Login Pin + Screenshot Logger Protection -New RSOF Thread-

[Gradeskip]

What if someone is rune mining or searching for a good world for black dragons slaying/chin hunting/ whatever?

 

It'll take much longer..

 

 

 

Other than that, add me to teh uber leet supporters list! :D

[Crimsoncow42]

What if someone is rune mining or searching for a good world for black dragons slaying/chin hunting/ whatever?

 

It'll take much longer..

 

 

 

Other than that, add me to teh uber leet supporters list! :D

 

 

 

There could be a system where, if someone is switching worlds within five minutes (maybe less), you wouldn't need to put a login pin. Or they could turn it off after their first login. And besides, people have to wait 30 seconds or so to login into another world anyway.

[Crimsoncow42]

Protect your inventory! Support today!

[Crimsoncow42]

Bump.

[Crimsoncow42]

The time it takes to enter your login pin won't matter. You won't login to the game until you entered both your password and your login pin. Plus, you have to wait about 30 seconds to login anyway.

[Your Grandpa]

I support

[Jenove]

sooooo support. I just got hacked like that 2 times in a row 40 mil + lost f2p

[Bountyjosh]

I support this :D

 

 

 

Would've prevented the time I was hacked and after my account was recovered I logged back in in bounty hunter with an empty inventory.

[Computergee3]

Ahh, I like this idea :)

 

I wouldn't have to worry about keyloggers anymore -.-

 

 

 

I SUPPORT!

[kudos6969]

its pointless we have passwords you get keylogged coz your careless or you tell soemone your password because your careless, simple answer dont be careless.

[Crimsoncow42]

its pointless we have passwords you get keylogged coz your careless or you tell soemone your password because your careless, simple answer dont be careless.

 

If that's the case with everyone, then there is no reason to to have login pins or bank pins. However, this is definitely not that case and the answer is not as simple as people think. You can be the most cautious person while you surf the web, but that one time you decide to download something is all it takes. Instant messengers can be used to send keyloggers to unsuspecting friends. Password crackers can brute force any number of password through an account. Also, ask yourself, "Do I have the bank pin?". If you do, then there is no reason you should be questioning this suggestion.

[Smudge4dusty]

Support all the way I think it'll be handy I've had one account stolen/hacked. and a keylogger but I got rid of it as soon as I found out about it so I changed passwords on other computer.

[AndJusticeForOne]

Hell yes I support. I recently set up a bank PIN as my account is getting pretty good, and if I was to lose it.... no comment.

[Abc1230]

Good idea :thumbup:

 

 

 

I support

[Crimsoncow42]

If you have a bank pin, there is no reason you shouldn't support. This suggestion would only help cover more of your account. Instead of just covering all those little things that pins cover in game, the login pin will protect your entire account. This will include your inventory, something that was previously unprotected.

[boydeath]

support

[DeltaFire26]

This is a pretty good idea. I don't really see any problems with it. Especially with the "disappearing numbers" idea. It would be a minor inconvenience to some players, but since it's a good idea for account safety, I would be able to live with it.

 

 

 

I Support! ^_^ :thumbsup:

[Crimsoncow42]

Bump

[Crimsoncow42]

A thing to remember: When hopping between multiple worlds, you have to wait 30 seconds or so. The login pin would not be annoying for world hoppers because of this.

[Mylez]

I like this idea, and would use it.

 

 

 

I support! :D

[Crimsoncow42]

bump

[Crimsoncow42]

This would replace all other pins, such as the bank pin, the grand exchange pin, and the house pin.

[sirlonewolf]

sorry i do not support

 

 

 

 

 

here is why

 

I got this from one of my friends that works in IT

 

 

 

[hide=PHPBB Password Analysis]PHPBB Password Analysis

 

 

 

Posted by Robert Graham, Feb 6, 2009 05:56 PM

 

 

 

 

 

A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

 

 

 

 

 

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.

 

 

 

The striking different between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to the ends of their passwords. The phpbb site has no such restrictions -- the passwords are shorter and rarely contain anything more than a dictionary word.

 

 

 

It's hard to judge exactly how many passwords are dictionary words. A lot of words, like "xbox" or "pokemon," are clearly words, but aren't in an English dictionary. I ran the phpbb passwords through various dictionary files and come up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple ones, like "apple" or "orange," rather than complex words like "pomegranate."

 

 

 

16% of passwords matched a person's first name. This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie. But I wonder if there is something else going on. Joshua, for example, was also the password to the computer in "Wargames," which almost certainly accounts for it being at top. Variations of the name "Jordan" are popular, which almost certainly refers to "Michael Jordan," a prominent basketball start (such as "jordan23," referring to his jersey number). This makes me wonder how many people use "Michael" as a password to refer to their children compared to sports stars.

