HittingSmoke
08-19-2009, 03:13 PM
I've noticed this more and more lately, especially since the rise in popularity of mainstream MMOGs. The problem? The game refusing to save your password for you. I think this is a particularly big issue with STO as, if the other thread on user name displays is true, everyone's account logins will be readily available to anyone who can see them in game.
I don't remember playing an MMOG before the SOE Station launcher was introduced that wouldn't save my password. Since then it seems commonplace to have no option to keep a password saved, which, contrary to popular opinion, is a huge security hole. Before you post that I'm a moron because stored passwords are a security risk, let me enlighten you as to some of the more complex issues of password security that go far beyond whether they're saved locally or not.
We'll start with the obvious culprit that leads to most password theft, malware. Here's an example.
When you first create your WoW account there's a small chance you already have a virus that's going to log your keystrokes. The first time you log in your chances aren't increased much because it's probably very close to the time you create your account. So let's say that this time you select the "save password" option, which encrypts and stores your password for next time. You've greatly reduced your risk of getting your password nabbed in the future by some piece of malware because the next time you log in there are no keystrokes to record. You'd only be at risk each time you reinstalled the game.
However, the way it works in WoW is you have to input your password each time you start the game. This means that if anywhere down the line in your WoW adventures, you pick up a piece of malware that aims to steal your password, you're screwed. The more often you put in your password, the more you are at risk.
The second and less obvious security risk posed by this system is password complexity.
Most people don't use very complex passwords as it is, but having to type it every time you log in discourages things like mixed-case alphanumeric passwords, which are the only kind that should ever be used. This opens up the door for a flood of social engineering and is also where the problem with STO account names being available in game comes into question. Here's an example.
I'm an older STO player who knows the ropes. I try to find a new, young player just starting out who needs a hand. I meander around casually chatting with players asking if they need any help until I find someone who fits the profile of young and technologically naive. I find my mark, write down the account name, add them as a friend and move on.
I could spend hours or days honestly helping this person out with great game advice while earning his friendship and respect until casually shifting a conversation one day during some down time to more personal topics. Over time, with the right person I could easily obtain pet names, first names of crushes at school, favorite bands, TV shows, movies and favorite characters in them. In games I've played in the past I've always tried to be very helpful to new players and in some cases have taken entire groups out to help with missions and just learning the game. You'd be amazed at how personal conversations in the groups would get at times, especially when friends would come in together and would talk casually to each other as if no one else was listening in.
I now have a pretty good database of info that very likely contains this person's password. A couple hours of mix and match guessing with decent typing skills and you have a decent chance of getting into someone's account. Most people who take the minimal precautions just add the last two digits of the year they were born or the year they made the account. How hard is it to get this info and tag it on to a second round of searches for this person's password?
Back when I was a kid and still learning, all of my passwords were cartoon character names. Of course this was back when malware wasn't a real word and viruses focused on causing functional damage as opposed to stealing information or promoting spam so it wasn't much of an issue. Social engineering was not a common term or practice back then either.
In the new age of malware, information is currency and the easiest way to obtain it is to have it handed to you on a silver platter. Obtaining a locally stored and encrypted password is infinitely more complicated than just getting someone to install an .exe file that logs keystrokes or sitting and BSing for a few hours to obtain enough personal information to make some educated guesses.
This all falls under the category of people just being ignorant of basic security measures, but unfortunately that ignorance encompasses a huge majority of internet users. You can pound into people's heads the simple ways to avoid getting infected with malware, or how important it is to create complex passwords, but many will never learn. Giving people the option to have their passwords saved locally will help encourage stronger passwords that are less likely to be guessed or just given away.
So, Cryptic, can we see some better password management with STO than we've seen with MMOGs of the recent past? It's not just a minor inconvenience; it encourages laziness and poor security. I support the availability of forum names in game in the interest of accountability, but I would hate to see this open the door for account, or worse, identity thieves.
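The "mix and match guessing" the post describes, as an added example that is not part of the original post and not code from Cryptic or any game client: a small targeted-wordlist generator that takes the kind of facts gathered in chat (pet name, crush's first name, favourite band, show, character) and combines them with the cheap suffixes the post mentions (two-digit or full birth year, account-creation year, "1", "123", "!"), then runs the candidates against a stand-in for the login check. All facts, years and passwords below are constructed for the example. The hash function stands in for whatever check the real login performs; the thing being measured is the number of attempts, which is what matters whether the guessing happens at a login prompt or against a leaked hash.

```python
import hashlib
import itertools
import os
from typing import Iterator, List, Optional, Tuple

# Constructed example data: the sort of facts the post says a friendly "helper"
# can coax out of a new player. Invented values, not anyone's real details.
GATHERED_FACTS = ["Sparky", "Jessica", "Metallica", "Picard", "Firefly"]
BIRTH_YEAR = 1993
ACCOUNT_YEAR = 2009


def case_variants(word: str) -> Iterator[str]:
    """The few casings a person is likely to have typed at the login prompt."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def suffixes(birth_year: int, account_year: int) -> Iterator[str]:
    """The 'minimal precaution' suffixes from the post: last two digits or the
    full year of birth or of account creation, plus the cheapest common tails."""
    yield ""
    for year in sorted({birth_year, account_year}):
        yield str(year)[-2:]
        yield str(year)
    for extra in ("1", "123", "!"):
        yield extra


def candidates(facts: List[str], birth_year: int, account_year: int) -> Iterator[str]:
    """First round: one fact in a few casings plus a suffix.
    Second round: two facts joined (pet + crush, band + character, ...) plus a suffix.
    Duplicates are suppressed so the attempt count stays honest."""
    bases: List[str] = []
    for fact in facts:
        bases.extend(case_variants(fact))
    for a, b in itertools.permutations(facts, 2):
        bases.append(a.lower() + b.lower())
        bases.append(a.capitalize() + b.capitalize())
    seen = set()
    for base in bases:
        for suffix in suffixes(birth_year, account_year):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def store_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the server-side credential check (an assumption for this
    example; the real service's storage is unknown). A real service should use a
    slow salted hash such as bcrypt, scrypt or Argon2; SHA-256 is used here only
    to keep the example dependency-free. The guess below succeeds because the
    password is guessable from gathered facts, not because the hash is fast."""
    return hashlib.sha256(salt + password.encode()).digest()


def guess_password(stored: bytes, salt: bytes, facts: List[str],
                   birth_year: int, account_year: int) -> Tuple[Optional[str], int]:
    """Try every candidate in order; return (password, attempts) on a hit,
    or (None, attempts) once the whole targeted list is exhausted."""
    attempts = 0
    for cand in candidates(facts, birth_year, account_year):
        attempts += 1
        if store_password(cand, salt) == stored:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    salt = os.urandom(16)
    # A password built exactly the way the post warns about: pet name + birth year.
    weak = store_password("Sparky93", salt)
    print(guess_password(weak, salt, GATHERED_FACTS, BIRTH_YEAR, ACCOUNT_YEAR))
    # A mixed-case alphanumeric password unrelated to anything said in chat
    # (a constructed placeholder, not a password to reuse).
    strong = store_password("qT7vLp2xR9mK", salt)
    print(guess_password(strong, salt, GATHERED_FACTS, BIRTH_YEAR, ACCOUNT_YEAR))
```

With five gathered facts the whole list is only 440 candidates, and the pet-name-plus-year password falls on the tenth attempt; the unrelated mixed-case password survives the entire list. A defender reading this would note that the same list also makes a cheap blocklist check at password-creation time, and that rate limiting or lockout on the login prompt is what turns "a couple hours of typing" into an impractical number of attempts.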