You know what they say: Those who believe in the devil do so because they believe in god, even though they blame him for their failures and misery.
Lucifer wrote: If Catholic myth is to be believed, I'm *obviously* on the side of Lucifer and his rebels
PSA: Pick good passwords, armathentication not super-secure
Re: PSA: Pick good passwords, armathentication not super-sec
- Lucifer
- Project Developer
- Posts: 8640
- Joined: Sun Aug 15, 2004 3:32 pm
- Location: Republic of Texas
Re: PSA: Pick good passwords, armathentication not super-sec
God = Hitler
Word wrote: You know what they say: Those who believe in the devil do so because they believe in god, even though they blame him for their failures and misery.
Lucifer wrote: If Catholic myth is to be believed, I'm *obviously* on the side of Lucifer and his rebels
I lose, Godwin's law.
Re: PSA: Pick good passwords, armathentication not super-sec
The server was "Unnamed Servercg ,d;". I think it's gone now. It also had a player on the players list (called "Some F**k") all day but there was nobody in.
Z-Man wrote: Oh. Right... It's probably a convenience feature on that server. The client code has to react the way it does to support a standard feature. We may have to break that.
ConVicT wrote: Not so sure about that. You should probably take your GID out of player settings altogether.
Z-Man wrote: Disable auto-login and only authenticate when you need to, on servers you trust.
I've always had auto login disabled. I just entered a server to be greeted with this:
Which server was that, by the way?
- Phytotron
- Formerly Oscilloscope
- Posts: 5041
- Joined: Thu Jun 09, 2005 10:06 pm
- Location: A site or situation, especially considered in regard to its surroundings.
Re: PSA: Pick good passwords, armathentication not super-sec
Rotten damn community.
Have you seen the series Dominion?
Lucifer wrote: Ack! Word! How dare you suggest that you might try to elevate me to some part of the Holy Trinity? WTF were you thinking? If Catholic myth is to be believed, I'm *obviously* on the side of Lucifer and his rebels, and not Yahweh and his fascist league of angels.
If we're gonna make such comparisons, I think I much prefer "Celestial Kim Jong-il."
Lucifer wrote: God = Hitler
Re: PSA: Pick good passwords, armathentication not super-sec
Play that funky complex, God-boy. ('cause of the God complex).
Re: PSA: Pick good passwords, armathentication not super-sec
I have "Unnamed Servercf.d;" that was active a couple of hours, hosted by /dev/null. That would also explain the profanity. Probably harmless.
ConVicT wrote: The server was "Unnamed Servercg ,d;". I think it's gone now. It also had a player on the players list (called "Some F**k") all day but there was nobody in.
Re: PSA: Pick good passwords, armathentication not super-sec
Source, for those who are interested.
Phytotron wrote: If we're gonna make such comparisons, I think I much prefer "Celestial Kim Jong-il."
Re: PSA: Pick good passwords, armathentication not super-sec
Yes, that was the one. I think I said Server'cg' because I could only remember the end reminded me of .cfg.
Z-Man wrote: I have "Unnamed Servercf.d;" that was active a couple of hours, hosted by /dev/null. That would also explain the profanity. Probably harmless.
ConVicT wrote: The server was "Unnamed Servercg ,d;". I think it's gone now. It also had a player on the players list (called "Some F**k") all day but there was nobody in.
Re: PSA: Pick good passwords, armathentication not super-sec
I've never logged into a tron server for just these reasons. It's been a blatantly easy hole forever. It's sad that you guys are just now realizing the results of this (I'm assuming you knew it was an issue) because someone took advantage of it.
Logging into tron does nothing useful but protect your ladder score. I don't give a **** about my ladder score, most people didn't until they could claim their own little piece of bullshitting hell.
- echo.bot
- On Lightcycle Grid
- Posts: 25
- Joined: Mon Mar 24, 2014 9:59 pm
- Location: Fairfield, IA
Re: PSA: Pick good passwords, armathentication not super-sec
I think a good future feature for servers may be to have a private key that is issued to anyone who wants to host one. Also, do not allow the end user (player) to see what ip address and port are associated with each server. This would eliminate a lot of DDoS issues.
Re: PSA: Pick good passwords, armathentication not super-sec
Servers like Happy Fun Time or Merlin's Tower can benefit from logging in too...
/dev/null wrote: I've never logged into a tron server for just these reasons. It's been a blatantly easy hole forever. It's sad that you guys are just now realizing the results of this (I'm assuming you knew it was an issue) because someone took advantage of it.
Logging into tron does nothing useful but protect your ladder score. I don't give a **** about my ladder score, most people didn't until they could claim their own little piece of bullshitting hell.
For example, your stats could potentially be automatically deleted if you do not log in (if you're a low enough level). Someone else could steal your items from logged out people, and it would be a lot harder with logged in people.
You could create another account, however, with a completely different password, at a place like lightron.org for just logging in with tron, and keep your forums account safe by never logging in.
Re: PSA: Pick good passwords, armathentication not super-sec
How will you be able to connect to a server when you don't know the address?
echo.bot wrote: Also, do not allow the end user (player) to see what ip address and port are associated with each server. This would eliminate a lot of DDoS issues.
Re: PSA: Pick good passwords, armathentication not super-sec
Jip: There are services that let you hide your real server behind powerful network infrastructure that can withstand DDoSes and filter out attacks so they don't reach you (well, provided they correctly identify them as attacks). You can already use them for your servers, you just need to set SERVER_DNS to the IP of that infrastructure or, better, a DNS name resolving to it. Costs start around $100 per month, though, so... not really an option.
Good! So we can all blame you for this mess because you did not tell us earlier.
/dev/null wrote: I've never logged into a tron server for just these reasons.
Re: PSA: Pick good passwords, armathentication not super-sec
Hash harvesting wasn't an obvious hole? It was one of the first things I thought about when it came to account security. Just tended to avoid throwing it in public to avoid talking people into trying it. Brute forcing an MD5 hash is pretty damn simple given it ain't an extremely tough password. Most people use alpha-numeric and don't go over 8 characters. GPU processing kinda lets that not be enough anymore.
Z-Man wrote: Good! So we can all blame you for this mess because you did not tell us earlier.
Still... It's not much, IMO. If someone gets your forum account, they can't do too much more than make garbage posts or log in as you. Usually a simple IP check will confirm the account to get it back to them. Rarely does that change before you care enough to say something.
Re: PSA: Pick good passwords, armathentication not super-sec
Well, we've been aware of it for a bit; my secret plan was to add a better mechanism into 0.4... With the negative free time I have right now, the delay turned out to be too much. Back when the authentication was implemented, or even further back when the basic client/game server protocol was created (around 2001ish), rainbow tables were the state of the art when it came to reversing hashes. Salt and nonce kill those. And you have to compare the security to the basic phpBB security, where the password goes over the net in plaintext so everyone on your LAN can read it and where (as of phpBB 2) it's stored as a plain MD5 hash.
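The contrast drawn in the last two posts (bare MD5 storage as in phpBB 2, which a precomputed table recovers instantly, versus a per-account salt plus a per-login nonce) as an added example that is not code from the Armagetron project or from anyone in the thread. The challenge-response scheme is a simplified stand-in for the real armathentication protocol, not its wire format, and the wordlist and salt are constructed.

```python
import hashlib
import hmac
import os


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# phpBB 2 style storage as described in the thread: the bare MD5 of the password.
def store_plain(password: str) -> str:
    return md5hex(password.encode())


# Salted storage: a random per-account salt is mixed in, so one precomputed
# table cannot be reused against every account.
def store_salted(password: str, salt: bytes) -> str:
    return md5hex(salt + password.encode())


# A precomputed hash -> password table over a constructed wordlist stands in
# for a rainbow table; real tables simply cover far more candidates.
WORDLIST = ["tron", "lightcycle", "grid2014", "password"]
TABLE = {store_plain(word): word for word in WORDLIST}


def table_lookup(stored_hash: str):
    """Return the password if the stored hash appears in the precomputed table."""
    return TABLE.get(stored_hash)


# Simplified challenge-response (assumed, not the real armathentication format):
# the server issues a fresh nonce and the client proves it knows the stored hash
# without sending the password or the hash itself over the wire.
def new_nonce() -> bytes:
    return os.urandom(16)


def client_proof(stored_hash: str, nonce: bytes) -> str:
    return md5hex(stored_hash.encode() + nonce)


def server_verify(stored_hash: str, nonce: bytes, proof: str) -> bool:
    # Constant-time compare; a proof captured under one nonce fails on the next.
    return hmac.compare_digest(client_proof(stored_hash, nonce), proof)


if __name__ == "__main__":
    h = store_plain("grid2014")
    print("plain MD5 recovered from table:", table_lookup(h))
    print("salted MD5 found in table:", table_lookup(store_salted("grid2014", os.urandom(8))))
    nonce = new_nonce()
    proof = client_proof(h, nonce)
    print("fresh proof accepted:", server_verify(h, nonce, proof))
    print("replayed proof on a new nonce accepted:", server_verify(h, new_nonce(), proof))
```

The salt defeats table reuse and the nonce defeats replay, but a proof harvested by a hostile server can still be guessed offline when the password is short, which is exactly why the thread's PSA is to pick good passwords.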