
Security concerns

May 3, 2011

With all the debacle about the Sony security breach and concern about their perhaps less than stellar security handling, it may be a good time to think about our own handling of personal data.

Sony is not the first and will not be the last where customer information may be compromised. It has become big news because it is a high profile company, but our personal information may still be just as much at risk with low profile entities with less than stellar security policies or policies that are not enforced.

A concern for ourselves is how useful that information is at any single location. Do we have the same account name in multiple locations? Do we have the same password? Do we have the same account name, password and email address in multiple places? Is any of the information used in a gaming context also used elsewhere in other parts of your life?

If a place has not totally crap security handling they will never have your actual password stored, but instead a hash of it – essentially a long number calculated from the password which would be different for different words, and one cannot revert the calculation to deduce the word from it.

Check what happens if you click on the “forgot the password” option most places have. If they will email or send you the actual password, then definitely think twice about using their services. Anyone that actually stores vital information in clear text, when there is no need whatsoever to store it that way, is a big potential disaster.

Places with better-than-crap security will always require you to create a new password in those cases, and through a secure link. They should also send an email afterwards to notify you that the password has been changed, and send a notification when other important account information has been changed as well.
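As an added example (not code from the post or any of the companies mentioned), this is what “storing a hash, not the password” looks like in practice: each account gets its own random salt and a slow, salted key derivation, so the stored record contains nothing a “forgot password” flow could mail back, and the same password at two sites produces unrelated records. One caveat the post does not spell out: a weak or reused password can still be guessed offline from a leaked hash, which is why reuse across sites matters even when the site hashes properly.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: per-account salted PBKDF2-HMAC-SHA256 storage and verification.
# The work factor is deliberately high so offline guessing of a leaked hash is slow.
ITERATIONS = 200_000  # tune upward until one hash takes roughly 100 ms on the server


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the only thing a site should store for a password: salt + hash."""
    salt = salt or os.urandom(16)  # fresh random salt per account, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_looks_different(password: str) -> bool:
    """Two sites hashing the same password with their own salts store unrelated values,
    so a dump from one site cannot be matched against the other simply by comparing hashes."""
    site_a = make_record(password)
    site_b = make_record(password)
    return site_a["hash"] != site_b["hash"] and site_a["salt"] != site_b["salt"]


def record_leaks_plaintext(password: str, record: dict) -> bool:
    """True if the stored record contains the password itself (it never should)."""
    return password in record.values()


if __name__ == "__main__":
    # Constructed sample password; not a real credential.
    rec = make_record("correct horse battery staple")
    print(rec)
    print("login ok:", verify("correct horse battery staple", rec))
    print("wrong pw:", verify("Correct horse battery staple", rec))
    print("different per site:", same_password_looks_different("hunter2"))
```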

In a gaming context, account identities should really also be different from anything that is shown in public: character names, in-game IDs, forum names etc. I think Cryptic screwed up a bit when they by default had account names and global in-game IDs be the same. Using email addresses as account names is not ideal either IMHO, at least not when other vital information may be stored in the account information.

It is good to see that two-factor authentication is being used in some places (e.g. the Rift authenticator). It will not help if someone manages to break through to a company’s servers, but at least someone will not be able to log in using information taken from some other place, or simply get in through brute force if you have a bad password. I really hope more places start to use this, at the very least as an option.

In a market with an increasing number of online games, F2P games to try out etc., we tend to leave digital footprints in more and more places, and we should think about what kind of prints we leave behind in each of them.

Categories: Other
  1. May 3, 2011 at 21:06

    Getting my WoW account hacked last year forced me to seriously reconsider my account security. None of my important passwords are variations of each other any more now, and I use letters, numbers, and shift-key symbols any time I can. I do still use the same password across a lot of different MMOs, but that’s mainly because I jump around a lot and have a hard time remembering old passwords (what would I have used a year ago?). Obviously, that too needs to change.

    As an aside, how great would it be if there was something like the WoW authenticator that you could use for multiple MMOs? So far only Rift has anything similar, and you need to be able to get text messages to use it.

  2. May 3, 2011 at 22:05

    Yes, jumping around causes problems since you will inevitably re-use something you have used before. I have started to throw out pretty much all of my “old” passwords and use completely new ones not used before and only use those for a period of time. At least any old data encountered by someone would not be usable if they could match identities from different places.

    That was also one of the disturbing things about the more recent SOE news – there was some old no longer used data still around somewhere on their premises (from 2007). Not used by them perhaps, but may still be vital information that some users still are using today.

    Why would you need to receive text messages for the Rift authenticator? It is just an application running on your smartphone, a digital version of the physical authenticators used in a number of places.

    • May 3, 2011 at 22:42

      My mistake. I don’t have a smartphone, so I haven’t been paying close attention to it (I use a very simple cell phone with text messaging shut off).

  3. Tesh
    May 4, 2011 at 21:26

    I don’t remember who wrote it, but it was suggested that the time is long past to simply lie to most companies. If they cannot be trusted with your information, why give them useful information?

    • May 5, 2011 at 17:01

      Quite true. Although I have usually been truthful so far, I tend to keep the information I provide to a minimum – if something is optional I generally do not provide the info.
