Having been an Online Architect brought in for a couple of major EA projects (other than this one) I can tell you that they have a very robust and secure centralized user account system available.
The problem comes when you have so many different game teams with varying experience in online security that are allowed to basically implement it as they see fit, and basically "proxy" the account generation/creation process to that centralized user account system. While the underlying system is very capable, the individual game team's end-user offering can be less than optimal, shall we say.
This particular password issue is not an EA-wide thing, to be sure.
As an end user, I could not care less about how robust the underlying architecture is or who inside the EA hierarchy is screwing things up. Bottomline is, weak passwords are being stored as unsalted md5 hashes, which is problematic.
Even better somewhere in the EA/BFBC2 account creation process it _allows_ you to use special chars, but when you actually login via the game it fails with a useless error message ("Unable to login. Please try again."), leaving you clueless as to the reason. Googling it tells you to switch of your firewall etc.
Isn't this the password reset form on EA.com? I encountered it the other day as well.
Also, I wondered why EA doesn't use a form of openid via the user account. It has so many games, they all require EA logins, but as we've seen, different sites have different (often bad) implementations. A one-click EA openid would work wonders.
Someone heard "must validate all input", scratched his head for a while going about how to validate the password field, and thus came up with some artificial limitations? If so, it's a huge misconception about what it means to "validate" data. If not, someone's just really stupid.
This goes into the same category as validating email addresses (just go ahead and send the confirmation email and watch me not replying in case I entered a bad address, instead of complaining I can't use plus or some other allowed character in it) or my phone number (if you're picky about formatting I can already give you 01234567890 if I want so just let me, in the first place, type in a nicely formatted "+44-123 4567890" or something that I like) or asking me to provide something twice (I'll just copypaste from the first field, thanks; would be more useful if you just printed a confirmation of what I wrote onto the next page).
asking me to provide something twice (I'll just copypaste from the first field, thanks; would be more useful if you just printed a confirmation of what I wrote onto the next page).
Asking for something (normally a password or email) twice is for your benefit -- to guard against typos. There are many typos you might miss visual confirmation of, I'm fairly certain the type-twice method is a sound one.
Unfortunately the silent limits of the password fields are very prevalent.
I found out the hard way after I'd started to use Keepass to generate and manage my passwords.
There are even sites that have different limits for the "Change password" and "Enter password" input fields. Eg change accepts up to 30 characters but enter accepts only 20 chars.
Obviously they don't even know why it matters.
I think the developer just silently presumed that no one would enter such long passwords.
Limits on password length smell like plain text storage. Hashes tend to make the length of the password irrelevant (although some bad implementations only look at the first n characters of the string and ignore the rest), but when you store it in a relational database row you need to come up with some arbitrary limit.
Myspace used to not check the length of passwords on signup, but would on changing password. You could log into the website with a long password, but whenever you tried to logon to the IM client (well, pidgin plugin), it would complain. It was a ten character limit I think.
The worst example that I've seen has to be the site that could only handle password per {6,12}[A-Za-z0-9] - incredible.
Oh, I remember another one that's just as annoying. This site simply chopped of your password after n characters and it never gave you any kind of warning. Took a lot of troubleshooting to find out the exact position of n.
I have an issue with att where a complex generated password was accepted as a new password, is rejected on the initial log-in page, then accepted on a subsequent "bad username / password" page. Fun and games.
I activated an ATM card once and the automated system told me for a PIN "Many of our customers are choosing their mother's birthday, please enter the month and day your mother was born."
So, out of a keyspace of 10,000, they were shoehorning most
of their users into a space of 365(366). I tried to enter something that was not a valid 4 digit date and the system rejected it. I had to call back and talk to a customer service rep to get a non-date PIN.
Can anyone explain why would you want a password longer than 16 characters? Even if it's unsalted, all lowercase letters and md5 hashed, it's impossible to bruteforce crack it. And people who use 16 character passwords are unlikely to have them all-lowercase-lettered so it's even worse for the crackers.
Sure, the 16 char limit may be arbitrary but even if you make it 50, tomorrow some outraged blogger will be complaining that he can't enter his 100-character password.
A better question is> Why WOULDN'T I want a password longer than 16 chars?
The longer the password, the more secure I feel, even if it's one day leaked as an unsalted MD5. And I don't care whether I can remember it because my password manager has effectively superseded my memory.
There is no reason to put an upper limit to the password length.
I use 16 letter or longer all lowercase passwords. They're easy to type and easy to remember. For example, my HN password might be ishouldbemoreproductive. It's hard to crack, but doesn't require finger gymnastics to enter.
Although MD5 is a little on the short side and collisions can be generated for it easily, it would still be a noteworthy breakthrough for someone to produce a primary preimage for MD5.
That's what it would take for someone to find a working password for your account given your salt and MD5 hash.
In other words, there are still no known cracking tools that can do much better than dictionary or brute force against MD5, so a very strong password is still very strong and a salted SHA-1 password would be only slightly stronger.
