Account / Password Security

For general discussion concerning Pangaea

Moderator: Game Masters

Tyrion
Posts: 2787
Joined: Tue Jun 21, 2011 1:58 am

Account / Password Security

Post by Tyrion »

So, essentially, this thought occurred to me recently while dealing with an Imperial member / related matter, and a line from a conversation I had in the past with another Imperial member was triggered: "My game account was hacked." If you get to thinking about that statement, you have to realize and sort of understand the limitations of hacking. How does a game account actually get hacked? I am going to try to walk you guys through a hacker's mindset.

Let's look at the facts; to hack a game account requires two things: account name and account password. Next step, getting that information. On Pangaea, since it is an old game, most people don't choose complexity over convenience, so in many cases your forum account user name and password are your game account name and password, and even if they're not, the level of complexity of the password probably is not representative of the word 'complex'. The password "arrow" comes to mind :P. Again, the next step remains: how do I get that information? The first option is using SQL injection tools that exploit a vulnerability in the phpBB code of the forum, which is doable with some -minimal- effort, or abusing a GM account (harder to do), and the last option is possibly to use some other medium (social network sites [FB, MySpace, Bebo etc.], IM chat programs [ICQ, Miranda, Trillian, Yahoo Messenger, AIM, MSN etc.]) to get the information I need. In the process, convince them I'm a nice guy and persuade them to accept a file (jpg, pdf, doc, ppt etc.) or executable malware disguised as a legit program or embedded in one of the attachments listed above (e.g. jpg, pdf etc.) which runs malicious code that grabs information and beacons it to a DNS under my control. Conclusion = Winning.

Realistically, the only way for a game account on Pangaea to get hacked is via forum account being same as IG account or GM account abuse.

My point is this: I believe the current system of security can be upgraded. Correct me if I'm wrong (staff), but most if not all account/password information is currently available to ALL (old and new) staff members. I am sure that all of us have known at least one person that has said, "my account was hacked". While I do not believe current staff (Icarus included) would abuse any game accounts, I am not so optimistic that previous staff have not / would not. If we look at the history, in regards to previous staff maintaining both a player and a game master account, and recall some of the abuses that have transpired over the near decade of Pangaea's history, I believe this should be a cause for concern and worth the time to implement some changes regarding account security. We owe it to Pangaea to keep the shard secure.
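As an added illustration of the injection class Tyrion refers to above (example code written for this page; it is not from the original post, not phpBB code, and says nothing about any particular phpBB version), the SQLite-backed "profile lookup" below shows how a query built by string concatenation lets one crafted request dump every stored username and password, while the parameterised form of the same query treats the payload as an ordinary, nonexistent name. The table, the account names and the passwords are constructed sample data.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for the demonstration. The names and passwords are
# invented; two players share a weak password to mirror the "forum password
# == game password" habit the thread describes.
SAMPLE_USERS = [
    ("player_one", "arrow", 0),
    ("player_two", "arrow", 0),
    ("gm_example", "correct-horse", 1),
]

# Attacker-supplied "username": closes the quoted literal, appends a UNION
# that reads the password column, and comments out the trailing quote.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"


def make_forum_db() -> sqlite3.Connection:
    """Build an in-memory forum database that stores passwords in clear text,
    the situation the thread suspects the forum is in."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, is_gm INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_gm) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def profile_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Vulnerable form: the username is spliced into the SQL text, so quote
    characters in it change the statement's structure instead of being data."""
    sql = f"SELECT username, is_gm FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def profile_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Hardened form: the same query with a bound parameter. The driver passes
    the username as a value, so the UNION payload is just an odd name that
    matches no row."""
    sql = "SELECT username, is_gm FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def dump_via_injection(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """What the attacker gets back from the vulnerable endpoint: every
    (username, password) pair, sorted here only for a stable comparison."""
    return sorted(profile_vulnerable(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    db = make_forum_db()
    print("legitimate lookup        :", profile_safe(db, "player_one"))
    print("injected dump (vulnerable):", dump_via_injection(db))
    print("same payload, safe query  :", profile_safe(db, UNION_PAYLOAD))
```

The only difference between the two lookups is whether the username reaches the database as part of the SQL grammar or as a bound value; with the clear-text storage modelled here, one successful injection hands over every account at once, which is why the later posts about how passwords are stored matter as much as the injection itself.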
Boris
Admin
Posts: 6972
Joined: Tue Apr 27, 2010 6:55 pm

Re: Account / Password Security

Post by Boris »

The problem with people quitting / having a long break is ignorance. When people stop playing (in 90% of all cases) they pass their account details to a friend, because they simply don't care anymore. That will just end up badly, with massive jail times and account nuking.

The safest way when taking a break is having a staff member jailing your account. When/if you come back, we simply reopen it.

- Boris
Leather armor is best for sneaking, because it's literally made from hide.
Boris
Admin
Posts: 6972
Joined: Tue Apr 27, 2010 6:55 pm

Re: Account / Password Security

Post by Boris »

Small addition:

GMs don't have access to passwords. Even I have no access. It's limited to Neon.

- Boris
Tyrion
Posts: 2787
Joined: Tue Jun 21, 2011 1:58 am

Re: Account / Password Security

Post by Tyrion »

Boris wrote:Small addition:

GMs don't have access to passwords. Even I have no access. It's limited to Neon.

- Boris
This is a recent addition, I take it?
Wille
Developer
Posts: 781
Joined: Mon Mar 02, 2009 3:00 pm
Location: Finland

Re: Account / Password Security

Post by Wille »

Nope. This has always been information only available with full server access. Any ability externally to do with passwords requires the original to be supplied first.
Hear it not my lord, for it is a knell. That summons thee to heaven, or to hell.
Zaradon
Posts: 4757
Joined: Fri Dec 09, 2011 5:57 pm
Location: Estonia

Re: Account / Password Security

Post by Zaradon »

You guys could actually make a list for people regarding the account security topic.

For example:

"Whenever you leave or fall inactive from Pangaea, your account can be held in safekeeping by the staff of the shard, but the consequences for the account's characters are the following:

- Any previously joined religion will be auto-excommunicated (after a period of time)
- Any previously bought houses/inn rooms will decay (after a period of time)

Want your account back? We require from you:

- Your previously used account name, provided with an active e-mail address.
- Proof that you are the account owner, by naming the characters, the items they wear, or what religion/guild they used to be in."
Irming
Posts: 459
Joined: Wed Nov 12, 2008 8:33 pm

Re: Account / Password Security

Post by Irming »

Tyrion wrote:
Boris wrote:Small addition:

GMs don't have access to passwords. Even I have no access. It's limited to Neon.

- Boris
This is a recent addition, I take it?
Passwords on the shard are available to Irming, Neon and Wille. No one else has access to see passwords. There is no way to see a password using a regular GM account. You need desktop access to the server.

Irming
ICQ 14 38 98 12
Hilda
Posts: 776
Joined: Wed Apr 06, 2011 3:42 am

Re: Account / Password Security

Post by Hilda »

They're not encrypted?
Wolfie
Posts: 874
Joined: Thu Sep 16, 2010 8:13 pm

Re: Account / Password Security

Post by Wolfie »

Put it this way, even if a GM did hack your account, it's not like they can do more damage to it than by doing their GM magic.
Tyrion
Posts: 2787
Joined: Tue Jun 21, 2011 1:58 am

Re: Account / Password Security

Post by Tyrion »

Tinks wrote:
Wolfie wrote:Put it this way, even if a GM did hack your account, it's not like they can do more damage to it than by doing their GM magic.
That's not the point. The point is that if an attacker gains access to the database he'll be able to get access to everyone's accounts. If they are encrypted, he'll need access to the web server and get the key/salt before he can decrypt it; he might not be able to at all if it's a one-way encryption.

Of course.. That's a crapload of effort just to gain an advantage on a private shard of an obscure old game :P
Not true. There have been rogue GMs in the past that planted created or stolen magical items on multiple characters across tens of accounts, with and without the password, and most if not all of these people have been banned/jailed indefinitely/account wiped (which is essentially a ban). Tinks makes a good argument. Additionally, the point isn't the effort, it's the simple fact that it 'could' technically be done and that people with an agenda and motive (normally disgruntled players and generally recently banned players) could do it. Hilda might remember when Gabriz McCree defaced the Pangaea website just because he was banned or jailed or w/e the case was. Of course he had access to the site, but that doesn't really matter. Deval Von'eGrim essentially took an attack a step further by hacking the forum and launching a DDoS against the server which crashed it. So yeah, it is possible and likely, especially if you take some (currently active) players' personalities into consideration.
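Hilda's question ("They're not encrypted?") and Tinks' point about one-way encryption are the technical crux of the thread, so here is an added example (written for this page, not code from the thread or from the Pangaea server or forum software) contrasting the two storage models. It keeps the same constructed accounts in a clear-text store, which is the situation Irming and Wille describe (anyone with server access can read the passwords), and in a salted one-way hash store, where the same people can still run the login check but cannot read the password back. The record format, the choice of PBKDF2-HMAC-SHA256 and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. The number is an assumption for this
# example (it follows current OWASP guidance); raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha256$"

# Constructed sample credentials. Two players reuse the same weak password,
# which is exactly the habit the thread worries about.
SAMPLE_ACCOUNTS = [("player_one", "arrow"), ("player_two", "arrow"), ("gm_example", "correct-horse")]


def build_plaintext_store() -> Dict[str, str]:
    """The situation the thread describes: anyone with read access to the
    table (or a dump of it) gets every password as-is."""
    return {account: password for account, password in SAMPLE_ACCOUNTS}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt per account means the two 'arrow' users get unrelated
    records, so a table precomputed for 'arrow' is useless against the dump."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{RECORD_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def build_hashed_store() -> Dict[str, str]:
    """Same accounts, but only one-way hashes are kept."""
    return {account: hash_password(password) for account, password in SAMPLE_ACCOUNTS}


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time. There is no decrypt step: the record can only be checked
    against a candidate, never turned back into the password."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] + "$" != RECORD_PREFIX:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def login(store: Dict[str, str], account: str, password: str) -> bool:
    """Authenticate against either store; hashed records carry RECORD_PREFIX."""
    record = store.get(account)
    if record is None:
        return False
    if record.startswith(RECORD_PREFIX):
        return verify_password(password, record)
    return hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8"))


def password_readable_from_store(store: Dict[str, str], account: str, password: str) -> bool:
    """Simulates a staff member, or whoever holds a database dump, reading the
    row: is the actual password visible in what is stored?"""
    return password in store.get(account, "")


if __name__ == "__main__":
    plain, hashed = build_plaintext_store(), build_hashed_store()
    for name, store in (("plaintext", plain), ("hashed", hashed)):
        print(f"{name:9s} login ok: {login(store, 'player_one', 'arrow')}, "
              f"password visible in row: {password_readable_from_store(store, 'player_one', 'arrow')}")
    print("same password, different records:", hashed["player_one"] != hashed["player_two"])
```

Both stores accept the correct password, so nothing about logging in changes for players; what changes is what a leaked table or a staff member with server access can learn from it. Hashing does not stop an attacker who already has the dump from guessing "arrow" offline, which is why the work factor and a unique salt per account are part of the scheme rather than optional extras.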