PSA: Pick good passwords, armathentication not super-secure
PSA: Pick good passwords, armathentication not super-secure
The short version: Our in-game authentication mechanism is vulnerable to brute force password guessing attempts if you log in on a server controlled by a malicious admin. They can record information about your password and later try to let a program automatically guess your password with great speed. They know how the client mangles the password; all they need to do is try a lot of passwords and apply the same mangling, then compare that with the information the server collected.
Last week, we had the first *documented* case where such an attack was used to take over a forum account. There surely were previous cases, but we only got third hand knowledge of them and they might have been people tricked into using fake "/login <username> <password>" commands. Or people promising to get you to max level on HFT. The cracked password was a not entirely random two word combination.
The system can still be secure, but you need to pick a really, really good password. Here's a not too shabby suggestion as a base:
Correct the password guessing times in this comic down by a factor of 100000. That is, consider the password hash database of your authority stolen. So... better make that five words. And random improvement: Pick one or two of the words from a different language. It's important that you really pick random words and not the first words that come to your mind; then your password will be RedViolinHammerCar.
Another great source for passwords are password generators; I personally use MasterPassword. It works this way: You pick a single, reasonably good master password you can memorize. The app is locked with that password. In the app, for each site, you generate an entry. Then the program takes your master password and the site name and generates a site specific password deterministically. It's never stored, always generated on the fly. The master password also is stored nowhere, a verification hash is. Hash and master password never leave your device. Even if you lose the site database to a bad guy, it's completely worthless without your master password. Caveat: You'd think you can reconstruct the database if you know your master password... but there also is a long random salt that enters password generation (a good thing). That one you need to back up.
If you use MasterPassword, put the password length to at least 10, better 12.
As another safety precaution, if the account you now use for authentication in the game has additional important functions (Forum moderator, for example), consider using a second account for the ingame stuff. You can ask your server admins to set up aliases between the two. I ran out of email addresses to use, so I guess I'll be Sock@forums for the near future
I'll start working on a new token based authentication implementation where no exploitable information is passed over the server ASAP. It'll be in the 0.2.8 branch, at least the server side part. The client also needs to talk directly to the authority now, I'm not sure whether the 0.2.8 infrastructure is up to that without hiccups.
Take care.
=======================
Technical bits: Authentication on servers works by sending a hash of a hash of the password over the game server to the authority. The first hash is salted, that means it's not only a hash of the password, but also a per-user fixed bit of data. The second hash is nonced, that is also mixed with a random element the server chooses and also the server's IP. The hashes are not easy to invert, nobody knows yet how to do that. We knew it was crackable by brute force, but everything bar quantum encryption is. So at the time we implemented this, we all thought this was secure enough.
Unfortunately, we were wrong. In the past years, several big sites were hacked and password hash databases were stolen and published. Many of them used non-salted hashes, so only the password entered the stored hash; those can be cracked in bulk. You do this by having a good password guessing function, letting it generate lots of passwords, generating the hash from them and then comparing them to all the known password hashes. People started using dedicated hardware (GPU arrays and FPGAs) for massive parallel attacks. After each wave and each new database leak, people understood better how your average users pick their passwords. Every time, they improved their password guessing functions, found more passwords and gained even more experience. Where we stand now, machines are really, really good at guessing passwords. They know all your schemes.
"But our hashes are salted and nonced, surely that makes a difference?" You ask. Yes, it does, but only a little. Plain hashes mean that you can crack a thousand passwords as quickly as you can crack one because you can go at all of them at once. With salts or nonces, you have to crack each password individually. But if all you want is one password, you don't care about that. What makes the problem worse is that we picked the simplest and fastest hash function. That means brute force attacks can try really a lot of passwords; even if it's just CPU based, we're talking about around a hundred million password guesses per second.
Last week, we had the first *documented* case where such an attack was used to take over a forum account. There surely were previous cases, but we only got third hand knowledge of them and they might have been people tricked into using fake "/login <username> <password>" commands. Or people promising to get you to max level on HFT. The cracked password was a not entirely random two word combination.
The system can still be secure, but you need to pick a really, really good password. Here's a not too shabby suggestion as a base:
Correct the password guessing times in this comic down by a factor of 100000. That is, consider the password hash database of your authority stolen. So... better make that five words. And random improvement: Pick one or two of the words from a different language. It's important that you really pick random words and not the first words that come to your mind; then your password will be RedViolinHammerCar.
Another great source for passwords are password generators; I personally use MasterPassword. It works this way: You pick a single, reasonably good master password you can memorize. The app is locked with that password. In the app, for each site, you generate an entry. Then the program takes your master password and the site name and generates a site specific password deterministically. It's never stored, always generated on the fly. The master password also is stored nowhere, a verification hash is. Hash and master password never leave your device. Even if you lose the site database to a bad guy, it's completely worthless without your master password. Caveat: You'd think you can reconstruct the database if you know your master password... but there also is a long random salt that enters password generation (a good thing). That one you need to back up.
