[ Irrelevant ]

well thank God you made the grammatical changes!

[ Irrelevant ]

never!!

[ Irrelevant ]

oh i thought you were talking about grammatical changes ! lol :)

[ Irrelevant ]

celphi man, how does one use ascii codes in a pw?? i'm technology nubs

[ Irrelevant ]

Banned for exploiting.

Seriously though, have you messaged qz? I notice you didn't post on sugs forum.....

I messaged qz, but this is exactly the type of fluff you absolutely should spam the fluff out of them to fix....Posting on express talk isn't gonna do fluff.

If we all spam qz it's more annoying and he might do something about it :P

[ Irrelevant ]

[ Irrelevant ]

celphi, I think tella was joking about banning you :p

[ Irrelevant ]

We all can :p

WHAT DO YOU MEAN "WE ALL" MOTHERfluffER? YOU DONT KNOW ME!

yea tella is funny guy celphi

*sigh*

I do fix anything critical basically right away; just message me about it first =/

lol

you don't make any sense.
An exploit would yield a password regardless of how complex the password was or wasn't.
Any modern encryption method pretty much ensures that using
"fluff" as a password vs using a random ascii string of 10,000 characters would be equally difficult to guess
if all you had was the encrypted version, no key and no other strategy.

Defeating any kind of "intelligent" password search would not be hard either. Using @#*( doesn't make your password better in that sense (see xkcd on this subject).
The password thefatcatsatonthemat is probably more effective than tT7tyZL8 (which was a "secure" password assigned to me for a specific computer course many years ago).

Stop attention seeking.

Says the guy making spam posts on AT...

+1

[ Irrelevant ]

[ Irrelevant ]

[ Irrelevant ]

on difficulty of password you missed my point but that's ok.

In short, what you are saying is the vulnerability is centered on the ability to guess a lot of combinations quickly, and using a dictionary to create a high probability match.. ie brute force is easier. It's fine to point that out and *that* argument makes sense.
but saying that using "@" or "$" in my password makes it more secure vs a more sophisticated attack is completely wrong. The possibility that it can be used does. The fact that a "shorter" password could be guessed first is purely a function of how you run the brute force attack.

But you aren't going to convince me that you have a better chance of guessing my password if I don't use those characters or combinations of small and uppercase letters as long as that option exists. You will convince that if I use words or commonly used passwords (like the infamous 2qt4u) you have a better shot at getting it.
But if I string 20 random lower case letters together, I wish you luck brute forcing that.

"http://calc.opensecurityresearch.com/";
assuming you have n choices and k length, the combinations is n^k.
Your strategy is to increase n. I will tell you increasing k is way more effective.
passwords are useless if you can't remember them or have to write them down btw.

The bigger and more serious potential vulnerability is getting the key and at least partially breaking it (for lack of a better way of putting that)..

http://xkcd.com/936/ is what martian was referring to

http://rumkin.com/tools/password/passchk.php
will illustrate my point.
type in
thefatcatsatonthemat
for example:P

[ Irrelevant ]

[ Irrelevant ]

Is there some reason all of this has particular relevance now? (Attention seeking left to one side, I mean.)

[ Irrelevant ]

[ Irrelevant ]

[ Irrelevant ]

why in the world, would anybody want to hack a stinking numbers game? you have too much time on your hands dude

you should ask that from those who hacked earthers accounts during mehul's era and rders who tried to hack bc etc and tc etc who did other hackings.

even i got hacked once, somebody had logged into my alliance-country sometime before i logged in (noticed it that no 6 bonus turns when i logged in) but didn't do anything.

Mods find you? How self-centered are you?

You posted about a potentially serious exploit on ONE of the subboards for this site, which also happens to be the smallest community of all the servers. Apparently you didn't message qz(you know, the admin?), and you didn't make ANY post on the sugs/bugs board. I'm not saying you should have made a post explaining HOW to do it; that's what the PRIVATE messages are for. I'm saying you should have made 'A' post referring to a serious issue in order to increase the likelihood that qz would see it and be able to react.

If I hadn't seen this post, it's pretty unlikely that he would have been made aware of the issue, since he usually doesn't read this forum(as I've told you and others many times). The fact that you pretty much only informed a few players on one forum without alerting the admins is absolutely mind-blowing. If you want them to do something about it, YOU SHOULD TELL THEM FFS.



Because you gave a legitimate warning to 'a small portion' of the community that didn't happen to include the person(or people) that could actually FIX the problem. I'm not attacking your character, I'm calling you out for letting your current jaded attitude towards us(the mods) effect your better judgement. I KNOW you know you should tell the admin if you've found an exploit, but you're too stubborn because you don't like how other(less important) things were handled.

so even if we have all our passwords with capital/numbers etc it's still breakable because there's no time out? it would just take longer I guess.

How many simultaneous authorization transactions can the servers handle without degrading performance or otherwise making it obvious that something is wrong?

Seriously, if you find an exploit you keep quite and tell the gameadmins or at least a mod. You give them as detailed instructions as possible, then you shut the F up about it. By posting on these public boards that there is an exploit will only put everybody at risk.

Any other way to deal with security-issues IS attention seeking.

Celphi, while there may or may not be an actual exploit, bringing it up on a non bugs related board and.not notifying staff is just ridiculous. You are as guilty as the next person who might exploit it(if it is even a concern)

[ Irrelevant ]

[ Irrelevant ]

Wait...is the entire point of this post the fact that it's possible to bruteforce shorter and less complex passwords in a reasonable period of time?

If so, I could have sworn that I had implemented a small waiting period before an IP address was able to log in when a player gt his/her password wrong enough times. Unless that was also taken out when the authentication for the forums was moved to the game, I don't really see an issue.

Absent an explanation as to why any of this has particular relevance right now I think you can put the thread down to Celphi's obsession with Celphi.

No doubt changing passwords on a regular basis and jumbling them up well is a good idea - to-day as on any other day (something the German Enigma machine distributors might have emphasised). But unless there is someone currently at work busily hacking EE accounts I'll get around to that in my own time rather than on Master Celphi's self important prompting.

[ Irrelevant ]

celphi - you need a meaningless calculation to complete this thread...Then you can tell everyone they are wrong. Thank god you only are a weekend warrior or you wouldn't have time for this nonsense.

lol