drag
Shambler In Drag
Posts: 768
Joined: July 9th, 2010, 13:34

Re: *Yawn* Change your passwords again

Post by Thompy »

Dog Pants wrote:Personally I now use a different password for every site I sign up to, varying my normal one slightly based on the URL. It's not a huge step forward, but I can remember it and it stops one compromise affecting every account.
I do pretty much the same thing as I can't be arsed with password sites and what not. I have two words/numbers that I always use, combined with something related to the site which is easy to remember. I've been meaning to ask what people think of such a system, but I used the same goddamn password for every site until maybe a year ago so can't say I'm that concerned about it (I know, I'd think differently should the worst actually happen to me).
ProfHawking
Zombie
Zombie
Posts: 2101
Joined: February 20th, 2005, 21:31

Re: *Yawn* Change your passwords again

Post by ProfHawking »

I use lastpass for everything now. It saves me from any hassle when things like that happen, and also from having to think. :ignore:
FatherJack
Site Owner
Site Owner
Posts: 9597
Joined: May 16th, 2005, 15:31
Location: Coventry, UK
Contact:

Re: *Yawn* Change your passwords again

Post by FatherJack »

I've thought about developing a system, but that all goes to fuck when these clowns keep getting breached and I have to supply a new password, as any system I can think of relies on some combination of a root key plus a site-specific variant which in order for me to remember it must intrisically remain the same.

So I just end up reverting to 'password123' where the number of digits reflects the level of fail on the part of the service in question and I save an abbreviated copy in a text file - ie 'pw123'. Not exactly secure, but even something like Keepass is a bit of a ballache when you just want to see the list on-screen.

Anything with real, proper money attached, gets its own unique password and one chance - if compromised I'd rather ditch the account and make a new one, or certainly at least permanently remove any saved payment options. Even Steam.
Dog Pants
Site Moderator
Site Moderator
Posts: 21653
Joined: April 29th, 2005, 13:39
Location: Surrey, UK
Contact:

Re: *Yawn* Change your passwords again

Post by Dog Pants »

I resented giving EA a load of answers to personal questions for the SWTOR signup, because they'll only lose them and they're something I can't change. So I had fun with them instead. For them, my first pet was Cliffy B's prolapsed rectum.
FatherJack
Site Owner
Site Owner
Posts: 9597
Joined: May 16th, 2005, 15:31
Location: Coventry, UK
Contact:

Re: *Yawn* Change your passwords again

Post by FatherJack »

Dog Pants wrote:I resented giving EA a load of answers to personal questions for the SWTOR signup, because they'll only lose them and they're something I can't change. So I had fun with them instead. For them, my first pet was Cliffy B's prolapsed rectum.
Now that's a password reset clue I'd just have to ring up and demand they repeat back to me in a stentorian monotone even if I hadn't lost my password.
Joose
Turret
Turret
Posts: 8090
Joined: October 13th, 2004, 14:13
Location: The house of Un-Earthly horrors

Re: *Yawn* Change your passwords again

Post by Joose »

I had a ballache of a time remembering passwords and such, so i've started using 1Password. I'm now using massively long randomised strings*, each one unique to the thing i'm logging into. Its safe, I don't have to change all my passwords when something gets haxed, and because everything including generating the passwords can be done with copy-paste I wouldn't get bummed even if someone did manage to sneak a keylogger past me. I only have to remember the master password, which doesn't even have to be that complex because it would only be an issue if someone gets physical access to my computer. I love it.

*In case you dont believe me, one of my passwords was generated with the same settings as this:

=72B#4q{.VYZ(HG(Rv=23s?Mnur:28Uh*s;rj*4oXZ9h[#<trh

Excessive? Certainly! But why the hell not?
FatherJack
Site Owner
Site Owner
Posts: 9597
Joined: May 16th, 2005, 15:31
Location: Coventry, UK
Contact:

Re: *Yawn* Change your passwords again

Post by FatherJack »

Joose wrote:=72B#4q{.VYZ(HG(Rv=23s?Mnur:28Uh*s;rj*4oXZ9h[#<trh
I would love to always have passwords like that and for copy-paste to be the ubiquitous method by which I could input them. But in my work (which is with all sorts of customers, with all sorts of complifangled security edicts they must adhere to) I've found there's always that one time where you have to actually fucking type the bastard.