If you use MasterPassword, put the password length to at least 10, better 12.
As another safety precaution, if the account you now use for authentication in the game has additional important functions (Forum moderator, for example), consider using a second account for the ingame stuff. You can ask your server admins to set up aliases between the two. I ran out of email addresses to use, so I guess I'll be Sock@forums for the near future
I'll start working on a new token based authentication implementation where no exploitable information is passed over the server ASAP. It'll be in the 0.2.8 branch, at least the server side part. The client also needs to talk directly to the authority now, I'm not sure whether the 0.2.8 infrastructure is up to that without hiccups.
Take care.
=======================
Technical bits: Authentication on servers works by sending a hash of a hash of the password over the game server to the authority. The first hash is salted, that means it's not only a hash of the password, but also a per-user fixed bit of data. The second hash is nonced, that is also mixed with a random element the server chooses and also the server's IP. The hashes are not easy to invert, nobody knows yet how to do that. We knew it was crackable by brute force, but everything bar quantum encryption is. So at the time we implemented this, we all thought this was secure enough.
Unfortunately, we were wrong. In the past years, several big sites were hacked and password hash databases were stolen and published. Many of them used non-salted hashes, so only the password entered the stored hash; those can be cracked in bulk. You do this by having a good password guessing function, letting it generate lots of passwords, generating the hash from them and then comparing them to all the known password hashes. People started using dedicated hardware (GPU arrays and FPGAs) for massive parallel attacks. After each wave and each new database leak, people understood better how your average users pick their passwords. Every time, they improved their password guessing functions, found more passwords and gained even more experience. Where we stand now, machines are really, really good at guessing passwords. They know all your schemes.
"But our hashes are salted and nonced, surely that makes a difference?" You ask. Yes, it does, but only a little. Plain hashes mean that you can crack a thousand passwords as quickly as you can crack one because you can go at all of them at once. With salts or nonces, you have to crack each password individually. But if all you want is one password, you don't care about that. What makes the problem worse is that we picked the simplest and fastest hash function. That means brute force attacks can try really a lot of passwords; even if it's just CPU based, we're talking about around a hundred million password guesses per second.
Re: PSA: Pick good passwords, armathentication not super-sec
Thanks for the warning.
I was wondering when this will become a topic. Are there any plans for the future to provide a more secure mechanism? Of
course this would need an update of the forums software aswell. But I think it would be a necesary step for the future. We cannot make it impossible to do brute force attacks but we can make them a lot harder.
I was wondering when this will become a topic. Are there any plans for the future to provide a more secure mechanism? Of
course this would need an update of the forums software aswell. But I think it would be a necesary step for the future. We cannot make it impossible to do brute force attacks but we can make them a lot harder.
- kyle
- Reverse Outside Corner Grinder
- Posts: 1876
- Joined: Thu Jun 08, 2006 3:33 pm
- Location: Indiana, USA, Earth, Milky Way Galaxy, Universe, Multiverse
- Contact:
Re: PSA: Pick good passwords, armathentication not super-sec
Fist of all, thanks z-man for pointing this out and planning to implement something better. I'll probably post something a little more in depth in a few days, but I do want to mention that there is a possibility that a long password can be easy to guess also. In the case that the hashes collide when a weaker, shorter password is used. I just recently randomly typed something for one of my passwords (not tron related), because I did not want to authenticate when I was testing something. It happened to be something that collided with my password hash and I was authenticated. So I know a collision can happen between a weaker/ shorter password and a longer password. Now if the forms are smart they will probably use some different hashing method for the form login vs the forum password, so that theses collisions will not be the same, therefor requiring them to find the longer password.
Re: PSA: Pick good passwords, armathentication not super-sec
Also, resist the temptation to change your forums password to RedViolinHammerCar. I really, really want to do that, but instead I'm naming my next 4-song EP RedViolinHammerCar, which naturally is the name of all the songs in order.
Re: PSA: Pick good passwords, armathentication not super-sec
Good to see quick disclosure and hopefully a fairly quick fix of this issue, thanks.
Playing since December 2006
Re: PSA: Pick good passwords, armathentication not super-sec
Yup, I was going to suggest just that. It would be cool if you can still use your shorter forum password in trusted servers though.kyle wrote:Now if the forms are smart they will probably use some different hashing method for the form login vs the forum password, so that theses collisions will not be the same, therefor requiring them to find the longer password.
Re: PSA: Pick good passwords, armathentication not super-sec
Z-Man wrote:It's important that you really pick random words and not the first words that come to your mind; then your password will be RedViolinHammerCar.
