For Neopets ONLY discussion.
Topic locked

Sun Feb 20, 2005 10:15 pm

The thing is almost entirely useless -- you can use IE to let the user log in (bypassing any log-in time security codes, however complicated), and then read its stored cookies to authenticate the ab session. It's more of a strain on the real users than on the people using some kind of program.

Mon Feb 21, 2005 1:49 am

Hunter, I never thought that particular system was even meant to protect against autobuyers -- I always figured it was meant as a deterrent to brute-force password attacks.

Mon Feb 21, 2005 3:17 pm

Meh, I'm still feeling sort of vulnerable without the code. I've seen first hand a program harvest passwords through brute force before, and it ain't pretty what a determined hacker can do with a little skill and time (my uncle is a computer programmer and he was demonstrating some safety software to me and my dad so this wasn't actually a real scenario). Until the code comes back or something replaces it, I'm going to be changing my password a lot.

Mon Feb 21, 2005 5:54 pm

iconoplast wrote:Hunter, I never thought that particular system was even meant to protect against autobuyers -- I always figured it was meant as a deterrent to brute-force password attacks.

It also only allows 3 or 5 login attempts from the same IP during a 24 hour period anyway, and that is enough to stop brute-force attacks dead in their tracks.
Even assuming you could have a thousand different computers doing the attack, it would take you 11360047 days to brute-force a 6-letter alphanumeric password (or 61783 days for a 6-letter all-lowercase password) with this limitation.

Of course, if your password is password, none of that holds up.
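
The arithmetic behind the figures in the post above, as an added example that is not code from the thread or from Neopets: a small per-IP login rate limiter of the kind the post describes (a fixed number of attempts per source IP per rolling 24 hours), and a function that turns a character set, a password length, the per-IP limit and the number of attacking IPs into the number of days needed to exhaust the keyspace. The limit of 5 per day, the 1000 attacking machines, the 62-character "alphanumeric" set, and the sample attempt log are assumptions taken from or constructed to match the post; the 3-per-hour variant mentioned later in the thread is just a different per-day figure.

```python
"""Per-IP login rate limiting and the brute-force cost it imposes.

Added example (not from the forum thread or the site it discusses).
Limits, window length and the sample attempt log are assumptions
constructed for illustration.
"""
from collections import defaultdict, deque

DAY = 24 * 60 * 60  # seconds in the rolling window the post describes


class LoginRateLimiter:
    """Allow at most `max_attempts` login attempts per IP in any rolling window.

    The window is measured from the oldest counted attempt, so a blocked
    client stays blocked until that attempt ages out of the window.
    """

    def __init__(self, max_attempts: int = 5, window_seconds: int = DAY):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts: dict[str, deque[float]] = defaultdict(deque)

    def _prune(self, ip: str, now: float) -> None:
        # Drop attempts that have left the rolling window.
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, ip: str, now: float) -> bool:
        """Return True and record the attempt if `ip` is under its limit."""
        self._prune(ip, now)
        q = self._attempts[ip]
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def brute_force_days(charset_size: int, length: int,
                     attempts_per_ip_per_day: int, ip_count: int) -> int:
    """Whole days to try every password of `length` over `charset_size` symbols.

    Worst case (full keyspace), with `ip_count` sources each limited to
    `attempts_per_ip_per_day` guesses. On average an attacker finds the
    password after half this many days.
    """
    keyspace = charset_size ** length
    guesses_per_day = attempts_per_ip_per_day * ip_count
    return keyspace // guesses_per_day


def replay(limiter: LoginRateLimiter, events) -> dict:
    """Replay (ip, timestamp) attempts in time order.

    Returns {ip: (allowed, blocked)} so a defender can see which sources
    hit the limit; a source with many blocked attempts is worth a look.
    """
    counts = defaultdict(lambda: [0, 0])
    for ip, ts in sorted(events, key=lambda e: e[1]):
        counts[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(v) for ip, v in counts.items()}


# Constructed sample: one source makes 8 attempts in ten minutes, another
# makes 2. Addresses are documentation ranges, not real hosts.
SAMPLE_ATTEMPTS = [("203.0.113.7", 60 * i) for i in range(8)] + \
                  [("198.51.100.4", 30), ("198.51.100.4", 500)]


if __name__ == "__main__":
    # 62 = upper + lower + digits, 5 attempts/IP/day, 1000 attacking IPs
    print("6-char alphanumeric:", brute_force_days(62, 6, 5, 1000), "days")
    print("6-char lowercase:   ", brute_force_days(26, 6, 5, 1000), "days")
    print("same, 3/hour limit: ", brute_force_days(62, 6, 72, 1000), "days")
    print(replay(LoginRateLimiter(5, DAY), SAMPLE_ATTEMPTS))
```

With 62 symbols, 5 attempts per IP per day and 1000 IPs the function reproduces the post's 11360047 days, and 26 symbols give its 61783; both are worst-case keyspace exhaustion, which is why the post's last line about the password `password` still stands: the limiter only bounds guesses per day, it does nothing about a guess that is right first time.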

Mon Feb 21, 2005 7:08 pm

Hunter Lupe wrote:
iconoplast wrote:Hunter, I never thought that particular system was even meant to protect against autobuyers -- I always figured it was meant as a deterrent to brute-force password attacks.

It also only allows 3 or 5 login attempts from the same IP during a 24 hour period anyway, and that is enough to stop brute-force attacks dead in their tracks.
Even assuming you could have a thousand different computers doing the attack, it would take you 11360047 days to brute-force a 6-letter alphanumeric password (or 61783 days for a 6-letter all-lowercase password) with this limitation.

Of course, if your password is password, none of that holds up.


Good point, I should've remembered that before I started worrying. I'd forgotten that my uncle's demonstration didn't have any limitations since it was all hypothetical.

Mon Feb 21, 2005 7:27 pm

Hunter Lupe wrote:It also only allows 3 or 5 login attempts from the same IP during a 24 hour period anyway, and that is enough to stop brute-force attacks dead in their tracks.
Even assuming you could have a thousand different computers doing the attack, it would take you 11360047 days to brute-force a 6-letter alphanumeric password (or 61783 days for a 6-letter all-lowercase password) with this limitation.

Of course, if your password is password, none of that holds up.


Last I checked that limitation was 3 every hour, not every 24 -- but your point is still valid. Social engineering and poor passwords are still the weakest points, and probably always will be.

By the way, anyone who wants truly secure passwords should check out Diceware. Now that's good stuff.

Mon Feb 21, 2005 9:05 pm

OK. I think that this was removed by accident as I just went to login, entered my username and then where it said password, I entered my correct password. The security code box wasn't there. So I clicked "Submit" and it took me to Pet Central. So then I went to castle battles and just as I was about to play it said I wasn't logged in. So I tried again. And again. And again. I can't log in. And my account isn't frozen. So I have come to the conclusion that they have suspended log-ins as that was a mistake.

Mon Feb 21, 2005 9:14 pm

The security code probably doesn't work anymore anyway. The programmers find ways around them in two weeks or less :x It would explain how autobuyers keep snagging all the MP's without anyone in the store getting so much as a haggle. It's horrid how quickly some of the items go. I saw 4 MP's stock yesterday, and got only a haggle on one of them. The rest disappeared instantly.

Mon Feb 21, 2005 9:37 pm

OmniIcyshelf wrote:The security code probably doesn't work anymore anyway. The programmers find ways around them in two weeks or less :x It would explain how autobuyers keep snagging all the MP's without anyone in the store getting so much as a haggle. It's horrid how quickly some of the items go. I saw 4 MP's stock yesterday, and got only a haggle on one of them. The rest disappeared instantly.

Isn't that the way it is in the magic shop though? :( Noticed more AB'ers than usual in the last couple of days

Mon Feb 21, 2005 10:37 pm

Yeah- If they would just change the security code system every three days or so, we wouldn't have to worry about abers :K

Mon Feb 21, 2005 10:43 pm

OmniIcyshelf wrote:Yeah- If they would just change the security code system every three days or so, we wouldn't have to worry about abers :K

Ab'ers *sigh* no chance of EVER getting a good potion from the magic shop for me :( I don't even try anymore

Fri Feb 25, 2005 10:34 am

iconoplast wrote:In Firefox, for example (along with, most certainly, Opera and Safari... don't know for sure if IE is vulnerable to it, but I'd assume it is), URLs can be spoofed disturbingly easily. There's an exploit that uses alternate character codes to force a false URL to display. You can also make it look very similar to the correct letters, which is enough to fool a casual glance.

Firefox developers read your post and updated their browser ;)

http://news.com.com/Mozilla+releases+Fi ... 89693.html