Long, random strings with weird characters are unlikely to be in any md5 dictionary, so you'd have to bruteforce it. MD5 is a fast algo so that shouldn't take long for short passwords, but it does provide some security. If you've chosen a strong password then bruteforcing isn't a concern, so the fact they <s>hashed instead of encrypting</s> (edit: used a weak hashing algo) won't matter.
It's better than nothing, but not much. The fact that they md5'd it at all suggests they were thinking about security, just not very hard or well.
My biggest surprise when resetting a bunch of passwords from the Sony hack was the fact that Paypal wouldn't let me use a complex password like the one in the article (no longer than 16 [or something like that] chars, no quotation marks, etc.
For another service, I would have thought that'd be okay - annoying, but okay. But a service with access to a whole bunch of my money? Not cool.
Perhaps it's changed since, but still, the fact that it once was that way is bad enough.
ASB Bank in New Zealand allows a maximum of 8 characters for your passwords. Numbers and letters only.
That's right, all that stands between you and your account details is 8 characters.
If someone tries to transfer out over ~$200 then you get a text message on your phone - IF you've enabled that service. So it's not the end of the world, but it's still pretty terrible.
Yes, but (like most banks) I dare say they'd lock your account after 3 incorrect attempts, and you'd have to unlock it out-of-band (e.g. calling their call centre).
I don't get why passwords ever have to be within a certain length, it just makes it obvious that they're not hashing it. I had to pick one between 6-10 characters (with no symbols) for my Visa securecode the other day.
The strenght(randomness), length, transfer and storage is essential. Its the product in itself here thats limited and should allow better security for its customers.
So when talking storage... go that nice looking search field in your imap interface and type "password", any results? I guess its pleasant to never feel the need to delete any mail when you can search for it. Nice collection when attackers breach due to limitations in product.
speculation: last few years, password resets have been a far bigger user hassle then compromised accounts.
obviously companies like EA will need to react to changing conditions -- which might be challenging -- educating computer-illiterate users isn't exactly a core business competency. Implementing more secure systems server-side only addresses half the issue.
Maybe the problem of website credentials could be better solved in the browser, or by the OS.
I had a similar issue a couple of days ago. reddit let me set a password that was longer than what the login box would accept. I used the email password reset instead of firing up Chrome Inspector so I don't know if it would have worked had I got rid of the maxlength attribute on the input tag.
I really wish more companies would be publicly shamed for having poor password practices.
Just the other day I tried to change my twitter password to a password that contained a space, and it was denied. Their site doesn't allow passwords with spaces.
Nice. EA aint the only ones. My online paystub system demands 6-11 characters, and alphanumeric+a few special ones. And thats sensitiveish data. Don't worry EA is not so terrible. (ok yes they are)... calling @lolsec and friends.
DEERS/RAPIDS (the DOD contractor/employee ID system, among other things) has the best restrictions EVER:
Passwords must be exactly 14 characters - no more, no less.
Passwords must contain 2 of each character type:
Caps alpha, lower alpha, symbol, number
Symbols can only be a handful, rather than anything goes.
I can beat that. For a while my timesheet software at work let us reset our passwords to something containing special characters, but sanitized the password field of the login to remove those special characters.
Backblaze enforces a limit to password length as well. Not as short as 16 characters, but still -- in Backblaze's case, we're talking about a backup of all your personal data and keys to said data.
Shameful plug for a tool I love: use Readable. It's like Readability, in that it strips all content other than the articles text and styles it to make it more readable (larger, aesthetic font), but unlike Readability (or perhaps more correctly, like Readability used to be), it's lightning fast.
[+] [-] nettdata|14 years ago|reply
The problem comes when you have so many different game teams with varying experience in online security that are allowed to basically implement it as they see fit, and basically "proxy" the account generation/creation process to that centralized user account system. While the underlying system is very capable, the individual game team's end-user offering can be less than optimal, shall we say.
This particular password issue is not an EA-wide thing, to be sure.
[+] [-] random42|14 years ago|reply
[+] [-] drinian|14 years ago|reply
[+] [-] Havoc|14 years ago|reply
[+] [-] decadentcactus|14 years ago|reply
Also, I wondered why EA doesn't use a form of openid via the user account. It has so many games, they all require EA logins, but as we've seen, different sites have different (often bad) implementations. A one-click EA openid would work wonders.
[+] [-] yuhong|14 years ago|reply
[+] [-] yason|14 years ago|reply
This goes into the same category as validating email addresses (just go ahead and send the confirmation email and watch me not replying in case I entered a bad address, instead of complaining I can't use plus or some other allowed character in it) or my phone number (if you're picky about formatting I can already give you 01234567890 if I want so just let me, in the first place, type in a nicely formatted "+44-123 4567890" or something that I like) or asking me to provide something twice (I'll just copypaste from the first field, thanks; would be more useful if you just printed a confirmation of what I wrote onto the next page).
[+] [-] killerswan|14 years ago|reply
[+] [-] starwed|14 years ago|reply
Asking for something (normally a password or email) twice is for your benefit -- to guard against typos. There are many typos you might miss visual confirmation of, I'm fairly certain the type-twice method is a sound one.
[+] [-] Revisor|14 years ago|reply
I found out the hard way after I'd started to use Keepass to generate and manage my passwords.
