Incorrect Access Code, Decking question
GrinderTheTroll
post Jul 16 2004, 12:08 AM
Post #1





So what kind of test/security tally hit would you give someone who attempts access with an incorrect password? It's more than likely regular users make this type of error. Maybe 0-3 points depending on Host color?

The scenario here is that runners have a login/password that's only good for one Host system or that it expires soon as they use it once. Next time they try and use it, I wasn't sure how to proceed with the security tally.

Thanks.
Necro Tech
post Jul 16 2004, 12:28 AM
Post #2





I would play it as some variation of a validate test. They think they are using a password, system bounces back. Maybe 1 pt for a minimum system test failure.
Crusher Bob
post Jul 16 2004, 03:06 AM
Post #3





Most systems will give you between 1-3 attempts to enter a password, then they lock you out for around 30 seconds, this is to prevent dictionary attacks on passwords, but still allows legitimate users to use the system quite easily.

The really secure systems will totally lock an account after a few failed logons, and you need to call an admin and have them reactivate the account.

So maybe a tally increase based on the security level of the system:
something like green: 0, orange: 1, red: 2 ? or whatever color coding decking uses these days...
Kagetenshi
post Jul 16 2004, 03:41 AM
Post #4





I'd say that it would definitely take between three and five password attempts before there's a lockout for anyone who isn't being paid massively to do things like never ever mistype their password. Even in high-security environments there should be two attempts almost all of the time.

Edit: the same number before there's any security tally response, too.

~J
BitBasher
post Jul 16 2004, 03:47 AM
Post #5





Remember though, if you try a test and it fails, there's a cumulative +2 the next time you try the same test that adds up each time you fail.
FlakJacket
post Jul 16 2004, 03:54 AM
Post #6





QUOTE (Kagetenshi @ Jul 16 2004, 03:41 AM)
Even in high-security environments there should be two attempts almost all of the time.

Perhaps a stepped security trigger? Something along the lines of the first time you get it wrong it gives you a warning, the second time it gives you another warning and also prompts security that there might be something amiss, and the third time you get it wrong it goes into lockdown. That'd be more for the high security stuff though.
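
The lockout behaviour described in posts #3 and #6 (a few tries, a 30-second pause or a hard lock that needs an admin, with security notified on the second miss), sketched as an added example that is not part of the thread. The class, method and field names are hypothetical and the thresholds are taken from the posts.

```python
# Added illustration; thresholds follow posts #3 and #6, all names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Account:
    failures: int = 0
    locked_until: float = 0.0   # end of a temporary lockout (seconds)
    disabled: bool = False      # hard lock that only an admin clears
    alerts: list = field(default_factory=list)

class StepPolicy:
    def __init__(self, max_tries=3, pause=30.0, hard_lock=False):
        self.max_tries, self.pause, self.hard_lock = max_tries, pause, hard_lock
        self.accounts = {}

    def attempt(self, user, password_ok, now):
        acct = self.accounts.setdefault(user, Account())
        if acct.disabled:
            return "disabled"
        if now < acct.locked_until:
            return "locked"      # refused without evaluating the password
        if password_ok:
            acct.failures = 0    # a good logon clears the counter
            return "ok"
        acct.failures += 1
        if acct.failures == self.max_tries - 1:
            # second miss: warn the user and also notify security
            acct.alerts.append((now, user, "repeated failures"))
        if acct.failures >= self.max_tries:
            acct.failures = 0
            if self.hard_lock:   # "call an admin" variant
                acct.disabled = True
                return "disabled"
            acct.locked_until = now + self.pause
            return "locked"
        return "warn"

    def admin_reactivate(self, user):
        self.accounts[user] = Account()

def run(policy, user, events):
    """events: (timestamp, password_ok) pairs; returns the response to each."""
    return [policy.attempt(user, ok, t) for t, ok in events]
```

A correct password entered during the pause is still refused, so the cost to a user who mistypes three times is the 30-second wait.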
Necro Tech
post Jul 16 2004, 03:59 AM
Post #7





You might just want to not tell them that their password is wrong. Access to hosts in 2064 is just a matter of carrying the right ID number like a wristband at the club. Your deck is literally hardwired with the codes (if on site) or you carry the software the same way. No one really uses passwords anymore, just varying levels of privilege. Your chipset doesn't have it and you rack up a security tally. Legal users never worry about it. If the decker can get superuser access he can perform any system test automatically.
Firewall
post Jul 16 2004, 09:06 AM
Post #8





I suppose the username/password, for a legitimate user, would be determined from a list right? So a legitimate user logs in and his system discards the code once it is used, while the server can log whose code was used?

If it is supposed to be manually typed, I would say three tries. First failure returns an error message (and maybe a tracer), the second sends a tracer, the third failure triggers more aggressive IC and a system-wide alert.

If it is machine operated, such as an automatic password sending as part of the handshake, then I would give them a message that it has failed and about one matrix combat-turn to send a legitimate code (easy for a legitimate user, since their system will automatically respond to the request) before it triggers an alert and IC.

Both of these would have their place; a user memorising a password is good if the decks are used on external networks and so are vulnerable to attack, an automatic password system is good if the decks are secure (physical security like an isolated network) because the user cannot screw up too badly.

The best advice I could offer would be to run the system in your mind as a legitimate user. What is secure but still fairly uninvasive?

The server paradigm is another thing to think about. If your server feels like an office building, then the logon would be showing your security-pass (auto-generated login/password) to the donut-eating guard on the front desk (sentinel IC?) (or else keying your entry code (memorised login/password) into a numberpad) and then passing through a checkpoint (barrier IC) which may have a metal-detector (some kind of IC that checks your icon against the paradigm?).

In this one, they would show their pass the first time and walk in easily. The second time, the guard tells them that they are wearing yesterday's pass and takes it off them. A legitimate user would reach into their pocket and clip on the new pass.

The other thing I often wonder is whether you could just program IC to look at the avatar. Deckers have their custom icons, while wage-slaves tend to simply wear a corporate shell. So when a silver boy in a black cloak goes running around the building full of samurai and men in kimonos, you can assume that he is an outside decker...
Shockwave_IIc
post Jul 16 2004, 11:21 AM
Post #9





QUOTE (Firewall)
The other thing I often wonder is whether you could just program IC to look at the avatar. Deckers have their custom icons, while wage-slaves tend to simply wear a corporate shell. So when a silver boy in a black cloak goes running around the building full of samurai and men in kimonos, you can assume that he is an outside decker...

Yes I believe you can, there's a bit of talk (both shadow and rules) regarding "fitting in" with the metaphor of a particular system.
michaelius
post Jul 16 2004, 01:45 PM
Post #10





for the missing password, i would let them roll the normal Log-on test, but if they state they are using the password, all of their successes would be lost (i wouldn't tell them that, at least not right away) and i would give the system either a free detection test, or automatic successes. i agree with Necro Tech, i'm not sure there would be a three strikes you're out in the future, just because they wouldn't want to give a decker three tries to figure out the password without gaining a security tally. so, i would call it a failed Log-in attempt. if a wage slave did that, then entered the correct password the second time (if we go with three strikes), then their security tally wouldn't go up after the failed log-on, because all the stuff they're doing is legal from there (if they are legit).

those are my thoughts.
GrinderTheTroll
post Jul 16 2004, 05:12 PM
Post #11





I suppose you could say that even legitimate users "roll" their Computer Skill each time they logon (TN=2?), so the only failure (botched logon) is if they blow the roll completely (all ones). I feel this would model the logon process for legitimate users more accurately, since basic users (who would have a lower skill) would be more likely to blow a roll.

I will present my runners with these two options:

(1) If they want to use the logon information they were provided they may do so, but will require a basic computer test just to make sure they don't mess up the logon. If they realize it's not working, they will know something is up and hopefully stop using it since multiple attempts at this point would be foolish.

(2) I permit them to use Hacking Pool and Utilities if they wish (this is what a real hack is like normally) but let them know it would be like a normal attempt at an unlawful entry and would not be using the provided logon information whatever it may be.

EDIT: As a side note, I use the Security Tally as a measure of paranoia where small interval = less room for error. I think a bad logon info per my scenario will just provide Blue=0, Green=1, Orange=2 and Red=3 security tally and no +2 penalty since they really weren't actively hacking it. However, I will give the +2 if they trigger IC.

Using the 0-3 tally per legitimate logon attempt, we can model a Host that allowed infinite legitimate logon attempts (Blue), or whatever was desired dependent on Host color and how the interval was set up. This is just attempting to logon with legitimate information.


Thanks for the insights and thoughts all.
Kagetenshi
post Jul 16 2004, 09:11 PM
Post #12





I doubt that any but the most secure of systems would put up a system-wide alert for a few mistyped passwords. IC? Certainly, and maybe plenty of it, but even a Passive Alert is pushing it unless we're talking a blatant dictionary attack.

~J
mfb
post Jul 17 2004, 12:10 AM
Post #13





keep in mind that a decker is not registered as a user. as a decker, i can fake up a pretend user ID for every logon attempt. if my pretend user ID isn't good enough, the system will mark me down and start keeping an eye out for more anomalies--security tally.

in other words, roll the security value against the decker's detection factor, just as if the decker had made an actual logon attempt. because his password is wrong, though, he doesn't get to make the logon roll--he automatically gets 0 successes.

after all, it's not like normal logon attempts set off alerts after three tries.
Kagetenshi
post Jul 17 2004, 12:16 AM
Post #14





But my point is that the first few attempts, unless intrinsically suspicious in some way (like trying Damien_Knight as your login), really should not spark any reaction. You can have them roll if you want, but the security tally should not increase.

~J
mfb
post Jul 17 2004, 12:18 AM
Post #15





why not? it does when you roll badly on a normal logon. and that's what this is, basically--a normal logon, which happens to be doomed to failure. if you're going to mess with Matrix stuff to make it more realistic, there are better places to start than logon attempts.
Kagetenshi
post Jul 17 2004, 12:26 AM
Post #16





A normal logon is more likely to be an exploit or an entire dictionary attack (or significant portion thereof) than a single attempt at a password. Otherwise I would've sent the UMass servers into Passive Alert the other day trying to remember what I used as a password to my account there.

~J
mfb
post Jul 17 2004, 12:35 AM
Post #17





eh, point. i'd probably still roll, because otherwise my players would devise some crazy agent or something that hacks computers without ever raising security tally by simply taking a week to complete any action.

i mean, i know i would.
Kagetenshi
post Jul 17 2004, 12:38 AM
Post #18





Hey, as long as you rotate your access points, that should work. It'd probably take rather longer than a week, though…

~J
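
The gap raised in posts #17 and #18 (very slow attempts spread over rotating access points never trip a short counter), shown from the monitoring side as an added example that is not part of the thread. The event tuples, function names, windows and thresholds are assumptions, and both samples are constructed.

```python
# Added illustration; event format, names and thresholds are assumptions.
from collections import defaultdict, deque

HOUR = 3600
# Constructed sample: one failed logon every 6 hours against "jdoe",
# each from a different source (documentation range 203.0.113.0/24).
SLOW = [(i * 6 * HOUR, f"203.0.113.{i + 1}", "jdoe", False) for i in range(12)]
# Constructed sample: a user mistypes twice, then logs in.
TYPO = [(0, "198.51.100.7", "asmith", False),
        (20, "198.51.100.7", "asmith", False),
        (45, "198.51.100.7", "asmith", True)]

def flag(events, key, window, threshold):
    """Keys with at least `threshold` failures inside any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, user, ok in sorted(events):
        if ok:
            continue             # successes are ignored and never reset a counter
        q = recent[key(src, user)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(key(src, user))
    return flagged

def by_source(src, user):
    return src

def by_account(src, user):
    return user

def compare(events):
    """Short per-source window versus long per-account window."""
    return {
        "per_source_5min": flag(events, by_source, 5 * 60, 3),
        "per_account_7d": flag(events, by_account, 7 * 24 * HOUR, 10),
    }
```

On the constructed data the per-source counter flags nothing in either sample, while the week-long per-account counter flags `jdoe` and leaves the mistyping user alone.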