Blizzard introducing security dongle

[Salamok]

favpassword+number of the current month

[Bzalthek]

I would use phrases, but as acronyms.  (FmdIdgad = Frankly my dear, I don't give a damn) and append one of several numbers I prefer depending on the system the password is for.

[Oban]

I would use phrases, but as acronyms.  (FmdIdgad = Frankly my dear, I don't give a damn) and append one of several numbers I prefer depending on the system the password is for.

I am selling a level 70 full T6 blood elf mage account I just cracked for 700 dollars.  Armory data is Bzalthek on Destromath.

[Typhon]

I just changed jobs, went indpendent, had to get my own laptop which came with a finger print reader.  I already can't remember how I ever lived without it.  I <3 Biometrics!

[Murgos]

With SCII, DIII and WOW II (c'mon, you know it's in the works) coming this sort of investment in technology makes absolutely perfect sense.

It might not make that much sense for anyone other than Blizzard though.

[schild]

It might not make that much sense for anyone other than Blizzard though.

Steam.

[UnSub]

It might not make that much sense for anyone other than Blizzard though.

Steam.

Which is why I wouldn't be surprised if Bnet The Next Gen has a lot more attention put on account security. There'd be a level of free play, but a lot more unlocked by paying a monthly fee or something. With dongle.

[Bzalthek]

I would use phrases, but as acronyms.  (FmdIdgad = Frankly my dear, I don't give a damn) and append one of several numbers I prefer depending on the system the password is for.

I am selling a level 70 full T6 blood elf mage account I just cracked for 700 dollars.  Armory data is Bzalthek on Destromath.

Hah, actually Bzalthek is on Lightbringer and is still a 60 Troll Shaman.  The password above, however, hasn't been used since 97 when I maintained the local High School computer servers.

[Jerrith]

It's a great idea, and the costs are finally getting low enough that it's financially reasonable to do it.  There are also some subtle benefits to it - while not impossible, it makes giving out your account info (to a friend, or a powerleveling service) difficult, resulting in less of that behavior.  There's also some IPs (such as Stargate, which I'm working on) where you could make it fit in really well (the GDO device). 

[Koyasha]

My question on this would basically be, why NOT a USB dongle?  If we're going to make a physical device the user has to have in order to log in, why not something they just plug into their computer?  Seems a lot more user-friendly.  Having to mess with reading a number off the thing and typing it in is enough to discourage me from wanting to use something like that, since for a game, I use easily memorized passwords, and anything that delays my login, especially if it requires me to interact further (even an unneeded CLICK is annoying) is something I'll avoid.

[Talonus]

My question on this would basically be, why NOT a USB dongle?

Most likely because the dongles are more prone to breakage than RSA keyfobs. Really, the RSA keyfobs are durable little fuckers; I've left mine in the wash more than a couple times and it always comes out good as new.

[Trippy]

My question on this would basically be, why NOT a USB dongle?  If we're going to make a physical device the user has to have in order to log in, why not something they just plug into their computer?  Seems a lot more user-friendly.  Having to mess with reading a number off the thing and typing it in is enough to discourage me from wanting to use something like that, since for a game, I use easily memorized passwords, and anything that delays my login, especially if it requires me to interact further (even an unneeded CLICK is annoying) is something I'll avoid.

Ignoring the endless support issues with dongle drivers (heh) they are fine if you only use one computer and never have to move it. If you are in a situation like in China where people play in Internet cafes, it becomes a big big problem putting them in all the time (especially if the case doesn't have front USB ports), leaving them behind, mixing them up with other people's etc.

Edit: They are also potentially hackable in the same way that dongles used as copy protection can be bypassed if you can hack the code that makes the check.

[fuser]

My question on this would basically be, why NOT a USB dongle?  If we're going to make a physical device the user has to have in order to log in, why not something they just plug into their computer?  Seems a lot more user-friendly.  Having to mess with reading a number off the thing and typing it in is enough to discourage me from wanting to use something like that, since for a game, I use easily memorized passwords, and anything that delays my login, especially if it requires me to interact further (even an unneeded CLICK is annoying) is something I'll avoid.

edit: snipping out stuffy trippy covered...

You would also defeat the purpose of the security measure (atleast with blizzard) because someone could still get into your account management page where the device is physically still attached to your computer and turn the device off from your account management.

Another hope is something like OpenID gaining more traction...

[Kitsune]

My password advice for users is to pick a mnemonic system that they can remember, fit a theme to the mnemonic system that lets them associate common words to the place they're logging into, then l33t up the words with letter substitution for numbers and symbols and tack an arbitrary number on there for good measure.  Just as an off the cuff example, basing the mnemonic off of the number of characters in the name, and associating that with the name of a month.  F13 has three characters, so M4rch2008.  Paypal has six, so Jun32008.  If you ran across something with more than twelve characters, you'd need to improvise somehow, but otherwise it should be pretty solid.  By keeping a whole suite of passwords in your brain, even if one password gets found out somehow, whoever has that one password doesn't have the key to everything, unless they can guess the pattern you used to make the passwords.

