Ok, I just read in another thread that KK plans on patching it so that we can't have our username and passwords automatically saved... Ok I don't know about you but if this was to happen I would be EXTREMELY pissed and that itself would make me quit the game. I dont know how many times I have been in a op war and I get a fatal error and I have to log back in, I just click through the startup splash then when I get the the username and password screen I just hold enter down and get back into game within seconds since I am on pluto I dont have to click what server I am on. So, if I was to enter my username and password in, good chances are I will be dead when I come back unlike now where I actually have a chance of coming back alive. Can anyone confirm that KK are actually planning on doing this?

All i can say is...

No KK No...

dont you dare

well, saving ur password & log in name makes it easier for any hacker to get ur password & name. its happened before

Originally posted by Mr Friendly
well, saving ur password & log in name makes it easier for any hacker to get ur password & name. its happened before

Well, I don't know much about hacking but, I get the feeling the way most of it is taken is through a key logger. So that means that in order for them to get your username and password through a key logger you actually have to type your username and password in, in order for it to log your keystrokes to get your account info. If it was saved, you don't have to type it in therefore a key logger couldn't get your info. Correct?

Originally posted by Mr Friendly
well, saving ur password & log in name makes it easier for any hacker to get ur password & name. its happened before Read the other thread first, before you make ill advised statements.

Originally posted by kurai
Read the other thread first, before you make ill advised statements.


Other thread? :confused:

http://neocron.jafc.de/showthread.php?s=&threadid=71707

Originally posted by Thanatos
we will disable the option to save your password locally in the next patch.

:mad: Guess I won't be renewing my account. Too much of a pain in my ass to retype my password everytime I crash or have to relog.

I mean really now. Why can't KK just issue a warning about saving your password and give the people the choice on if they should save the passoword or not like it is now. Why force us to do it?

They MUST do it becos just replacing chars that have been looted was being exploited to dupe stuff so ... blame the fools who always have to get stuff for free

Originally posted by Psyco Groupie
They MUST do it becos just replacing chars that have been looted was being exploited to dupe stuff so ... blame the fools who always have to get stuff for free *points at the other thread*

Tell me just how that will address the issue.

erm...
why dont kk just use a stronger encryption?

MD5 is not backwards decryptable so thats good

and hell, ive made and encrytion that encrypts the password with a different encryption depending on the sername

they could do stuff like that

then neither keyloggers or spyware would work

just deal with it, someone spoilt it for everyone else

If you're going to quit over that then I doubt you'd be around for much longer anyway. o_O

Originally posted by Psycho_Soldier
Well, I don't know much about hacking but, I get the feeling the way most of it is taken is through a key logger. So that means that in order for them to get your username and password through a key logger you actually have to type your username and password in, in order for it to log your keystrokes to get your account info. If it was saved, you don't have to type it in therefore a key logger couldn't get your info. Correct?

when ur saving the password, its saving on the game server, use common knowledge & ull see why

Originally posted by Psycho_Soldier
:mad: Guess I won't be renewing my account. Too much of a pain in my ass to retype my password everytime I crash or have to relog.



Why make a password thats harder to rember? long, simple and effective..

Takes all of ten seconds to type a username and password in, and if it stops little brother/niece/sister/cat/BF and, or GF from deleting your char aciedentaly, then I'm all for it...

Originally posted by Q`alooaith
Why make a password thats harder to rember? long, simple and effective..

Takes all of ten seconds to type a username and password in, and if it stops little brother/niece/sister/cat/BF and, or GF from deleting your char aciedentaly, then I'm all for it...

True dat.

In Neocron, EVE, Hotmail....everything really, I type my username and password in each and every time. Doesn't take that long, and it prevents a lot of hassle in the long run.

If someone's too lazy to remember a password, then that's their problem.

Originally posted by Helen Angilley
True dat.

In Neocron, EVE, Hotmail....everything really, I type my username and password in each and every time. Doesn't take that long, and it prevents a lot of hassle in the long run.

If someone's too lazy to remember a password, then that's their problem.


But then if your the only user of a PC you don't need to rember your password so much...

cepting the startup and windows, and keylock ones, but then you have to type them in anyway..

on not forgetting the file encrypters..

