Nasomi Community FFXI Server https://na.nasomi.com/forum/ |
|
One time password or Authorize login https://na.nasomi.com/forum/viewtopic.php?f=6&t=12270 |
Page 2 of 4 |
Author: | Zigma [ Fri Oct 04, 2019 1:09 pm ] |
Post subject: | Re: One time password or Authorize login |
Boötes wrote: I like the one-time idea, but in the meantime, if you're worried that your password is weak, something like this will give you a decent alphanumeric string, so that you're safer from brute force/dictionary attacks. Although, it's probably an exploit somewhere else. https://www.random.org/passwords/

Brute force and dictionary attacks are easy to mitigate against. I would not worry about these as much as long as you have a long, complex password.

Here's some food for the 'old mind. You know all those emails and notifications that we're all used to seeing, regarding databases that are compromised, where hackers from xyz were able to get the records etc for millions of people? But companies say you have nothing to worry about because the data is encrypted and safe? The reality is -- your data is not safe. There are warehouses in places like China, Russia, etc where the only objective is to get as many data dumps as possible, they don't care about encryption or not because every single encryption algorithm that is used today is vulnerable -- it just takes time to crack it with today's computing efforts -- but once quantum computing becomes an actual thing then all that data is cracked in sometimes minutes. Scary stuff.

Not to get off-topic (I apologize - this is a topic I hold dear), any option suggested here is better than not having any at all. |
Author: | seventythree19 [ Fri Oct 04, 2019 2:15 pm ] |
Post subject: | Re: One time password or Authorize login |
Is there any increased risk associated with having a complex password that is saved into the Ashita launcher? I'm all for making my password something like: SDG$$^^Y#bfdg21G2%677&&re34Fbanana but it'll sure be a pain in the butt if I have to type it in every time. |
Author: | Hamster [ Fri Oct 04, 2019 2:30 pm ] |
Post subject: | Re: One time password or Authorize login |
seventythree19 wrote: Is there any increased risk associated with having a complex password that is saved into the Ashita launcher? I'm all for making my password something like: SDG$$^^Y#bfdg21G2%677&&re34Fbanana but it'll sure be a pain in the butt if I have to type it in every time.

I think it's limited to 15 characters, but other than that I don't see why not.

I like the #2 option. If they figure out how to bypass the game password system like last year, passwords won't matter. If they manage to access my forum account then it won't matter either way. But if I keep my forum account locked down, I wouldn't have to worry about unauthorized access because it would only be accessible when I said it was ok. However I would make a suggestion to not have to reauthorize after dc or game crash. I don't know how hard that would be.

I would like to inquire about changing login names for game accounts though. I made some poor choices. |
Author: | Starbright [ Fri Oct 04, 2019 2:37 pm ] |
Post subject: | Re: One time password or Authorize login |
This doesn't really seem to address the fact that forum accounts are usually what is compromised, but I guess it's better than nothing.. |
Author: | Aeroo [ Fri Oct 04, 2019 2:51 pm ] |
Post subject: | Re: One time password or Authorize login |
wow sexist poll bro |
Author: | disposablehero [ Fri Oct 04, 2019 2:59 pm ] |
Post subject: | Re: One time password or Authorize login |
A system like ffxiv where u can set up a token pw and authorization from the non current ip would be sick XD |
Author: | Zigma [ Fri Oct 04, 2019 3:01 pm ] |
Post subject: | Re: One time password or Authorize login |
seventythree19 wrote: Is there any increased risk associated with having a complex password that is saved into the Ashita launcher? I'm all for making my password something like: SDG$$^^Y#bfdg21G2%677&&re34Fbanana but it'll sure be a pain in the butt if I have to type it in every time.

Depends on how passwords are stored within Ashita Launcher. For example, you can have a complex password such as that -- yet if you have your browser, as an example, "remember password" etc then ... if your computer gets compromised and they are able to grab that -- then you're screwed. There's a reason why password managers exist. |
Author: | cthalupa [ Fri Oct 04, 2019 3:07 pm ] |
Post subject: | Re: One time password or Authorize login |
Zigma wrote: cthalupa wrote: I like #2, but adding one time password for site login would also be something I would like. Combine the two and it should be super secure. I am ... about anything that uses this forum for handling authentication. PhpBB is notorious for having exploits and vulnerabilities. Unfortunately, 2FA/MFA authentication platforms aren't free .. some aren't even cheap.

Google's is free |
Author: | Zigma [ Fri Oct 04, 2019 3:15 pm ] |
Post subject: | Re: One time password or Authorize login |
cthalupa wrote: Zigma wrote: cthalupa wrote: I like #2, but adding one time password for site login would also be something I would like. Combine the two and it should be super secure. I am ... about anything that uses this forum for handling authentication. PhpBB is notorious for having exploits and vulnerabilities. Unfortunately, 2FA/MFA authentication platforms aren't free .. some aren't even cheap. Google's is free

lol, yes. I've never used Google but you can use something like freeradius/google's pam but in order to do that -- you'll still need something to hook it into it. In other words, Nasomi's authentication method would need to support, say, RADIUS, in order for such a thing to work. |
Author: | cthalupa [ Fri Oct 04, 2019 3:24 pm ] |
Post subject: | Re: One time password or Authorize login |
Zigma wrote: cthalupa wrote: Zigma wrote: I am ... about anything that uses this forum for handling authentication. PhpBB is notorious for having exploits and vulnerabilities. Unfortunately, 2FA/MFA authentication platforms aren't free .. some aren't even cheap. Google's is free lol, yes. I've never used Google but you can use something like freeradius/google's pam but in order to do that -- you'll still need something to hook it into it. In other words, Nasomi's authentication method would need to support, say, RADIUS, in order for such a thing to work.

No you don't. You can add Google Authenticator support incredibly easily to just about anything. Google Auth codes are just RFC6238 and HMAC - you don't need PAM or RADIUS or any other sort of heavyweight auth method to support it. There's a bunch of existing RFC6238 implementations for PHP and basically every other language that would be very easy to adapt.

e.g. https://github.com/mindgruve/two-factor-authentication / https://github.com/Voronenko/PHPOTP/wik ... entication |
All times are UTC |