Planetarion Forums

Planetarion Forums (https://pirate.planetarion.com/index.php)
-   Planetarion Suggestions (https://pirate.planetarion.com/forumdisplay.php?f=95)
-   -   Security Risk (https://pirate.planetarion.com/showthread.php?t=199346)

[DDK]gm 26 Mar 2011 21:27

Security Risk
 
With the move to email being used for login we must have SSL for the login process as it is putting players at a higher risk.

Will this be sorted soon?

Mzyxptlk 26 Mar 2011 22:00

Re: Security Risk
 
..what?

Influence 26 Mar 2011 22:28

Re: Security Risk
 
Sending your e-mail address over a non-secured connection is considered highly vulnerable by pretty much everyone in the security community. Especially when it comes to using them in logins.

Mzyxptlk 26 Mar 2011 22:30

Re: Security Risk
 
Bullshit.

DoDDy 27 Mar 2011 12:30

Re: Security Risk
 
Quote:

Originally Posted by Influence (Post 3205760)
sending your e-mail address over a non-secured connection is considered as highly vulnerable to pretty much everyone in the security community. Especially when it comes to using them in logins.

Well technically, yes.... and given the fact most people use the same password......

However, anyone with the know-how of obtaining your details would probably not bother with cracking PA to obtain them as there is no real financial gain from it.

Imagine your empty shed with no lock, you wouldn't worry about things getting stolen :)

Mzyxptlk 27 Mar 2011 12:35

Re: Security Risk
 
Quote:

Originally Posted by DoDDy (Post 3205786)
most people use the same password.

That is the security risk.

Influence 27 Mar 2011 13:28

Re: Security Risk
 
Quote:

Originally Posted by DoDDy (Post 3205786)
However, anyone with the know-how of obtaining your details would probably not bother with cracking PA to obtain them as there is no real financial gain from it.

The thing is that you don't need to crack PA in order to obtain unencrypted data from the data stream between the user and PA. You can use a simple packet sniffer to analyze the data packets sent over the network. This is a practice that is commonly used on open and public (wireless) networks.

And given the fact that people always use the same password (for reasons of ease), adding another 'fixed' field in the login process is frowned upon. Especially over unencrypted connections.

Mzyxptlk 27 Mar 2011 14:50

Re: Security Risk
 
God, you are absolutely ****ing clueless. Using an email address instead of a user name makes no difference whatsoever. If that's what your security policy depends on, you are already well and truly ****ed.

Sebos 27 Mar 2011 16:30

Re: Security Risk
 
However, I bet you have no problems using it for something else? Also, how hard is it to use a different password :p

The simple fact is that you will be the security risk, not someone knowing your e-mail. The problem is not whether the site is secure etc.; the problem is the user.

budious 27 Mar 2011 18:27

Re: Security Risk
 
I might agree to an extent that if I was using my [email protected] format email to access PA from an unencrypted public network, SSL would be an added benefit. However, the password argument is entirely user subjective and your responsibility.

You should be aware of the risk of sharing passwords between any website or Internet service, and eliminate it as often as possible by using different passwords. Complexity of your password should be determined by your evaluation of the risk of damage if your account is accessed on a particular service by an unauthorized individual. I'm going to put an extremely complex password but one that I can remember and type it in manually on my banking service, but for PA I'll just save the default randomly generated password emailed to me by PA to my web browser.

My recommendation is, if you're not comfortable using a personally identifiable email address without SSL because you use a public unencrypted network for PA access, then you should sign up with a secondary email account that obscures those details.

MrLobster 17 Aug 2011 12:50

Re: Security Risk
 
A good way to do passwords is to use a phrase.

e.g. "i love pa"

Having it relevant to the website helps in remembering it.

However having SSL as an option is good.

Even if you use different passwords for websites, your email is still on display. Then it's open to phishing attacks, and spam.

Mzyxptlk 17 Aug 2011 12:54

Re: Security Risk
 
"i love pa" is a bit on the short side, but yes, phrases are easier to remember than arbitrary strings of characters. A related approach is to use a sentence and pick the first letter of each word.

MrLobster 17 Aug 2011 12:56

Re: Security Risk
 
While the first-letter approach is even better, trying to remember that in a pinch is a lot harder.

Mzyxptlk 17 Aug 2011 13:52

Re: Security Risk
 
Password management is not a solvable problem, anyway, not without serious help from technology. Users cannot be expected to remember anywhere between 15 and 50 completely different passwords. So people use sticky notes on their monitor, or the same password everywhere, or '123456'. We clever people then laugh at them and call them stupid for engaging in such laughably bad practices, but forget that we were the ones who originally forced them into a dumb system. When giving people dirt, don't expect cathedrals.

Thankfully, we've now reached a point at which every browser can securely store an infinite number of passwords, no matter how hard to remember they are. There's still a single point of failure (like using the same password everywhere), but the master password can only be entered locally, making it much harder to get at. And asking people to remember one high quality password is a hell of a lot more reasonable than asking them to remember twenty of them.

None of that has anything to do with PA, though.

Zeyi 17 Aug 2011 18:57

Re: Security Risk
 
Your password management post reminded me of: http://imgs.xkcd.com/comics/password_strength.png

:)

SSL should be implemented regardless, unless you have a damn good reason why less security is better than more security. If the reason is PA team will take 4 years to do it, then that's pretty much assumed on every suggestion anyway and has nothing to do with the suggestion at hand.

I'm not even sure Netgamers supports SSL, which is pretty dire. I've certainly not seen it written anywhere which is why I've never tried.

Mzyxptlk 17 Aug 2011 20:30

Re: Security Risk
 
That comic has been going around lately. I don't agree with the actual idea; all these cute little remember-your-password schemes work, but only until you have about 5 of them, and then the schemes become just as much effort to remember as Tr0b4dor3&: "What was it again, something with a horse, and it being correct about something? A box?". What the comic has done, though, is make people (me) realise that passwords are a broken idea.

As for SSL.. Yeah, you know, it'd be nice to have, but honestly, no one is going to bother cracking your PA password. Have you ever heard of it happening? I sure haven't. There's just nothing in it for anyone. It would be more useful on IRC, but there too, there's very little to gain by tapping into someone's IRC traffic. It's not like we're under surveillance by the FBI or something.

MrLobster 18 Aug 2011 00:01

Re: Security Risk
 
Just because you're paranoid doesn't mean someone's not after you....

ellonweb 18 Aug 2011 01:04

Re: Security Risk
 
If you have nothing to hide.... **** you if you're doing illegal shit.

Bowlsey 18 Aug 2011 02:33

Re: Security Risk
 
SSL is an easy win. It doesn't have any ramifications of implementing and gives users better peace of mind. When PA changed to email login, I created a new email for it.... I don't want my personal email address known, I don't want to be spammed or anyone trying to hack it...

All this talk about using a better password or whatnot is moot... SSL has lots of benefits and zero negatives...

To me this is a no brainer implementation.
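The "easy win" argued for in this thread is, on the server side, refusing to treat credentials that arrived over plain HTTP as a login at all. This is an added example, not Planetarion's code: a constructed WSGI-style handler (names such as handle_login and the environ keys for the proxy are assumptions) that redirects plaintext login attempts to the https form, honours a proxy's X-Forwarded-Proto header only when the deployment declares that proxy trusted, and sets HSTS plus a Secure cookie on success.

```python
import secrets
from urllib.parse import urlunsplit

# Added example, not Planetarion's code: a WSGI-style login handler that never
# processes credentials that arrived over plain HTTP. Names are hypothetical.

HSTS = "max-age=31536000; includeSubDomains"


def arrived_over_tls(environ, trusted_proxy=False):
    """True only if this request came in over TLS.

    wsgi.url_scheme is set by the server itself. X-Forwarded-Proto is a
    client-controllable header unless a trusted reverse proxy overwrites it,
    so it is only honoured when the deployment says the proxy is trusted.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return bool(trusted_proxy and environ.get("HTTP_X_FORWARDED_PROTO") == "https")


def handle_login(environ, form, check_credentials, trusted_proxy=False):
    """Return (status, headers, body) for a POSTed login form.

    Plaintext submissions are not examined at all: the credentials are
    already exposed on the wire, and accepting them would also hand the
    resulting session cookie to anyone sniffing that network segment.
    """
    if not arrived_over_tls(environ, trusted_proxy):
        host = environ.get("HTTP_HOST", "localhost")
        path = environ.get("PATH_INFO", "/login")
        form_url = urlunsplit(("https", host, path, "", ""))
        # 303 makes the browser GET the https form instead of re-POSTing.
        return "303 See Other", [("Location", form_url)], b""

    headers = [("Strict-Transport-Security", HSTS)]  # pin browsers to https
    if not check_credentials(form.get("email", ""), form.get("password", "")):
        return "401 Unauthorized", headers, b"login failed"

    session_id = secrets.token_urlsafe(32)
    # Secure: never sent over http. HttpOnly: not readable by page scripts.
    cookie = f"sid={session_id}; Secure; HttpOnly; SameSite=Lax"
    headers.append(("Set-Cookie", cookie))
    return "200 OK", headers, b"logged in"
```

Serving the login form itself only over https (or redirecting the form page the same way) is what keeps credentials off the wire in the first place; this handler is the backstop for clients that still post in the clear.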

Mzyxptlk 18 Aug 2011 04:26

Re: Security Risk
 
Of course there are negatives. A certificate costs money, installing mod_ssl costs time, and HTTPS traffic requires more CPU time than plain HTTP.

Also wow that avatar looks a lot like Assassin's.

ellonweb 18 Aug 2011 13:40

Re: Security Risk
 
You had to submit your email in the old registration as a way of validation; no one complained back then.

Bowlsey 18 Aug 2011 23:39

Re: Security Risk
 
You don't have to pay for a certificate, you can create your own. The increase in HTTPS traffic for a browser game like PA is minimal.

And yes, my avatar was from when I last played PA, back when I was a part of Jenova. Assassin's is a vts Penguin if I remember correctly, not quite the same :)

I have no problems submitting my email for registration, that is one-off. Having to submit it every time I log in, however, is more of a risk.

Mzyxptlk 19 Aug 2011 07:53

Re: Security Risk
 
Quote:

Originally Posted by Bowlsey (Post 3209521)
You don't have to pay for a certificate, you can create your own. The increase in HTTPS traffic for a browser game like PA is minimal.

You misunderstood: the CPU time required to encrypt pages and (to much lesser extent) decrypt requests was one of the problems I referred to. The increase in the amount of data is indeed negligible. There is an increase in page load times, though.

With HTTPS, your phone battery would last a little shorter (communication is energy intensive), the server would need/use a fair bit more processing power, some time should be invested to add mod_ssl to Apache (or whatever web server they use) and pages would load half a second slower; none of that is particularly world-shattering, though all are a nuisance.

All that said, I have yet to see any good reason why you would possibly need HTTPS for PA: do you really think there's anyone who cares about your PA account or activity?

Quote:

Originally Posted by Bowlsey (Post 3209521)
I have no problems submitting my email for registration, that is one-off. Having to submit it every time I log in, however, is more of a risk.

Why is that a risk?

ellonweb 19 Aug 2011 18:12

Re: Security Risk
 
Quote:

Originally Posted by Bowlsey (Post 3209521)
You don't have to pay for a certificate, you can create your own.

Quote:

Originally Posted by Bowlsey (Post 3209521)
I have no problems submitting my email for registration, that is one-off. Having to submit it every time I log in, however, is more of a risk.

Accessing "secure" websites that have generated their own SSL certificates rather than one generated by a known signing authority is far more risky behaviour than submitting your email every time you login.

vuLgAr 21 Aug 2011 23:12

Re: Security Risk
 
this thread made me giggle :D

Judge 28 Aug 2011 20:05

Re: Security Risk
 
You do not know the half of it:

The MH team, including me at the time, had access to the server where we could see every player's details: real name, real location (city/town, country; although addresses were not there), email addresses, IP addresses, the browsers they used, and a whole host of other useful stuff for the unscrupulous.

The really worrying part is that most of the people who have access to this information are not required to sign a legally enforceable non-disclosure agreement; they just have to verbally agree on IRC to not leak it.

It makes you wonder who is getting your personal information?

Mzyxptlk 28 Aug 2011 21:18

Re: Security Risk
 
"Verbally agree on IRC" is not a thing. Not that it matters, verbal agreements are just as binding as written ones. Not that that matters either, because there is in fact a written agreement, the NDA for multihunterdom is printed and mailed or faxed back.

I'm not sure if you could be more wrong if you tried.

Gabriel 28 Aug 2011 21:36

Re: Security Risk
 
https://lastpass.com/

Pimp your password

Banned 28 Aug 2011 21:50

Re: Security Risk
 
Quote:

Originally Posted by Judge (Post 3209734)
You do not know the half of it:

The MH team, including me at the time, had access to the server where we could see every player's details: real name, real location (city/town, country; although addresses were not there), email addresses, IP addresses, the browsers they used, and a whole host of other useful stuff for the unscrupulous.

The really worrying part is that most of the people who have access to this information are not required to sign a legally enforceable non-disclosure agreement; they just have to verbally agree on IRC to not leak it.

It makes you wonder who is getting your personal information?

Odd. I was given a non-disclosure agreement to sign before I could even start training as an MH. I never signed it, no training.

That said, the disclosure of the above information is not necessarily a terrible act of awfulness. It depends on what the tools are like. If the MHs can do data mining that lets them search for nicks and find addresses, that's not great (in fact it would make me glad I started avoiding using my real nicks in-game).

Anyway, relevant: Jagex's privacy policy. Specifically:
Quote:

We care about protecting your privacy, and with the exception of the uses specified above, we will not sell, transfer, rent out, share or disclose your personally identifiable information to other companies.

Judge 29 Aug 2011 15:26

Re: Security Risk
 
Quote:

Originally Posted by Mzyxptlk (Post 3209739)
"Verbally agree on IRC" is not a thing. Not that it matters, verbal agreements are just as binding as written ones. Not that that matters either, because there is in fact a written agreement, the NDA for multihunterdom is printed and mailed or faxed back.

I'm not sure if you could be more wrong if you tried.


Once again talking out of your proverbial about something you know nothing about.

There may well be a written agreement, I was never sent one, nor was I ever required to sign it.

I asked specifically at the time I joined the "team" if they were going to send it to me, so I could sign it and agree to it, Ace replied that it was not a requirement, and that only senior admin staff and employees were obliged to sign it.

What the situation is now, I have no idea, but that is how it was.

Mzyxptlk 29 Aug 2011 15:28

Re: Security Risk
 
Ah yes, complaining about how things used to be. Very helpful. For someone who admits he has "no idea", you seem awfully eager to tell me I know nothing about it.

I am amused.

Judge 29 Aug 2011 15:30

Re: Security Risk
 
Quote:

We care about protecting your privacy, and with the exception of the uses specified above, we will not sell, transfer, rent out, share or disclose your personally identifiable information to other companies.

As I am not an employee of Jagex, their policy is of little interest to me; had I chosen to (and I won't confirm one way or another) I could have garnered that information and sold it to anyone who was interested, or just published it for the hell of it.

Either way there would be little Jagex or anyone else could do about it, or to me.

Kargool 29 Aug 2011 15:48

Re: Security Risk
 
Quote:

Originally Posted by Judge (Post 3209815)
As I am not an employee of Jagex, their policy is of little interest to me; had I chosen to (and I won't confirm one way or another) I could have garnered that information and sold it to anyone who was interested, or just published it for the hell of it.

Either way there would be little Jagex or anyone else could do about it, or to me.

And my cock is effing huge.

Put up or shut up.

Judge 29 Aug 2011 18:47

Re: Security Risk
 
Quote:

Originally Posted by Kargool (Post 3209816)
And my cock is effing huge.

Put up or shut up.


A typical response from the "Village Idiot"

Kargool 29 Aug 2011 19:40

Re: Security Risk
 
No, a typical response from the village idiot would be to make veiled threats about disclosing everyone's private information, or to make himself look more important than he actually is.