Like when you're TeamViewering a Remote Desktop of a Logmein connection through a VPN to a VNC connection, or more simply you don't have direct access and have to tell someone else what to type. Even much simpler supposedly 'just mstsc' connections are sometimes CTRL+V-blocked, so I just gnash my teeth and avoid anything too strenuous to replicate. *nix passwords pretty much always need to be typed.

Techincally you only need to include a few 'odd' characters to create a password as strong as your example, ie: "Hereismyreallyeasytoguesspasswordwithacoupleofcurlybrackets{}andthreestars***init" which is still no fun to type, but at least can be recalled. We used to use some famous, near-but-not-quite-correctly punctuated quotes from Star Wars as our master passwords at the university, and they became surprisingly easy to type after time - you only had to remember the phrase and the one-or-two crucial typos.

Security purists would say that if the password touches your clipboard, then all security is lost - "copy pasta is sicurezza perduta" (I made that up) with arguably less/equivalent security than the password being visible on your screen. Security purists also claim the only safe machine is one that has never been connected to a network, is switched off, broken and buried under 30ft of concrete so there's only so far you can take it.

It depends largely on trust. I still cringe and stop customers saying their passwords out loud, when I know what they are and just want confirmation of a few letters that I'm looking at the right one, but a lot of what makes the security guys cringe themselves is where untrusted or random employees could gain access to an unprotected list of user passwords. That seems more of an HR issue to me - don't hire or give any access to people you don't trust. Tesco got a beasting recently as their password reminders were being sent out in plain text, but can one really expect the average shopper to have to decode a hashtagged keycode signature via a web-based form when they can just create new account or register instead with Sainsbury's?

In my experience at least, the biggest threats aren't from overheard passwords, or even lists posted on the internet - it's from people using the exact same username/password combination on other, unhacked but more crucial sites where proper cash is involved. Even though the bots can try trillions of combinations a second, they still seem to rely mostly on these stolen lists, and adding even just one regular, random character to your stock password would keep them busy guessing for centuries, because they get enough good hits from everyone else's unchanged combinations to discard and not bother trying to decode your slightly modifed one - as for all they know you could have changed it to a monstrously complex one.

Doesn't mean they won't try in the future though, if they but looked at the XKCD comic on easily-computer-guessable passwords and applied it to their existing lists, then a lot of stuff would be compromised - but then maybe that's like spammers learning to spell or being able to string a sentence together.
Joose
Turret
Turret
Posts: 8090
Joined: October 13th, 2004, 14:13
Location: The house of Un-Earthly horrors

Re: *Yawn* Change your passwords again

Post by Joose »

FatherJack wrote:
Joose wrote:=72B#4q{.VYZ(HG(Rv=23s?Mnur:28Uh*s;rj*4oXZ9h[#<trh
I would love to always have passwords like that and for copy-paste to be the ubiquitous method by which I could input them. But in my work (which is with all sorts of customers, with all sorts of complifangled security edicts they must adhere to) I've found there's always that one time where you have to actually fucking type the bastard.
This is very true, and has lead to the me having significantly better passwords for my personal stuff than me work stuff. Still, it's better than nothing.
TezzRexx
Dr Zoidberg
Dr Zoidberg
Posts: 4072
Joined: February 8th, 2005, 15:54
Location: BURMINGHUM, England
Contact:

Re: *Yawn* Change your passwords again

Post by TezzRexx »

FatherJack wrote:
Joose wrote:=72B#4q{.VYZ(HG(Rv=23s?Mnur:28Uh*s;rj*4oXZ9h[#<trh
I would love to always have passwords like that and for copy-paste to be the ubiquitous method by which I could input them. But in my work (which is with all sorts of customers, with all sorts of complifangled security edicts they must adhere to) I've found there's always that one time where you have to actually fucking type the bastard.

Like when you're TeamViewering a Remote Desktop of a Logmein connection through a VPN to a VNC connection, or more simply you don't have direct access and have to tell someone else what to type. Even much simpler supposedly 'just mstsc' connections are sometimes CTRL+V-blocked, so I just gnash my teeth and avoid anything too strenuous to replicate. *nix passwords pretty much always need to be typed.
All of this. TeamViwer-ing to remote desktop via VPN has always made me lawl.
Dog Pants
Site Moderator
Site Moderator
Posts: 21653
Joined: April 29th, 2005, 13:39
Location: Surrey, UK
Contact:

Re: *Yawn* Change your passwords again

Post by Dog Pants »

I agree with FJ about the low hanging fruit keeping us safer. Small changes won't stop a determined hacker, but it will stop the majority of random half arsed attempts.
Post Reply