  1. #141
    Brown Recluse
    Sweaty Dick Punching Enthusiast

    Join Date
    May 2006
    Posts
    28,148
    BG Level
    10
    FFXI Server
    Unicorn

    SE probably made the time limit that long so the Dumb Round Eyes have time to input the code.

  2. #142
    Cerberus
    Join Date
    Jul 2005
    Posts
    479
    BG Level
    4

    Holy fuck you people are paranoid.

    30 minutes isn't that unusual ... it's a configurable option on the server side, and unless you work at the NSA, it's perfectly acceptable. Your keyfob can't keep perfect time, so it's important that a range of time is acceptable otherwise if the clocks end up being separated by more than 30 seconds, you won't be able to log in, and you'll have to bug customer support to reset things. It's true that in most corporations this is set lower (I've used 5 minutes in the past), but when you're potentially supporting up to a few hundred thousand of these things, the tiny incremental benefits that a shorter period of validity bring are dwarfed by the dramatically increased costs of supporting those tokens which end up too far out of sync to log in.

    Besides, unless someone discovers a real flaw in the token system (the getting logged off even without a one-time password thing is awesome!), RMT are going to spend their time hacking unprotected accounts rather than wasting massive amounts of time trying to break in to your protected account, even if the number of valid codes is higher than you originally anticipated.

  3. #143
    New Merits
    Join Date
    Dec 2006
    Posts
    200
    BG Level
    4
    FFXI Server
    Odin

    Paranoid or not, some of us want to understand exactly what's going on with the "security" system and what the account thieves can do to get around it.

    If 5 failed password attempts locks them (and you) out of your account for 10 minutes, but they can still try another account, who is inconvenienced? It's not the RMT.

    If it's trivial to block IPs that fail to log into many accounts in a short period of time, but we're still talking about SE, will anything really happen? We are not talking about a company with a track record of thinking processes through, or implementing anything well on their first attempt.

  4. #144
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,065
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    Leave it to Sykes to let me know I'm an idiot

  5. #145
    The Syrup To Waffles's Waffle
    Join Date
    Jun 2007
    Posts
    5,045
    BG Level
    8
    FFXIV Character
    Cair Bear
    FFXIV Server
    Excalibur
    FFXI Server
    Fenrir

  6. #146
    Failed Sex Ed
    Join Date
    Aug 2007
    Posts
    2,391
    BG Level
    7

    Quote Originally Posted by mackerel View Post
    Does it lock your account for 15 minutes, or lock attempts on any account from that computer for 15 minutes?
    No idea, but whenever it locks you out of logging into pol, it also locks you out of the website as well. I don't know how much that answers your question.

  7. #147
    Cerberus
    Join Date
    Nov 2005
    Posts
    447
    BG Level
    4

    Wouldn't the simple solution be for the server to re-synchronize time with the keyfob when you enter a valid code? How do you think the keyless entry on your car works?

    Server maintains a valid range of passwords; when the server receives a password within the valid range, the server re-syncs to the time of the valid password, and the server generates a new valid range of passwords based off the most recently re-sync'd time.

  8. #148
    YOU ARE SEARED
    Dungeon Master of the House of Weave

    Join Date
    May 2007
    Posts
    4,453
    BG Level
    7
    WoW Realm
    Kilrogg

    I know the keyfob is just a dumb terminal, has no communications with anything whatsoever. However, this

    Quote Originally Posted by Spekkio View Post
    i highly doubt that the server is constantly generating the codes and logging them through a sliding window. figure 50,000 accounts every 40 seconds and that's a lot of chugging. instead, when you login, it generates F(T), F(T-30), F(T-60), etc. and sees if any of the elements of that list match the key you submitted.
    still doesn't answer my question.

    Assuming it does work like this (which is logical, I agree), consider a case where the server works backwards to a code that would have been generated by the keyfob during the 15 minute lockout period. Does the server consider that password valid or not? That is my question. If not, and the first/only passwords that are valid are ones outside lockouts, then brute force attacks would simply be a total nonissue.

  9. #149
    Cerberus
    Join Date
    Jul 2005
    Posts
    479
    BG Level
    4

    Quote Originally Posted by klvino View Post
    Wouldn't the simple solution be for the server to re-synchronize time with the keyfob when you enter a valid code? How do you think the keyless entry on your car works?
    That's exactly how it works. The question is how much time variation is acceptable. If I know that all of my users will use the keyfob almost every day, then allowing for a minimal amount of time drift (say, less than 5 minutes) is perfectly fine because, under normal circumstances, the token should only drift a small amount between logins.

    With an MMO like FFXI, the time between logins can be significantly longer. While the majority of users will log in every day, some will occasionally go months between logins (I know I have ... more than once). The additional security that shorter periods of validity provide is minimal to start with, so I understand SE's decision in this case.

  10. #150
    Failed Sex Ed
    Join Date
    Aug 2007
    Posts
    2,391
    BG Level
    7

    Square Enix Account Management System
    -------------------------------------------------------

    Thank you for using the Square Enix Account Management System.
    This e-mail has been automatically sent by the Square Enix Account Management System because there have been several failed attempts to enter the one-time password for your account.

    If you have not been attempting to log in, it is possible that these actions were performed by an unauthorized third party and we highly recommend changing your Square Enix password and heightening the security on your computer.

    Your Square Enix password can be changed by selecting "Update Square Enix Account Information" and then "Update Password" after logging in to the Square Enix Account Management System.

    Thank you for using Square Enix.

    *Due to security risks, if login verification fails multiple times in a row, the associated account will be inaccessible for several minutes. During this time frame, you will not be able to log in, even if you enter the correct Square Enix ID, Square Enix password, and one-time password.
    If a login restriction message is displayed, please wait a short while before trying again.

    -------------------------------------------------------
    Please forward your inquiries regarding the content of this e-mail to the Square Enix Information Center.

    Please wait ...
    -------------------------------------------------------

  11. #151
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,065
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    Well that's a nice little feature!

  12. #152
    E. Body
    Join Date
    Mar 2006
    Posts
    2,333
    BG Level
    7

    i agree. you could even create a filter or a monitor for your mail account to set off the klaxons when an email like that comes thru. what a delightful and unexpected feature.

  13. #153
    assburgers
    Join Date
    Mar 2007
    Posts
    10,925
    BG Level
    9

    *falls to his knees weeping mantears over Araelus using Star Trek so well*

  14. #154
    Canada
    Join Date
    Oct 2006
    Posts
    1,482
    BG Level
    6
    FFXIV Character
    Mlle Skjie
    FFXIV Server
    Hyperion
    FFXI Server
    Sylph
    WoW Realm
    Madoran

    Quote Originally Posted by shaddix View Post
    Square Enix Account Management System
    -------------------------------------------------------

    Thank you for using the Square Enix Account Management System.
    This e-mail has been automatically sent by the Square Enix Account Management System because there have been several failed attempts to enter the one-time password for your account.

    If you have not been attempting to log in, it is possible that these actions were performed by an unauthorized third party and we highly recommend changing your Square Enix password and heightening the security on your computer.

    Your Square Enix password can be changed by selecting "Update Square Enix Account Information" and then "Update Password" after logging in to the Square Enix Account Management System.

    Thank you for using Square Enix.

    *Due to security risks, if login verification fails multiple times in a row, the associated account will be inaccessible for several minutes. During this time frame, you will not be able to log in, even if you enter the correct Square Enix ID, Square Enix password, and one-time password.
    If a login restriction message is displayed, please wait a short while before trying again.

    -------------------------------------------------------
    Please forward your inquiries regarding the content of this e-mail to the Square Enix Information Center.

    Please wait ...
    -------------------------------------------------------
    For the next page. Definitely nice, I get my email all forwarded to my blackberry.

  15. #155
    Puppetmaster
    Join Date
    Feb 2007
    Posts
    53
    BG Level
    2
    FFXI Server
    Sylph

    Quote Originally Posted by Araelus View Post
    Reminds me of

    http://badblue.com/temp/080410-st-opening-shot.jpg
    A badly garbled distress call was just received.

    http://badblue.com/temp/090216-st-spock-sensor.jpg
    Captain, computer scanning recognized the location ZZ9 Plural Z Alpha ... then we lost the signal...

    http://badblue.com/temp/090216-st-starfield.jpg
    Our sensors show this entire region has been destroyed.

    http://badblue.com/temp/090216-st-kirk.jpg
    That's. Incredible.

    http://img21.imageshack.us/img21/165...sabledship.jpg
    The signal appears to be coming from a small object of unknown origin, made up of high density polyethylene and thermoplastic carbonate groups.

    http://badblue.com/temp/090216-st-spock.jpg
    Readings are difficult due to subspace interference, but the object has taken heavy damage and remains functional. It may be related to the Twentieth-Century phenomenon known as "RMT-PWNER".

    http://badblue.com/temp/090216-st-kirk-alert.jpg
    RMT? Not that. It might. Be. Hostile to. Us.

    http://badblue.com/temp/090216-st-sp...or-serious.jpg
    Sir... sensors indicate the device is generating random numbers at a geometrically increasing frequency.

    http://badblue.com/temp/090216-st-sulu.jpg
    Captain! The number refresh rate has increased to maximum!

    http://badblue.com/temp/090216-st-battle-stations.jpg
    Number stream has resolved to a visual data transmission.

    http://badblue.com/temp/090216-st-decker3.jpg
    MY ACCOUNT THEY HACKED MY ACCOUNT I HAD NINURTA'S SASH TOO

    http://badblue.com/temp/090216-st-kirk-2.jpg
    Did you call the. Help. Desk or a. GM?

    --
    The SEA page says passwords are supposed to no longer work after 30 seconds, so this is not working as planned.
    LOL. Sooooo well-played.

  16. #156
    Day
    IMPERIAL CONCUBINE OF ME
    Coolest Monkey In The Jungle

    Join Date
    Sep 2007
    Posts
    21,547
    BG Level
    10

    Don't think you needed to quote the whole thing... but I agree.

  17. #157
    YOU ARE SEARED
    Dungeon Master of the House of Weave

    Join Date
    May 2007
    Posts
    4,453
    BG Level
    7
    WoW Realm
    Kilrogg

    Quote Originally Posted by shaddix View Post
    Square Enix Account Management System
    -------------------------------------------------------

    Thank you for using the Square Enix Account Management System.
    This e-mail has been automatically sent by the Square Enix Account Management System because there have been several failed attempts to enter the one-time password for your account.

    If you have not been attempting to log in, it is possible that these actions were performed by an unauthorized third party and we highly recommend changing your Square Enix password and heightening the security on your computer.

    Your Square Enix password can be changed by selecting "Update Square Enix Account Information" and then "Update Password" after logging in to the Square Enix Account Management System.

    Thank you for using Square Enix.

    *Due to security risks, if login verification fails multiple times in a row, the associated account will be inaccessible for several minutes. During this time frame, you will not be able to log in, even if you enter the correct Square Enix ID, Square Enix password, and one-time password.
    If a login restriction message is displayed, please wait a short while before trying again.

    -------------------------------------------------------
    Please forward your inquiries regarding the content of this e-mail to the Square Enix Information Center.

    Please wait ...
    -------------------------------------------------------
    Nicely done, this definitely makes things better. Set up SMS alerts that only go off when you get one of these and you can be aware of bogus logins just about anywhere.

  18. #158
    Puppetmaster
    Join Date
    Feb 2007
    Posts
    53
    BG Level
    2
    FFXI Server
    Sylph

    Quote Originally Posted by Day View Post
    Don't think you needed to quote the whole thing... but I agree.
    The awesomeness of Star Trek + the token discussion overwhelmed me and I had no choice in the matter. ; ;

  19. #159
    An exploitable mess of a card game
    Join Date
    Sep 2008
    Posts
    13,197
    BG Level
    9
    FFXIV Character
    Gouka Mekkyaku
    FFXIV Server
    Gilgamesh
    FFXI Server
    Diabolos

    My token seems to be working fine. I clicked it once to log in, and when my character was fully logged in (On the screen and all), I checked again. It displayed a different PW.

  20. #160
    Ridill
    Join Date
    Oct 2005
    Posts
    10,210
    BG Level
    9
    FFXI Server
    Asura

    Quote Originally Posted by Yugl View Post
    My token seems to be working fine. I clicked it once to log in, and when my character was fully logged in (On the screen and all), I checked again. It displayed a different PW.
    That's not quite the problem. There is no communication between the token and anything else.

    Try this:

    Press the button on your token. Note the number.
    Press the button again. The display turns off.
    Press the button again. The display comes on again, and shows you the same number.

    You can keep pressing the button again and again, and you'll see the same number for approximately 40 seconds.

    So wait a little bit, and then...

    Press the button on your token. Note the number has changed. This number will now keep showing up every time you press the button, until approximately 40 more seconds have passed, then another number will start showing up.

    Now, it doesn't matter if you pressed the button or not, that password that appeared during those 40 seconds will work whether you pressed the button to see it or not.

    What's going on is this:

    The tokens count the number of seconds from some point in time, call it time zero. The SE servers also keep track of this time.

    When you press the button, the token notes that, say, 780112 seconds have passed since time zero. It divides this number by 40 and rounds it down (19502), and uses it in a secret algorithm to derive a 6 digit number. Now, if you wait 5 seconds and press the button again, 780117 seconds will have passed, but when it divides it by 40 and rounds it down, it's still 19502. A few seconds later, however, and it'll get 19503.

    Now, the 6 digit password it creates for 19502 is different than the password it creates for 19503. Hence, every 40 seconds or so, you get a different number.

    The SE server knows what password to expect because, like your token, it also counts how many seconds have passed since time zero and uses the same algorithm to figure out the 6 digit password. And if it's a few seconds off, it doesn't matter. If your token thinks 780112 seconds have passed, but the SE servers think 780117 seconds have passed, they both generate the same password as demonstrated above.

    The meat of the matter is that the code you got when pressing the button at 780112 seconds will still work up to 27 minutes later, when you'll have gone through quite a few codes (a new one every 40 seconds). If you keep pressing the button every 40 seconds and write down every code you get for 27 minutes, any single one of those codes will work at the end of that time. However the earliest one you wrote down will expire, and be replaced by the newest one every 40 seconds.

    However, when you finally do log in, all codes prior to the current time will become invalid. So at that point, all those codes you wrote down will no longer work, even if they are less than 27 minutes old.
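
The scheme described in post #160 (40-second steps, roughly 27 minutes of older codes still accepted, older codes invalidated on a successful login), together with the resync idea from posts #147 and #149, as an added example that is not part of the thread and is not SE's code. Assumptions: HMAC-SHA1 with RFC 4226 truncation stands in for the token's secret algorithm, the look-back is 40 steps, the just-used code is also rejected on replay, and `Verifier`, `counter_at`, `code_for` and `accepted_counters` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 40            # seconds per code, from the post
LOOKBACK_STEPS = 40  # 40 older codes, about 27 minutes (assumed from the post's figure)


def counter_at(seconds_since_zero: int) -> int:
    """Divide by 40 and round down: 780112 -> 19502."""
    return seconds_since_zero // STEP


def code_for(secret: bytes, counter: int) -> str:
    """Assumed stand-in for the token's secret algorithm (RFC 4226 truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Verifier:
    """Server-side state for one account (hypothetical class)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.floor = 0  # lowest counter that is still acceptable

    def accepted_counters(self, server_seconds: int) -> range:
        """Counters whose codes would be accepted at this server time."""
        now = counter_at(server_seconds)
        return range(max(now - LOOKBACK_STEPS, self.floor), now + 1)

    def verify(self, submitted: str, server_seconds: int) -> bool:
        if not (len(submitted) == 6 and submitted.isascii() and submitted.isdigit()):
            return False
        now = counter_at(server_seconds)
        # Generate F(T), F(T-1), ... on demand and compare, newest first.
        for counter in reversed(self.accepted_counters(server_seconds)):
            if hmac.compare_digest(code_for(self.secret, counter), submitted):
                # Successful login: every code older than the current step
                # stops working, and the code just used cannot be replayed.
                self.floor = max(counter + 1, now)
                return True
        return False
```

Before any login, `len(Verifier(secret).accepted_counters(t))` is 41, which is the number of six-digit codes a blind guess can match at one instant under these assumptions; lowering `LOOKBACK_STEPS` shrinks that number at the cost of tolerating less clock drift.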