There are even sites that have different limits for the "Change password" and "Enter password" input fields. Eg change accepts up to 30 characters but enter accepts only 20 chars.
Obviously they don't even know why it matters.
I think the developer just silently presumed that no one would enter such long passwords.
The problem is really prevalent.
[+] [-] fmw|14 years ago|reply
[+] [-] keeperofdakeys|14 years ago|reply
[+] [-] pavel_lishin|14 years ago|reply
But they had to make a specific decision to forbid long passwords; "lazy developer" or "silent assumption" doesn't explain the extra effort.
[+] [-] arkitaip|14 years ago|reply
Oh, I remember another one that's just as annoying. This site simply chopped of your password after n characters and it never gave you any kind of warning. Took a lot of troubleshooting to find out the exact position of n.
[+] [-] gonehome|14 years ago|reply
[+] [-] Derbasti|14 years ago|reply
[+] [-] techdmn|14 years ago|reply
[+] [-] windsurfer|14 years ago|reply
* 7 to 8 characters long * Must contain at least one of each: non-capitalized letter, capitalized letter, and a number * No special characters allowed
[+] [-] zimbu668|14 years ago|reply
So, out of a keyspace of 10,000, they were shoehorning most of their users into a space of 365(366). I tried to enter something that was not a valid 4 digit date and the system rejected it. I had to call back and talk to a customer service rep to get a non-date PIN.
[+] [-] drdaeman|14 years ago|reply
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] plamenv|14 years ago|reply
Sure, the 16 char limit may be arbitrary but even if you make it 50, tomorrow some outraged blogger will be complaining that he can't enter his 100-character password.
[+] [-] Revisor|14 years ago|reply
The longer the password, the more secure I feel, even if it's one day leaked as an unsalted MD5. And I don't care whether I can remember it because my password manager has effectively superseded my memory.
There is no reason to put an upper limit to the password length.
[+] [-] tedunangst|14 years ago|reply
[+] [-] benologist|14 years ago|reply
[+] [-] marshray|14 years ago|reply
Although MD5 is a little on the short side and collisions can be generated for it easily, it would still be a noteworthy breakthrough for someone to produce a primary preimage for MD5.
That's what it would take for someone to find a working password for your account given your salt and MD5 hash.
In other words, there are still no known cracking tools that can do much better than dictionary or brute force against MD5, so a very strong password is still very strong and a salted SHA-1 password would be only slightly stronger.
[+] [-] VMG|14 years ago|reply
I shudder at the thought that this is their way of preventing SQL injections or something like that.
[+] [-] redthrowaway|14 years ago|reply
It's better than nothing, but not much. The fact that they md5'd it at all suggests they were thinking about security, just not very hard or well.
[+] [-] rdin|14 years ago|reply
http://profile.ea.com
Though it doesn't fix any of the encryption limitations that they are using.
[+] [-] redfloatplane|14 years ago|reply
For another service, I would have thought that'd be okay - annoying, but okay. But a service with access to a whole bunch of my money? Not cool.
Perhaps it's changed since, but still, the fact that it once was that way is bad enough.
[+] [-] muppetman|14 years ago|reply
That's right, all that stands between you and your account details is 8 characters.
If someone tries to transfer out over ~$200 then you get a text message on your phone - IF you've enabled that service. So it's not the end of the world, but it's still pretty terrible.
[+] [-] jlangenauer|14 years ago|reply
[+] [-] genbattle|14 years ago|reply
Good thing i'm not with ASB.
[+] [-] s00pcan|14 years ago|reply
[+] [-] pandrew|14 years ago|reply
So when talking storage... go that nice looking search field in your imap interface and type "password", any results? I guess its pleasant to never feel the need to delete any mail when you can search for it. Nice collection when attackers breach due to limitations in product.
[+] [-] dustingetz|14 years ago|reply
obviously companies like EA will need to react to changing conditions -- which might be challenging -- educating computer-illiterate users isn't exactly a core business competency. Implementing more secure systems server-side only addresses half the issue.
Maybe the problem of website credentials could be better solved in the browser, or by the OS.
[+] [-] benatkin|14 years ago|reply
[+] [-] tensafefrogs|14 years ago|reply
Just the other day I tried to change my twitter password to a password that contained a space, and it was denied. Their site doesn't allow passwords with spaces.
[+] [-] dlikhten|14 years ago|reply
[+] [-] treetrouble|14 years ago|reply
http://www.techrepublic.com/blog/security/american-express-p...
[+] [-] count|14 years ago|reply
Passwords must contain 2 of each character type:
Caps alpha, lower alpha, symbol, number
Symbols can only be a handful, rather than anything goes.
[+] [-] Symmetry|14 years ago|reply
[+] [-] erso|14 years ago|reply
[+] [-] alanh|14 years ago|reply
[+] [-] pavel_lishin|14 years ago|reply
[+] [-] beaumartinez|14 years ago|reply
http://readable.tastefulwords.com/
[+] [-] eli|14 years ago|reply
[+] [-] mikle|14 years ago|reply
Not salting though, should be against the law.