 

 

 

14% of passwords were patterns on the keyboard, like "1234," "qwerty," or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357," trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among righthanded people, "159357" will be popular among lefties.

 

 

 

4% are variations of the word "password," such as "passw0rd," "password1," or "passwd." I googled "drowssap," trying to figure out how to categorize it, until I realized it was "password" spelled backward.

 

 

 

5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture ("hannah," "pokemon," "tigger") and geeky ("klingon," "starwars," "matrix," "legolas," "ironman"). Music, though, appears to have a much broader age demographic, with a lot of old bands, like "ironmaiden." Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as "ou812" ('80s Van Halen album), "blink182" ('90s pop), "rush2112" ('80s album), and "8675309" ('80s pop song).

 

 

 

4% of passwords appear to reference things nearby. The name "samsung" is a popular password, I think because it's the brand name on the monitor that people are looking at (I have two in front of me right now). Similarly, there are a lot of names of home computers like "dell," "packard," "apple," "pavilion," "presario," "compaq," and so on. It's hard to figure out what belongs in this category, though. Is "cocacola" a popular password because there is a can of coke on their desks? Or just because it's a well-known name? In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.

 

 

 

3% of passwords are "emo" words. Swear words, especially the F-word, are common, but so are various forms of love and hate (like "iloveyou" or "ihateyou").

 

 

 

3% are "don't care" words. I've always thought that dialogs, like Microsoft's UAC, should have a button labeled "whatever." When prompted with, "This program may contain a virus, do you want to run it?" instead of having two buttons, "YES" or "NO", dialogs should contain a third button labeled "WHATEVER" or "I DON'T CARE." A lot of password choices reflect this attitude, either implicitly with "abc123" or "blahblah," or explicitly with "whatever," "whocares," or "nothing."

 

 

 

1.3% are passwords people saw in movies/TV. This is a small category, consisting only of "letmein," "trustno1," "joshua," and "monkey," but it accounts for a large percentage of passwords.

 

 

 

1% are sports related. I'm not a sports fan so I'm unlikely to recognize a lot them and categorize them correctly. The U.S. has a lot of popular sports, a lot of teams, and a lot of stars. This breadth means that no particular name is very popular, but in other countries, they become more concentrated. For example, in the U.K., the popular soccer teams, "arsenal" and "liverpool," are regularly in the Top 10 lists of passwords.

 

 

 

Here is the top 20 passwords from the phpbb dataset. You'll find nothing surprising here; all of them are on this Top 500 list.

 

 

 

3.03% "123456"

 

2.13% "password"

 

1.45% "phpbb"

 

0.91% "qwerty"

 

0.82% "12345"

 

0.59% "12345678"

 

0.58% "letmein"

 

0.53% "1234"

 

0.50% "test"

 

0.43% "123"

 

0.36% "trustno1"

 

0.33% "dragon"

 

0.31% "abc123"

 

0.31% "123456789"

 

0.31% "111111"

 

0.30% "hello"

 

0.30% "monkey"

 

0.28% "master"

 

0.22% "killer"

 

0.22% "123123"

 

 

 

Notice that whereas "myspace1" was one of the most popular passwords in the MySpace dataset, "phpbb" is one of the most popular passwords in the phpbb dataset.

 

 

 

I'm interested why "dragon," "master," and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity.

 

 

 

The password length distribution is as follows:

 

 

 

1 character 0.34%

 

2 characters 0.54%

 

3 characters 2.92%

 

4 characters 12.29%

 

5 characters 13.29%

 

6 characters 35.16%

 

7 characters 14.60%

 

8 characters 15.50%

 

9 characters 3.81%

 

10 characters 1.14%

 

11 characters 0.22%

 

 

 

Note that phpbb has no requirements for password lengths, so people tend to choose shorter passwords than for sites like MySpace.

 

 

 

Update: Ashley Pinner wrote to tell me that phpBB3 uses the newer salted-passwords that require a minimum of six characters, and that anybody who has logged in since the change has had their accounts upgraded to the new hashing scheme. This means if you have logged into phpbb.com recently, then your password is less likely to have been stolen.

 

 

 

Update: A lot of left-handed people have told me that they use their right hand for the mouse, and therefore my theory about "159357" is incorrect.

 

 

 

Robert Graham is CEO of Errata Security. Special to Dark Reading[/hide]

 

 

 

i hope player have better passwords

 

 

 

Nough Said

 

and more

 

I found this on the same web site

 

 

 

[hide=How Hackers Will Crack Your Password]How Hackers Will Crack Your Password

 

 

 

Posted by Robert Graham, Jan 21, 2009 02:53 PM

 

 

 

 

 

I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).

 

 

 

The first problem is an "online" vs. "offline" attack. An online attack is where hackers try to log on pretending to be you and guess your password. Unless you've chosen something extremely easy to guess (such as "Wasila High"), this isn't a big danger. Online systems automatically lock your account after too many bad guesses.