But surly you don't have a l33t speak password like ()wN4G1!!!11!!11!()n£

or anything silly like that.

Psycho you're not really gonna quit over this right?


O_o

Originally posted by Q`alooaith
But then if your the only user of a PC you don't need to rember your password so much...

cepting the startup and windows, and keylock ones, but then you have to type them in anyway..

on not forgetting the file encrypters..

But surly you don't have a l33t speak password like ()wN4G1!!!11!!11!()n£

or anything silly like that.

I never use that "auto-fill" thing, it's more irritating than anything else.

Type one letter and it fills up the "box" with a completely irrevelant word. >.<

dude psuch, just do what i did:

close ur eyes & run ur finger over 5 random buttons, write them down & bam! ther's ur password ":P

Originally posted by Mr Friendly
dude psuch, just do what i did:

close ur eyes & run ur finger over 5 random buttons, write them down & bam! ther's ur password ":P

your passwords only 5 buttoms long?!


lol...

I hate them auto fillers, just use the store to HD when it's nothing vital, like my Mod's directory, though anyone going in there would be bogged down by the number of files, numbered, coded.. EG..

02MWBNS2V3A as a short example of some of the files that sit around and do nothing...

Ok I don't see the point in changing the client so you can't save the passwords locally. I mean it puts it in to the Neocron directory, so its not like EVERYONE has access to it, only peple who have access to Neocron on the local machine.

Originally posted by Helen Angilley
True dat.

In Neocron, EVE, Hotmail....everything really, I type my username and password in each and every time. Doesn't take that long, and it prevents a lot of hassle in the long run.

If someone's too lazy to remember a password, then that's their problem.

Ok with Hotmail you dont have to, because of .NET Passport.

It's not that im too lazy to remember my password. I have had the same password for a few things for awhile now. My problem is running into bugs where you have to relog several times, or get a fatal error in a very bad situation but you may have still had a chance to survive if you password was automatically saved. Just think, if you get that bug with the NPC's where the script doesn't load so you have to relog 15 times or so. Imagine having to retype your password EVERYTIME. I wouldn't mind it as long as fatal errors or bugs like that didnt happen.

OK - time to clear up misconceptions for accuracy's sake :- Username & password are not saved anywhere in the Neocron directory (or anywhere else in the normal filesystem).
Username & password are not saved on the remote server.
Username & password are *only* saved in the registry.
Registry can *only* be read locally, or with a *very* specific Remote Registry network service.
In the registry only the username is plain text - password is hashed
The hash used is universal - the resultant code can be simply copied and pasted to another machine's registry.
Non-reversible encryption is irrelevant. You don't need to extract the original plain text password when the above is considered.
KK's "solution" in no way, shape or form defends against keyloggers
Keyloggers are *massively* more common than attacks that steal specific Registry keys or give total machine remote control to attackers.

You can see from the above that KK's security *does* need work, but that their "fix" is utterly irrelevant - it actually *increases* the vulnerability.

In reality we have two very different issues here.[list=1] Characters deleted "by accident, the little brother, cat or dog"
Spyware/Trojans
[/list=1]Issue 1 has a *very* simple fix - prompt for password to be entered manually when the X Delete Character is pressed.

Issue 2 is not anything KK can or should be involved in, other than to warn users to take common sense precautions.
Installing half assed measures that make the situation worse is just foolish in the extreme.

If you are going to do *anything*, change the registry password hashing, and apply it to username too.

Kurai - great post, and I agree 100%. Don't think it can be said much better.

5 stars due to Kurais post.

/Cryton

if they do this, they should at least remeber username so u just gotta type ur password

Well im going to have fun logging in after the patch...

All my account passwords are multicase, alphanumeric, non-dictionary with 10+ characters. Goodie.

To clear something deeper out:

HASH != Encryption

A Hash is defined as an in the best case random value calculated by an datagram as input. The same datagram will result everytime in the same output value. The Hash value has always a defined size. You can not recover the original datagram by the hash value. Its used to prevent datagram changes due undersigning.

An Encryption is the mathematical algorythm that translates a datagram into a in the best case random other datagram. With a corresponding decryption algorythm the original datagram can be retrieved. It prevents withreading datagrams


Both methods can be used for to create a secure path from client to server, but cant be used to secure the client or server itself.