[Lantyssa]

I just changed jobs, went indpendent, had to get my own laptop which came with a finger print reader.  I already can't remember how I ever lived without it.  I <3 Biometrics!

They're neat until you have fingerprints the readers can't decipher.

[Oban]

Knife beats fingerprint reader every time.

[Selby]

They're neat until you have fingerprints the readers can't decipher.

Yeah, electrical burns really mess with your fingerprints over time.  The bigwigs at work have fingerprint readers on their laptops, but us peons get the same laptop with the software for the reader removed "as a security measure."

I've used dongles and parallel port readers for years on CAD and FEA software.  I hate using it for them and I'd hate to use it for a game.  An RFID similar to keyless entry in a car would be nifty though.  No more plugging in devices, just have the device within 2 feet of the computer.

[Lantyssa]

Yeah, electrical burns really mess with your fingerprints over time.  The bigwigs at work have fingerprint readers on their laptops, but us peons get the same laptop with the software for the reader removed "as a security measure."

There are plenty of reasons.  Apparently I naturally have really thin skin that makes it hard to get a fingerprint or use an electronic reader.  The FBI rejected my card three times for a routine check until I had an officer take thirty minutes to get my prints and write a letter that it was the best they would ever get.

[Selby]

There are plenty of reasons.

Of course there are =P  I just tend to burn\damage the tips of my fingers regularly which causes them to change a bit as the scar tissue moves around.  Which is why I don't necessarily like cheap finger print readers - which we shouldn't kid ourselves, the ones available for low prices are very cheap readers.

[Trippy]

My aunt is a serious Mahjong player. They don't even bother to look at their tiles -- they just use their thumbs to feel the patterns braille-style. Because of that her thumb prints are so worn down they couldn't get a good print of them when she went to get a driver's license.

[Pendan]

Tobold reports that the Paris Blizzard show over the weekend sold out of the dongles on first day.

[schild]

That means absolutely nothing, Pendan. They would've sold out of MOCK id tags for it simply because it's piece to add to the blizzard collection. Analyzing any sort of success from any sort of sales at WWI is a fallacy.

[Merusk]

I hear the self-castration kit only sold 3/4 of the units.

 

[schild]

If they slold self-castration kits, they'd already be fetching thousands on ebay.

[Oban]

If they slold self-castration kits, they'd already be fetching thousands on ebay.

Aw god, they really do sell those on eBay.

[Furiously]

No one watched the Mythbusters show on fingerprint readers?

[Oban]

No one watched the Mythbusters show on fingerprint readers?

Hey, not everyone has access to jello and/or a photocopier.

[Salamok]

No one watched the Mythbusters show on fingerprint readers?

the gummy bear attack FTW!  Actually I dodn't catch that mythbusters episode and am not sure if they even covered the gummy bear attack but it still rocks.

[UnSub]

If they slold self-castration kits, they'd already be fetching thousands on ebay.

If they sold Diablo 3 self-castration kits that went PING when the 'loot' dropped, schild would already have one.

[Ubvman]

I'm waiting for the first news report of somebody being beaten up/robbed for one of those things.

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.

Key-logging and hacking is a lot easier to get away with than outright theft or mugging. Robbery is a traditional crime that the police understands; the thief takes a lot of risk doing this since its a lot harder to get away with it. Chances are higher getting caught or getting roughed up if things go wrong, compared to white collar computer crimes (different breed of criminals altogether IMO). Once they are committed to stealing physical stuff - there are far better things to take from you - wallet, purse, cash, credit cards, watches etc. etc. than an esoteric dongle.

BYTW, anyone have a picture of the WoW security device? Its got to attach to a USB port. New computers do not come with  parallel or serial ports anymore. I had a world of trouble fixing my old pre-USB HP laser printer to my new computer.

[Trippy]

BYTW, anyone have a picture of the WoW security device? Its got to attach to a USB port.

No it does not.

[Oban]

Right angle image:



and an image to the left:

[Trippy]

As a side note that button is actually an interesting security feature. The original SecurID device just had an "always on" display with the numbers changing on a regular basis. This had the advantage of allowing for a totally "sealed" enclosure. I'm guessing Blizzard went with a button to prevent people from stealing codes off the devices in a "public" setting. E.g. the user forgets to put the fob back in his pocket/backpack so it's sitting on the table and somebody nearby can steal the latest code off of it and if they know that person's account info they could steal the account still.

[bhodi]

And the downside is if you drop it in the toilet or sink by accident, it no longer works.

My Aladdin token has a button, as well. I assume it also helps to save energy, they probably don't go dead after 2-3 years like the securid ones do.

[Tale]

The original SecurID device

This reminds me, I killed two SecurIDs in a week once. All I did was put them on my keyring (nothing special, just a standard metal keyring).

SecurID #1
Lived on a clip on my laptop bag. Taken off occasionally to read number. Decided one day that I wanted it on my keyring instead. Three days later it blanked out.

SecurID #2
Replacement for #1. Put it on my keyring right away. Three days later it blanked out.

SecurID #3
Lives on a clip on my laptop bag. Never on my keyring. Using it to this day.