PSA: Pick good passwords, armathentication not super-secure

What do you want to see here? Some more categories, forums, and mods? Hmm...
Word
Reverse Adjust Outside Corner Grinder
Posts: 4159
Joined: Wed Jan 07, 2009 6:13 pm

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Word » Tue Sep 01, 2015 6:50 am

Lucifer wrote:If Catholic myth is to be believed, I'm *obviously* on the side of Lucifer and his rebels
You know what they say: Those who believe in the devil do so because they believe in god, even though they blame him for their failures and misery. :P

User avatar
Lucifer
Project Developer & Local Moonshiner
Posts: 8610
Joined: Sun Aug 15, 2004 3:32 pm
Location: Republic of Texas
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Lucifer » Tue Sep 01, 2015 7:07 am

Word wrote:
Lucifer wrote:If Catholic myth is to be believed, I'm *obviously* on the side of Lucifer and his rebels
You know what they say: Those who believe in the devil do so because they believe in god, even though they blame him for their failures and misery. :P
God = Hitler

I lose, Godwins law.
Image

Be the devil's own, Lucifer's my name.
- Iron Maiden

User avatar
ConVicT
Shutout Match Winner
Posts: 1004
Joined: Fri Feb 17, 2012 2:33 am

Re: PSA: Pick good passwords, armathentication not super-sec

Post by ConVicT » Tue Sep 01, 2015 4:41 pm

Z-Man wrote:
ConVicT wrote:
Z-Man wrote: Disable auto-login and only authenticate when you need to, on servers you trust.
Not so sure about that. You should probably take your GID out of player settings altogether.
I've always had auto login disabled. I just entered a server to be greeted with this: Image
Oh. Right... It's probably a convenience feature on that server. The client code has to react the way it does to support a standard feature. We may have to break that.
Which server was that, by the way?
The server was "Unnamed Servercg ,d;". I think it's gone now. It also had a player on the players list (called "Some F**k" all day but there was nobody in.

User avatar
Phytotron
Formerly Oscilloscope
Posts: 5041
Joined: Thu Jun 09, 2005 10:06 pm
Location: A site or situation, especially considered in regard to its surroundings.
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Phytotron » Wed Sep 02, 2015 12:51 am

Rotten damn community.

Lucifer wrote:Ack! Word! How dare you suggest that you might try to elevate me to some part of the Holy Trinity? WTF were you thinking? If Catholic myth is to be believed, I'm *obviously* on the side of Lucifer and his rebels, and not Yahweh and his fascist league of angels.
Have you seen the series Dominion?
Lucifer wrote:God = Hitler
If we're gonna make such comparisons, I think I much prefer "Celestial Kim Jong-il."

User avatar
ConVicT
Shutout Match Winner
Posts: 1004
Joined: Fri Feb 17, 2012 2:33 am

Re: PSA: Pick good passwords, armathentication not super-sec

Post by ConVicT » Wed Sep 02, 2015 4:12 am

Play that funky complex, God-boy. ('cause of the God complex).

User avatar
Z-Man
God & Project Admin
Posts: 11220
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne, Jabber: [email protected]
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Z-Man » Sat Sep 05, 2015 5:43 pm

ConVicT wrote:The server was "Unnamed Servercg ,d;". I think it's gone now. It also had a player on the players list (called "Some F**k" all day but there was nobody in.
I have "Unnamed Servercf.d;" that was active a couple of hours, hosted by /dev/null. That would also explain the profanity. Probably harmless.

User avatar
sinewav
Graphic Artist
Posts: 6198
Joined: Wed Jan 23, 2008 3:37 am
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by sinewav » Sat Sep 05, 2015 7:45 pm

Phytotron wrote:If we're gonna make such comparisons, I think I much prefer "Celestial Kim Jong-il."
Source, for those who are interested.

User avatar
ConVicT
Shutout Match Winner
Posts: 1004
Joined: Fri Feb 17, 2012 2:33 am

Re: PSA: Pick good passwords, armathentication not super-sec

Post by ConVicT » Sat Sep 05, 2015 8:54 pm

Z-Man wrote:
ConVicT wrote:The server was "Unnamed Servercg ,d;". I think it's gone now. It also had a player on the players list (called "Some F**k" all day but there was nobody in.
I have "Unnamed Servercf.d;" that was active a couple of hours, hosted by /dev/null. That would also explain the profanity. Probably harmless.
Yes, that was the one. I think I said Server'cg' because I could only remember the end reminded me of .cfg.

