Shaiya, How to protect accounts of players

[GM]Nivea · 02/10/2014, 02:00

Hi.
I talk for a big problem in some shaiya private servers, no is a hack, no is stat panding,is other thing much more dangerous, is account theft.
A account theft is a simply action, and all players they can do... the problem is:
The account theft no need a program hack or a bug, its simply to search accounts and finally found, for:
*Some account have simply names, generally the password and username are the same word's , and are simply things or name/ anime characters, a few examples:
joseph12 joseph12 sakura10 sakura10 goku1234 goku1234
The players who want to find accounts, first find only names or names with letters, 10,20,12,01 ,etc,and later other things.
Some players want to have a easily account to enter more fast to play in game, but is very big problem.
Every server have different account registration system, some want only 8 or 7 letters, and no need numbers, NOTE: a lot of servers not distingish uppercase, is the same joseph12 or JosePh12.

Players who are 'finders' of accounts, no are stupid, are inteligent people with no try only with names, try with a lot and a lot of words, and can use hours of a day to searchs accounts.

If a server have full protection of accounts, are needed:
* First, no only a count of words, but, more than 5,6 letters no is bad idea.
* Need Yes or Yes to be 1 or 2 numbers in the username and password.
* No permit to username and password have the same data.
* The official page of server have a button to Password/username change, is VERY important.

A examples of a perfectly secure accounts is:
sakura56 sakura73
nick4376 nick2376
goku5430 goku1023

The thiefs of accounts not search for a very hard accounts , only try to find accounts with easy data.

Note: This ideas are tought for a private server with official page of server, and is for only protect account for thiefs,actually don't exist a hack to theft accounts, therefore, if a server have the system mentioned above, the theft of accounts problem never be sudmitted in your server.

nubness · 02/10/2014, 11:15

Quote:

Originally Posted by [GM]Nivea

A examples of a perfectly secure accounts is:
sakura56 sakura73
nick4376 nick2376
goku5430 goku1023

I don't really understand how your examples are secure. You are using only lowercase letters and 2 numbers.

If you want a secure password, you would most likely go for the following rules:

At least 1 uppercase character
At least 1 lowercase character
At least 12 characters
At least 1 special character

Here's some examples:

elite*pVp2014#
(A+B)^2=a^2+2ab+b^2

Quote:

Originally Posted by [GM]Nivea

The thiefs of accounts not search for a very hard accounts , only try to find accounts with easy data.

You're talking about kids like Wolfy who try passwords they found in other databases, while the real thieves that might get your password are those who are attacking the server's database with lots of possible password combinations. The first, and fastest type of attack is a dictionary attack, where the attacker's program submits the username and the most commonly used words. If you are using a password which corresponds to the pattern I wrote above, you're safe against these for sure.
One other password attack type you most likely heard of are the brute force attacks, where the attacker's program tries every possible password combination available, like so: (given the password is 2 characters long)

AA
AB
AC
...
AZ
BA
BB
...

Cracking a password using brute force depends on whether the password has both uppercase and lowercase letters, numbers, special characters, and the password's length.
If your password is longer than 15 characters, containing uppercase and lowercase letters, numbers and special characters, it would take a brute force program centuries to crack it, which means you're secure. Congratulations.

[GM]Nivea · 02/10/2014, 16:15

Quote:

Originally Posted by nubness

I don't really understand how your examples are secure. You are using only lowercase letters and 2 numbers.

If you want a secure password, you would most likely go for the following rules:
At least 1 uppercase character

At least 1 lowercase character

At least 12 characters

At least 1 special character

Here's some examples:
elite*pVp2014#

(A+B)^2=a^2+2ab+b^2

You're talking about kids like Wolfy who try passwords they found in other databases, while the real thieves that might get your password are those who are attacking the server's database with lots of possible password combinations. The first, and fastest type of attack is a dictionary attack, where the attacker's program submits the username and the most commonly used words. If you are using a password which corresponds to the pattern I wrote above, you're safe against these for sure.
One other password attack type you most likely heard of are the brute force attacks, where the attacker's program tries every possible password combination available, like so: (given the password is 2 characters long)
AA

AB

AC

...

AZ

BA

BB

...

Cracking a password using brute force depends on whether the password has both uppercase and lowercase letters, numbers, special characters, and the password's length.
If your password is longer than 15 characters, containing uppercase and lowercase letters, numbers and special characters, it would take a brute force program centuries to crack it, which means you're secure. Congratulations.

Hi,
Some servers no identify uppercases, me in my first times of play shaiya in private server, i find accounts, believe me, the 'finders' no searchs for hard accounts, servers no need extremetly hard password,only a few conditions,
I never look for accounts with this numbers: 47,98,13,etc
Me only searchs in google for a list of girl and boy names in countrys and later go to find, first me put the name, and later the name with easy numbers (10,11,12,15,50,20) , a protected account example:
54goku32 32goku54

No are needed a lot and a lot of words, only a numbers and a different username and password (important: the 'finders' search only for accounts with the same username and password, or little differences)

I have experience in account find, and me can tell you, no is a lot of protection needed, only a few requeirements and perfect, accounts safe !

Regards.
Att: Nivea/Aelita/Cinthia

nubness · 02/10/2014, 19:11

Quote:

Originally Posted by [GM]Nivea

Hi,
Some servers no identify uppercases, me in my first times of play shaiya in private server, i find accounts, believe me, the 'finders' no searchs for hard accounts, servers no need extremetly hard password,only a few conditions,
I never look for accounts with this numbers: 47,98,13,etc
Me only searchs in google for a list of girl and boy names in countrys and later go to find, first me put the name, and later the name with easy numbers (10,11,12,15,50,20) , a protected account example:
54goku32 32goku54

No are needed a lot and a lot of words, only a numbers and a different username and password (important: the 'finders' search only for accounts with the same username and password, or little differences)

I have experience in account find, and me can tell you, no is a lot of protection needed, only a few requeirements and perfect, accounts safe !
Regards.
Att: Nivea/Aelita/Cinthia

You're among the newbies who never heard of programming. While you're manually trying 6-8 passwords a minute, a brute force program can try 600-1000 or even more.

And it's nice to see how you admit being a **** and trying out password combinations until you get what you need, but I'll tell you what, you're inefficient

sominus · 02/11/2014, 17:01

Do these programas attack the sql service (wich should be blocked from the net) or do they attack the game login service?

nubness · 02/11/2014, 17:31

The game login service obviously. They basically inject the game.exe and start calling the login function passing an username and a password.

mulletman · 02/14/2014, 07:33

With any security the best way to secure an account is not to be dumb.

Seems to me most account "Hacking" is caused by stupid mistakes. Sharing accounts, using "Pilots", going to websites offering "free" items and inputting your account info, One i am guilty of is using the same information on different servers.

Also to watch out for (especially those playing at shop's/cafe's) Keyloggers, they can come in many forms from a hidden virus that another player/ user has installed on the PC you are using, to a USB thumb drive that stores the information to its memory to be collected at a later date.

I got burned on one server because I went to a server that had a reputation for the admin being less than reputable. I played there a couple days and moved one week or two into my next server that i had used the account info on my account was cleaned. The admin of that server was nice enough to try tracking down my gear by the time he got to searching for it the gear had changed hands over 7 times with no signs of slowing. He was generous enough to change my PW for me and compensate me with some DP to help me get back on my feet. /end rambling

Basically dont get greedy/lazy and your account information will be 90% safe. the other 10% is reserved for the admin of any server you play.