I actually laughed at this part. Is it, by chance, a variant of this?
Are you saying that you just typed something completely random into the tron login for your password and you were successfully authenticated due to the hash somehow becoming identical to the actual hash that would have occurred with the correct password? Wouldn't the odds be like one-in-a-trillion or something?kyle wrote:I just recently randomly typed something for one of my passwords (not tron related), because I did not want to authenticate when I was testing something. It happened to be something that collided with my password hash and I was authenticated.
"Dream as if you'll live forever,
Live as if you'll die today." -James Dean
- kyle
- Reverse Outside Corner Grinder
- Posts: 1876
- Joined: Thu Jun 08, 2006 3:33 pm
- Location: Indiana, USA, Earth, Milky Way Galaxy, Universe, Multiverse
- Contact:
Re: PSA: Pick good passwords, armathentication not super-sec
Even though not tron related, still slim odds.Ratchet wrote:Are you saying that you just typed something completely random into the tron login for your password and you were successfully authenticated due to the hash somehow becoming identical to the actual hash that would have occurred with the correct password? Wouldn't the odds be like one-in-a-trillion or something?kyle wrote:I just recently randomly typed something for one of my passwords (not tron related), because I did not want to authenticate when I was testing something. It happened to be something that collided with my password hash and I was authenticated.
Re: PSA: Pick good passwords, armathentication not super-sec
Another thing: don't use your global ID and password to log in to third-party web sites.
Well, unless you're ok with that site's operator handling your plaintext password.
Well, unless you're ok with that site's operator handling your plaintext password.
Re: PSA: Pick good passwords, armathentication not super-sec
Are there certain servers we should avoid logging into?
Just that I entered a server with people talking about someone stealing passwords in Ladle servers.
Just that I entered a server with people talking about someone stealing passwords in Ladle servers.
Re: PSA: Pick good passwords, armathentication not super-sec
Wasn't really quick. We knew about the weakness for a while now, but those blasted time constraints prevented us from doing anything about it. Disclosure was delayed because it always also helps the bad guys, but I guess we don't need to worry about that any more.Monkey wrote:Good to see quick disclosure and hopefully a fairly quick fix of this issue, thanks.
Yes. I learned about it when reading about a magic mind reading trick for children waaay back. I never verified whether it's true (the 2% figure in that image seems low), but what definitely is true is that our brains are very bad at randomness.Ratchet wrote:I actually laughed at this part. Is it, by chance, a variant of this?
That is rather unlikely to happen even with the current system. Sure, there are bound to be colliding passwords, but if they're shorter than your actual password, your password must be very good.kyle wrote:I just recently randomly typed something for one of my passwords (not tron related), because I did not want to authenticate when I was testing something. It happened to be something that collided with my password hash and I was authenticated.
Re: PSA: Pick good passwords, armathentication not super-sec
I'll take this as either you don't know the answer to my questions and/or you're just ignorant and don't care to answer.
This is where I end up agreeing with people like Durf.
I have a question... You (as a dev/moderator) have completely ignored me, making my questions and opinions look irrelevant.
That right there was a serious question from me.
Thanks (you as a dev and moderator) for making my Armagetron experience feel safe and secure.
This is where I end up agreeing with people like Durf.
I have a question... You (as a dev/moderator) have completely ignored me, making my questions and opinions look irrelevant.
That right there was a serious question from me.
Thanks (you as a dev and moderator) for making my Armagetron experience feel safe and secure.
Re: PSA: Pick good passwords, armathentication not super-sec
Want to feel secure? Take the advice from this thread and construct a stronger password. It's good practice and it really shouldn't matter which server have been compromised. Protect yourself all of them, now.ConVicT wrote:Thanks (you as a dev and moderator) for making my Armagetron experience feel safe and secure.
Re: PSA: Pick good passwords, armathentication not super-sec
I get it but...sinewav wrote:Want to feel secure? Take the advice from this thread and construct a stronger password.ConVicT wrote:Thanks (you as a dev and moderator) for making my Armagetron experience feel safe and secure.
In his position, I'd have answered me if I'd know the answer, wouldn't you?
The fact of the matter is, I should have at least have gotten:
Sorry if I seem like a dick, I just can't stand ignoranceZ-Man (If he didn't know) should've wrote:I have no idea.
Re: PSA: Pick good passwords, armathentication not super-sec
He's got a valid point, Z-Man is pretty much ignoring his questions.sinewav wrote:Want to feel secure? Take the advice from this thread and construct a stronger password. It's good practice and it really shouldn't matter which server have been compromised. Protect yourself all of them, now.ConVicT wrote:Thanks (you as a dev and moderator) for making my Armagetron experience feel safe and secure.