 

 

 

The real danger is "offline" cracking. Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.

 

 

 

Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That's fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That's roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:

 

 

 

5 characters = 10 seconds

 

6 characters = 1,000 seconds

 

7 characters = 1 day

 

8 characters = 115 days

 

9 characters = 31 years

 

10 characters = 3,000 years

 

 

 

This is why you need long passwords. Hackers can usually crack anything with seven characters or fewer, but they would be unlikely to guess passwords using this technique that are nine characters or more.

 

 

 

This is also why you need complex passwords containing uppercase and lowercase, numbers, and symbols. That's 100 possible combinations for each character. Lowercase passwords have only 26 combinations per character. A hacker can guess an all-lowercase password of 10 characters in about two days.

 

 

 

However, hackers have another trick up their collective sleeve: the mutated dictionary attack. Because of the above problem, you might choose a large password, like "Aardvark-Zebra9." This is longer than what a hacker will be able to discover by brute force. So hackers solve this with a "dictionary" attack. Instead of trying all combinations of characters, they instead try to match passwords with words in a dictionary. They then "mutate" the words, reflecting common things people do to passwords.

 

 

 

When users are told to make their passwords complex, they usually do something simple to them. Instead of choosing "robert" as a password, they will make it "robert!". Putting an exclamation mark at the end of a password is one of the most common mutations people choose. Hackers know this, so their dictionary cracks will do the same thing.

 

 

 

Here is a list of common mutations a hacker will try to dictionary words:

 

 

 

capitalizing the first letter of a word;

 

 

 

checking all combinations of upper/lowercase for words;

 

 

 

inserting a number randomly in the word;

 

 

 

putting numbers on the ends of words;

 

 

 

putting numbers on the beginning of words;

 

 

 

putting the same pattern at both ends, like *foobar*;

 

 

 

replacing letters like "o" and "l" with numbers like "0" and "1";

 

 

 

punctuating the end of words;

 

 

 

duplicating the first letter, or all letters in the word;

 

 

 

combining two words together; and

 

 

 

putting punctuation or space between the words.

 

 

 

Hackers are also smart about which words they choose. They don't just choose English words, but also include most popular languages (i.e., Spanish, French, German). They also choose words from pop culture, like xbox360 or Britney Spears.

 

 

 

If they know who you are, they will find words particular to you. Let's say your name is "John Smith," you drive a "BMW," you work for "Microsoft," and you like to watch "The Office." A hacker will Google these terms and create wordlists from the resulting Web pages. Thus, "Carell325i" seems like a fine 10-character password to defeat hackers, but will get cracked in only a few minutes by a hacker who knows you. (I like to use the Associative Word List Generator Web site to generate password lists for me.)

 

 

 

So how do you choose something that hackers can't guess? Well, remember that hackers aren't all-powerful. Increased complexity of things they have to check, the less likely they will guess your password. Yes, they will check for numbers on the ends of passwords, but as long as you've chosen something like your birthdate instead of 1234, it's something more likely to be missed.

 

 

 

Including just one international character, like a vowel with an umlaut, will defeat most password crackers. They can be typed by holding down the key and typing a -three-digit number on the numpad. Typing long phrases instead of words will also help. In theory, it should be easy to guess "Twas as a dark and stormy night" as a passphrase, but in practice, hackers won't catch it.

 

 

 

On the flip side, the more complex you make your password, the harder it will be for you to type it in. Try to create something as long as you can comfortably type, while still keeping in mind the techniques above.

 

 

 

Robert Graham is CEO of Errata Security. Special to Dark Reading[/hide]

 

 

 

My password was only 6 letters long its now 10 letters long and totally random :twisted:

 

 

 

Ps: u need to make it at least 10 number's long before i will give my support

 

1. 
    
   How fast Hackers Will Crack Your Password
    
   5 characters = 10 seconds
    
   6 characters = 1,000 seconds
    
   7 characters = 1 day
    
   8 characters = 115 days
    
   9 characters = 31 years
    
   10 characters = 3,000 years
    
   

[Crimsoncow42]

If hackers used this method with pins, then 10 characters wouldn't be enough. Instead of 100 characters, pins only use 9.

 

 

 

However, pin number is not meant to be the main line of defense against hackers. We have passwords for that. Pins are in-game and provide an extra measure of security if your password becomes compromised.

[Assume Nothing]

Definately support, but I heard about hackers being able to send multiple screenshots easily as your cursor even nears the bank pin, so maybe make the clickable range wider, making the numbers disappear even 20 pixels away from the number of the pin. Also, try and get a Jmod to look at this idea... I'm sure Mmg and other mods would like it... there may be flaws but it's easy to get around.