
Account Security & You



Apparently forum search didn't turn up anything other than this:
https://forums.pokemmo.eu/index.php?/topic/76302-no-newly-implemented-abilitiesitems-this-update

 

So what do you know about this?

I'm only a professional IT security expert that does this for a living, but who cares right?

Well, if you care at all about your game accounts or any other type of accounts (PSN, XboxLive, etc), or if you're older and have bank accounts and such, all of you should have at least an idea of what's going on.

We have to answer two simple things:  What is going on and Why should anyone care?

 

What's going on?

Account compromise/thefts/cyberbreaches (bad stuff) have become far more commonplace, unreported (mostly), and are affecting even large major corporations.  They've also become really sophisticated (smarter), using custom-written malware (viruses and stuff).

This costs a lot of money for those affected to figure out the cause, repair the damage, and try to prevent it in the future.

This affects gaming as well from Battle.net accounts (Blizzard) for WoW all the way down to something like PokeMMO that a majority of players just play for fun casually (according to the community survey).

 

Why should I care?  I'm not a target right? My stuff isn't worth anything to them so why bother?

I hear this a lot unfortunately.

As for gaming, you should care if you don't want your gaming accounts to go poof and have to sit and deal with support (try contacting Microsoft or Sony for help, good luck waiting hours/days).

If your stuff is compromised (taken over) then you should also worry about people impersonating you to do potentially illegal things, and you could end up with the police at your door with an arrest and/or search warrant.

Trust me when I say that is not a pleasant experience.  Not at all.  Happened to my parents because they thought they didn't need security and 'they were not a target'.  Some assholes parked a white windowless van (might as well say 'Free Candy') and hacked into our (weakly secured) home WiFi to perform illegal activities (which I won't mention in detail to keep things PG).  It was a wake-up call when the FBI team came knocking.

Even if you are innocent?  You still have to waste time and effort cleaning up the mess caused by others.

Ironically just a week before this incident, I'd offered to beef up security and use WPA2 WiFi with a strong password instead of their system of WPS.

To use a metaphor they were protecting the WiFi with a closed and unlocked door instead of an electrified fence guarding the deadbolted door with spikes on it.

 

Again why does any of this matter?

How much is the potential time and hassle worth to you?  Do your parents handle everything and you think they won't care when things happen?  Do you like randomly losing access to games or not being able to play online?  Having 'random' slowdowns on your computer due to malware?

If you live life wondering 'why bother' then maybe try not washing your hands (ever) for a week and see how that goes.  I mean they're 'just' germs right?  Why bother? :P

 

What do I do about it?

For now, create and use super-strong passwords that you access by remembering ONE master password to unlock the rest.

I recommend using BitWarden: https://bitwarden.com
 

It is (really) free, open source, and lets you sync and use on multiple devices including mobile.

It is easy to use and user-friendly.  I don't get paid to say any of this (lol I wish) but they're pretty damn awesome.  I've always disliked recommending LastPass to anyone because they're so secret and closed-source.

They can offer to host for organizations and businesses, so that's how they make their money.  Since it is open-source, if they ever go down someone else can easily do hosting, or people can self-host on their own using free accounts to sync data.

Unlike LastPass (closed-source) and KeePass (no easy way to sync), this is a nice way to do things.

Everything is stored locally and a copy is sync'd on their servers in a way they can't access.  Just an encrypted blob of data.

If they're hacked, the data is worthless to them.  If you have no internet and only mobile and you last sync'd a day ago you'll still be able to access your local data.

And for those still worried about security you can always use an alternative.

Best alternative to BitWarden that I've found is KeePassWeb if you want to do everything yourself and trust nobody else.

 

I still don't care about any of this!  WALL OF TEXT CRITZ MEEEE111!!!

Oh whelp.  I tried.  Enjoy living on the edge of insanity! :)

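As an added illustration (not code from this post, and not Bitwarden's own code), here is a small Python model of the design the post describes: one master password unlocks everything, the vault lives locally, and the sync server only ever receives an encrypted blob plus a one-way login hash that cannot be turned back into the key. Everything in it is a simplification chosen for this example: the KDF iteration count is low so it runs quickly, the HMAC-SHA256 counter-mode keystream stands in for an audited AEAD such as AES-GCM, the e-mail address is used as the KDF salt, and the vault contents and account names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for the master-password KDF. Kept low here so the example runs
# quickly; a real manager uses a much higher count (or a memory-hard KDF).
KDF_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_master_key(email: str, master_password: str,
                      iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit master key.

    The e-mail acts as a per-user salt, so two users with the same password
    get different keys and a precomputed table is useless against the blob.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def auth_hash(master_key: bytes, master_password: str) -> str:
    """One-way login token sent to the server instead of the password.

    It is derived from the master key, not the other way round, so the
    server (or anyone who dumps its database) cannot recover the key.
    """
    return hashlib.pbkdf2_hmac("sha256", master_key,
                               master_password.encode("utf-8"),
                               1, dklen=32).hex()


def _subkeys(master_key: bytes):
    # Separate keys for encryption and authentication, derived with HMAC.
    enc_key = hmac.new(master_key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative
    # only; a production manager uses an audited AEAD such as AES-GCM).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the vault. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; return None (no plaintext at all) if it fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = (blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN],
                              blob[-TAG_LEN:])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def server_record(email: str, master_password: str, vault_json: bytes) -> dict:
    """Everything the sync server ever sees for this user."""
    master_key = derive_master_key(email, master_password)
    return {"email": email,
            "auth_hash": auth_hash(master_key, master_password),
            "blob": encrypt_vault(master_key, vault_json)}


if __name__ == "__main__":
    # Constructed sample vault; e-mail and passwords are placeholders.
    vault = b'{"pokemmo": "Correct-Horse-42", "psn": "Battery-Staple-7"}'
    rec = server_record("player@example.com", "correct horse battery staple", vault)
    print("server stores auth_hash:", rec["auth_hash"][:16], "...")
    print("server stores blob of", len(rec["blob"]), "bytes, no key")
    key = derive_master_key("player@example.com", "correct horse battery staple")
    print("client with master password decrypts:", decrypt_vault(key, rec["blob"]))
    bad = derive_master_key("player@example.com", "wrong password")
    print("wrong master password yields:", decrypt_vault(bad, rec["blob"]))
```

The point the post makes about a breached provider follows directly from `server_record`: the only secrets that leave the device are `auth_hash`, which is one-way, and `blob`, which is useless without the master key; an attacker holding both still has to run the slow KDF once per password guess, which is exactly why the master password has to be the one strong secret you memorize.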

Honestly I don't care. Also, I'll never trust a company that "protects passwords" because the moment someone figures the master password out, they'll have access to all passwords. Especially if it is open source.

11 minutes ago, Perreh said:

Lastpass.com > physical notebook noob

It really isn't though. The notebook I use is one that I used for school; so it's full of random notes. About 1/4th of the way through, I've erased the contents and replaced with passwords and stuff. This way, if a random person opens to the first page, or somewhere in the middle, they'll just think it's a crummy school notebook and will toss it to the side.

I believe this is a better way to store passwords than giving all my passwords to some random 3rd party on the internet to "keep safe" for me. Cause we all know how good 3rd parties are at keeping sensitive digital information safe *cough* equifax *cough*.


i came here expecting to shit talk @Daedalus007 but surprise surprise all his info is pretty spot on. the only vulnerability to lastpass/bitwarden/etc beside the obvious brute force is if your computer/phone is compromised; then accessing your passwords gives them everything. but if you're rooted you are kinda fucked anyways.

it's like having to be inside a house to pick the lock.

1 minute ago, fredrichnietze said:

i came here expecting to shit talk @Daedalus007 but surprise surprise all his info is pretty spot on. the only vulnerability to lastpass/bitwarden/etc beside the obvious brute force is if your computer/phone is compromised; then accessing your passwords gives them everything. but if you're rooted you are kinda fucked anyways.

Not entirely true, I use Lastpass for work and it forces you to re-authenticate it every 30 days, can be set to be sooner than that too iirc, so it's pretty nice - and if you want you can have your account set up with only login info but you can't view that info without actually having a master password, or it can be set to just not be viewed period by someone who is an administrator (a lot of companies do it this way)

2 minutes ago, Parke said:

Not entirely true, I use Lastpass for work and it forces you to re-authenticate it every 30 days, can be set to be sooner than that too iirc, so it's pretty nice - and if you want you can have your account set up with only login info but you can't view that info without actually having a master password, or it can be set to just not be viewed period by someone who is an administrator (a lot of companies do it this way)

even if you the user can't see the information, it is there and it is being sent through your browser. all the rootkit has to do is grab it from RAM before it gets encrypted and hashed, or lie to lastpass with a fake request from "pokemmo server i promise".

2 hours ago, Gilan said:

I personally prefer to keep all my passwords written in a physical notebook that I keep in a safe place.

 

1 hour ago, Gilan said:

It really isn't though. The notebook I use is one that I used for school; so it's full of random notes. About 1/4th of the way through, I've erased the contents and replaced with passwords and stuff. This way, if a random person opens to the first page, or somewhere in the middle, they'll just think it's a crummy school notebook and will toss it to the side.

I believe this is a better way to store passwords than giving all my passwords to some random 3rd party on the internet to "keep safe" for me. Cause we all know how good 3rd parties are at keeping sensitive digital information safe *cough* equifax *cough*.

Good evening @Daedalus007, Gilan and I use the exact same equipment to store usernames and passwords. I am a bit old school, so I write down most of my information in a notebook with a pencil or pen. It is a tiny notebook, so I can cram it into my pocket when I travel (and it fits very snugly so it has a strong likelihood of not slipping out of my pocket). The only difference is that Gilan's book is a physical notebook and mine is an unused planner from 2015-16 that was converted into my account database. Other than account info, I have the badge level caps listed in case I bump into newer players that need assistance. 

 

I guess you can say that @Gilan and I guard our notebooks/planners like Fort Knox.


Don't get me wrong; I'm paranoid enough to be wary of just about everything, but the convenience of setting up and auto-syncing the kinds of passwords that would take centuries to brute-force, the kinds of passwords that I don't have to look up or recall or (potentially) lose to fire or theft or carelessness...

 

I've memorized my master password and that unlocks all the rest.  If you want to keep the sole copy of your passwords in a physical medium that can be destroyed, lost, stolen, discarded, or otherwise messed up (simple water will ruin it) then have at it.

 

For those who don't trust password-locker web services, might wanna stop using Windows while you're at it :P

BitGuardian is pretty good, though KeePass is also a useful offline FLOSS program as well.

 

Stick with manually writing down and utilizing easily-bruteforced passwords for everything and trying to store and organize and backup and keep track of it all yourself.  I'll be happy using an auto-sync'd service instead.  Most of the responses in this thread come from people who have no idea how things work or how they're done so I won't bother responding to them individually.  LastPass is ok but the closed-source proprietary nature of it means I trust it less than something which is public open-source instead.  Open-source cryptography is just going to always be better IMHO.

9 minutes ago, Daedalus007 said:

Don't get me wrong; I'm paranoid enough to be wary of just about everything, but the convenience of setting up and auto-syncing the kinds of passwords that would take centuries to brute-force

quantum computers already work, the first consumer model is already for sale, it won't be too long until they are powerful enough to brute force any password within minutes.

29 minutes ago, fredrichnietze said:

quantum computers already work, the first consumer model is already for sale, it won't be too long until they are powerful enough to brute force any password within minutes.

That's not entirely true though, while quantum means that asymmetric crypto is doomed that's not the case for symmetric. The best known search algorithm in quantum can only achieve a 2x speedup and they already think that's a solid bound. Just stop using 128-bit keys and the NSA won't be able to sniff your emails for the next 100 years.

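Added example, not from any post in this thread: a short Python estimator that puts numbers on the "centuries to brute-force" claim earlier in the thread and on the quantum exchange just above. Grover's algorithm searches an unstructured space of N candidates in about sqrt(N) evaluations, so it halves the effective bit strength of a random password or symmetric key (128 bits behave like 64, 256 like 128), which is the reasoning behind moving to 256-bit keys. The guess rates below are constructed assumptions for the arithmetic, not measurements of real hardware, and the "Grover" column simply reuses the classical rate as an upper bound on what a quantum adversary could ever do.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed guess rates used only to make the arithmetic concrete.
FAST_HASH_GUESSES_PER_SEC = 1e11   # assumed GPU rig vs. an unsalted fast hash
PBKDF2_GUESSES_PER_SEC = 1e6       # assumed same rig vs. a slow, iterated KDF


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly at random
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a random passphrase. The attacker is assumed to know the
    word list, so each word counts as one symbol, not as its letters."""
    return words * math.log2(wordlist_size)


def grover_effective_bits(bits: float) -> float:
    """Grover's algorithm finds a preimage in about sqrt(N) evaluations, so
    an n-bit search space costs roughly 2**(n/2) quantum queries."""
    return bits / 2


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried (the average is half of this)."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def estimate(bits: float, guesses_per_second: float) -> dict:
    """Full-search time in years, classically and with a Grover speedup."""
    return {
        "bits": bits,
        "classical_years": years_to_exhaust(bits, guesses_per_second),
        "grover_years": years_to_exhaust(grover_effective_bits(bits),
                                         guesses_per_second),
    }


def report(label: str, bits: float) -> None:
    for name, rate in (("fast hash", FAST_HASH_GUESSES_PER_SEC),
                       ("PBKDF2", PBKDF2_GUESSES_PER_SEC)):
        e = estimate(bits, rate)
        print(f"{label:26s} {bits:6.1f} bits  {name:9s} "
              f"classical {e['classical_years']:9.3g} y   "
              f"grover {e['grover_years']:9.3g} y")


if __name__ == "__main__":
    report("8 lowercase letters", entropy_bits(26, 8))
    report("16 chars, 95 printable", entropy_bits(95, 16))
    report("6 diceware words (7776)", passphrase_bits(7776, 6))
    report("128-bit random key", entropy_bits(2, 128))
    report("256-bit random key", entropy_bits(2, 256))
```

Two things the table makes visible that the thread argues about in words: a short, human-chosen password falls in hours under either model, while a 16-character random password or a six-word passphrase is out of reach classically and still far from "minutes" even with a square-root speedup; and the hash the site (or the password manager) uses matters as much as the password, since the same password lasts about five orders of magnitude longer behind an iterated KDF than behind a fast hash.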

I keep my passwords safe in one place - my head. I actually use a different combination according to the type of service - say if you get my PokeMMO password. It is a combination of a unique key pertaining to PokeMMO, and a pass key I use for all my gaming accounts. Desu or whoever has access to that information now knows my PokeMMO unique key and my gaming key, but do they know which is which? And if they do know which is which, they now need to find the unique key for each of my other accounts in order to crack it. For security stuff like banking, I actually have three keys. This has not failed me so far.
