  1. #1
    Feolthanos
    Guest

    Security Token Issue - Not 56k Friendly

    Friend generated a one time password for me, I wrote it down. He generated a new one. He logged in and went about his business. I attempted to log into his account ten minutes later and it worked. So does that mean that the passwords don't have a temporary timer to them? So doesn't that mean that you can randomly guess at someone's "one-time password?" Here is a conversation with a GM. It's a big picture, but to cut it short, he doesn't help. He even stated he had issues with it.

    http://img5.imageshack.us/img5/9909/32549464.jpg

    So if these passwords never run out of time, and are always active until someone uses it, then isn't it a possibility to simply brute force the password? I am not saying it would be instant, but think about it. There are 6 digits to the number, starting at 000000, to 999999. That means there are 10^6 possibilities of number combinations. To give an example, if you had a two digit number starting at 00 and ending at 99; then there are 100 combinations no? To find out you times the amount of possibilities in the first digit by the amount in the following digits. The first digit can contain 0-9, as in ten numbers; the same thing occurs in the second digit. So 10 x 10 = 100 combinations. So, 6 digits = 10 x 10 x 10 x 10 x 10 x 10 or more easily written as 10^6 (One million possibilities). So either there is only one million possibilities over all of the accounts existent in FFXI and they all can only be used once (which will run out quickly). Or somehow the security token is able to generate a wireless signal and transmit it to a satellite in space which bounces back to Square Enix headquarters. Some people might say that SE and your token generate a password at the same time and when you push the button, it works for only a certain small time. But then how long does the password last for? Because if I recall, SE said it only lasted thirty seconds, but yet I just discussed with a GM that it worked for more than 10 minutes at a time. So if multiple sources are brute force hacking a PoL ID at the same time, does the token even help?

    Discuss....

  2. #2

    Honestly, this is kinda what I was thinking:

    Since there is no way for this to be an online thing to sync with anything, it's a 6 digit number randomly generated.

    If someone has your account info, and SE info (which is now stretching it, but let's just say so)
    then they can try all the combinations till they hit the right one.

    And since there was no way to verify which number was used that previous ones would still work.

    Always thought the "one-time" thing was BS.

  3. #3

    ▲▲

    Join Date
    Aug 2005
    Posts
    6,839
    BG Level
    8
    FFXIV Character
    Pikarya Saisei
    FFXIV Server
    Excalibur

    Even if they bothered with "brute-force" whatever your randomly generated password. You still have your POL and SE ID/Passwords. I seriously don't see the problem here. It's just added security.

  4. #4
    Nikkei's Hoe
    Worse than her at uno

    Join Date
    Dec 2006
    Posts
    6,235
    BG Level
    8
    FFXIV Character
    Eanae Hikari
    FFXIV Server
    Gilgamesh
    FFXI Server
    Cerberus
    WoW Realm
    Hyjal

    Your token is not networked. It has no idea of "knowing" when a password is used. If their system will let a generated password stay active until used and not kill it after x amount of time, then it's a broken system and that's not how it's supposed to work.

  5. #5
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,066
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    Quote Originally Posted by Eanae View Post
    Your token is not networked. It has no idea of "knowing" when a password is used. If their system will let a generated password stay active until used and not kill it after x amount of time, then it's a broken system and that's not how it's supposed to work.
    This is not how it's supposed to work. Your serial number is supposed to be synced to something back at SE's databases. Only one password is supposed to work at any given time. If SE does not have expiring passwords, then they are doing this wrong.

  6. #6
    Chram
    Join Date
    Aug 2007
    Posts
    2,699
    BG Level
    7
    FFXIV Character
    Nours Sruon
    FFXIV Server
    Moogle
    FFXI Server
    Fenrir

    WoW’s New Security - Authenticator | the StarOnion

    That's how it's supposed to work.

    Unless SE has set it to be something retarded like 10-30 minutes.

  7. #7
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,066
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    Quote Originally Posted by sruon View Post
    WoW’s New Security - Authenticator | the StarOnion

    That's how it's supposed to work.

    Unless SE has set it to be something retarded like 10-30 minutes.
    I'm hoping it has to do with the fact he just activated his token. I'll jerk with mine when I get it but why doesn't someone else just test this out right now?

  8. #8
    Relic Weapons
    Join Date
    Jul 2007
    Posts
    324
    BG Level
    4

    Well has anyone else tried this? If you know you're gonna log on then generate a password early and go make some lunch, take a shower or a shit and come back maybe 45 mins later? (No... a single shit shouldn't take 45 mins). See if that password still works?

  9. #9
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,066
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    Someone in my LS is in salvage now and wrote down the number that's currently on his chain. Once they get out of salvage they're gonna log out and try it. That should be enough time.

  10. #10
    Relic Weapons
    Join Date
    Jul 2007
    Posts
    324
    BG Level
    4

    Quote Originally Posted by Izzy View Post
    Someone in my LS is in salvage now and wrote down the number that's currently on his chain. Once they get out of salvage they're gonna log out and try it. That should be enough time.
    Well it won't work if that's the number he logged in with earlier (one time use). Or has he just generated a new number while in Salvage? I know you know this Izzy.... just making sure he does.

  11. #11
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,066
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    Zumi generated a code on his keychain, did salvage for another 15 mins, logged off, used the old code he generated 15 mins ago...

    ...The 15 min old code worked. WAY TO FUCK THIS ONE UP SE!

  12. #12
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,066
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    *EDIT* nevermind, the pic works.

  13. #13
    Dulek
    Guest

    Quote Originally Posted by Izzy View Post
    Zumi generated a code on his keychain, did salvage for another 15 mins, logged off, used the old code he generated 15 mins ago...

    ...The 15 min old code worked. WAY TO FUCK THIS ONE UP SE!

    Ugh, refund yes please.
    Ask in interview about this, and you will get a similar following response:
    I.E.: Will not answer your questions.
    Credit to Alma for this one:


    Ehh, it's still 'added security' but SE dropped the ball once again from executing it right from the get-go.

  14. #14

    if that's the case, have you tried just plugging a random number into the OTP field? is it possible that the check amounts to if(1) due to a programming screw up?

  15. #15
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,066
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    I made a thread in Advanced. Hopefully that'll get enough attention that SE will fix it haha.

  16. #16
    Salvage Bans
    Join Date
    Jul 2005
    Posts
    853
    BG Level
    5
    FFXIV Character
    Zumi Kasumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix

    2 passwords generated a min
    120 passwords generated an hour
    2880 passwords generated a day

    1,000,000 possible passwords

    I did the math 2880 passwords generated per day. 1,000,000 / 2,880 = 347.222

    So 347 days before every password will work. If SE doesn't fix this it's pretty useless in less than a year.

  17. #17
    Murder machine with a motor in her nose
    Join Date
    Apr 2007
    Posts
    368
    BG Level
    4
    FFXI Server
    Carbuncle

    I wonder how long until the numbers time out.

    Even if it's 30 minutes (60 numbers) that's still
    60/1 million or about 0.006% chance of guessing it.

    But, yeah, anything over a 5-ish minute timeout seems a bit excessive, doesn't it?
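
Added example, not part of the thread and not Square Enix's implementation: a time-based verifier (RFC 6238, with an assumed 30-second step) showing how the server-side acceptance window decides whether the 15-minute-old code from the posts above is rejected or accepted, and what that window does to the odds of a single blind guess. The secret, the timestamps and the names `Verifier`, `guess_probability` and `demo` are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30     # assumed seconds per code (the thread reports two codes a minute)
DIGITS = 6    # six-digit codes, so 10**6 possible values

def totp(secret: bytes, step: int) -> str:
    """RFC 6238 code for one time step (HMAC-SHA1, RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Accepts codes from the newest `valid_steps` steps, each at most once."""

    def __init__(self, secret: bytes, valid_steps: int):
        self.secret = secret
        self.valid_steps = valid_steps
        self.last_step = -1          # newest step already used for a login

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        oldest = max(current - self.valid_steps + 1, 0)
        for step in range(oldest, current + 1):
            if step <= self.last_step:
                continue             # this step, or a newer one, was already used
            if hmac.compare_digest(totp(self.secret, step), code):
                self.last_step = step
                return True
        return False

def guess_probability(valid_steps: int) -> float:
    """Upper bound on one random guess matching an accepted code."""
    return valid_steps / 10 ** DIGITS

def demo():
    secret = b"constructed-demo-secret"   # constructed sample, not a real seed
    t0 = 1_240_000_000                    # constructed login time (Unix seconds)
    old_code = totp(secret, t0 // STEP)
    later = t0 + 15 * 60                  # 15 minutes on, as in post #11
    strict = Verifier(secret, valid_steps=2).verify(old_code, later)
    lax = Verifier(secret, valid_steps=60).verify(old_code, later)
    return strict, lax

if __name__ == "__main__":
    print(demo(), guess_probability(2), guess_probability(60))
```

Because `last_step` only moves forward, a code older than the one last used for a login is refused even when it is still inside the window, which is the behaviour the first post expected and did not see.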

  18. #18
    Salvage Bans
    Join Date
    Jul 2005
    Posts
    853
    BG Level
    5
    FFXIV Character
    Zumi Kasumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix

    I wrote a new one down 15 min ago, I will test 1 hour time out when an hour is up.

  19. #19
    Relic Weapons
    Join Date
    Jul 2007
    Posts
    324
    BG Level
    4

    We need further testing Izzy to see if the code does eventually expire. Maybe after some hours? I would help but I'm in UK and nobody in Europe as far as I know has a token yet.

  20. #20
    RIDE ARMOR
    Join Date
    May 2008
    Posts
    16
    BG Level
    1
    FFXI Server
    Sylph

    2:55am (cst) right now and logging out for the night.
    I used my token and generated 2 passwords, when I log in tomorrow I'll try them both and see if they work.