User avatar
/dev/null
Shutout Match Winner
Posts: 820
Joined: Sat Sep 04, 2004 6:28 pm
Location: Chicago-ish

Re: PSA: Pick good passwords, armathentication not super-sec

Post by /dev/null » Mon Sep 07, 2015 2:46 am

Ive never logged into a tron server for just these reasons. Its been a blatantly easy hole forever. Its sad that you guys are just now realizing the results of this (im assuming you knew it was an issue) because someone took advantage of it.

Logging into tron does nothing useful but protect your ladder score, I dont give a **** about my ladder score, most people didnt until they could claim thier own little piece of bullshitting hell.

User avatar
echo.bot
On Lightcycle Grid
Posts: 24
Joined: Mon Mar 24, 2014 9:59 pm
Location: Fairfield, IA
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by echo.bot » Mon Sep 07, 2015 5:25 pm

I think a good future feature for servers may be to have a private key that is issued to anyone who wants to host one. Also, do not allow the end user (player) to see what ip address and port are associated with each server. This would eliminate a lot of DDoS issues. :ghost:

User avatar
aP|Nelg
Match Winner
Posts: 542
Joined: Wed Oct 22, 2014 10:22 pm
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by aP|Nelg » Mon Sep 07, 2015 11:53 pm

/dev/null wrote:Ive never logged into a tron server for just these reasons. Its been a blatantly easy hole forever. Its sad that you guys are just now realizing the results of this (im assuming you knew it was an issue) because someone took advantage of it.

Logging into tron does nothing useful but protect your ladder score, I dont give a **** about my ladder score, most people didnt until they could claim thier own little piece of bullshitting hell.
Servers like Happy Fun Time or Merlin's Tower can benefit from logging in too...

For example, your stats could potentially be automatically deleted if you do not log in (if you're a low enough level). Someone else could steal your items from logged out people, and it would be a lot harder with logged in people.

You could create another account, however, with a completely different password, at a place like lightron.org for just logging in with tron, and keep your forums account safe by never logging in.

User avatar
Jip
Round Winner
Posts: 397
Joined: Sat Sep 26, 2009 5:32 pm

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Jip » Tue Sep 08, 2015 12:43 pm

echo.bot wrote:Also, do not allow the end user (player) to see what ip address and port are associated with each server. This would eliminate a lot of DDoS issues. :ghost:
How will you be able to connect to a server when you don't know the address?

User avatar
Z-Man
God & Project Admin
Posts: 11220
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne, Jabber: [email protected]
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Z-Man » Tue Sep 08, 2015 8:33 pm

Jip: There are services that let you hide your real server behind powerful network infrastructure that can withstand DDoSes and filter out attacks so they don't reach you (well, provided they correctly identify them as attacks). You can already use them for your servers, you just need to set SERVER_DNS to the IP of that infrastructure or better, a DNS name resolving to it. Costs start around 100$ per months, though, so... not really an option.
/dev/null wrote:Ive never logged into a tron server for just these reasons.
Good! So we can all blame you for this mess because you did not tell us earlier.

User avatar
Light
Reverse Outside Corner Grinder
Posts: 1638
Joined: Thu Oct 20, 2011 2:11 pm

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Light » Tue Sep 08, 2015 8:53 pm

Z-Man wrote:Good! So we can all blame you for this mess because you did not tell us earlier.
Hash harvesting wasn't an obvious hole? It was one of the first things I thought about when it came to account security. Just tended to avoid throwing it in public to avoid talking people into trying it. Brute forcing an MD5 hash is pretty damn simple given it ain't an extremely tough password. Most people use alpha-numeric and don't go over 8 characters. GPU processing kind'a lets that not be enough anymore.

Still .. It's not much IMO. If someone gets your forum account, they can't do too much more than make garbage posts or log in as you. Usually a simple IP check will confirm the account to get it back to them. Rarely that changes before you care enough to say something.

User avatar
Z-Man
God & Project Admin
Posts: 11220
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne, Jabber: [email protected]
Contact:

Re: PSA: Pick good passwords, armathentication not super-sec

Post by Z-Man » Wed Sep 09, 2015 6:49 pm

Well, we've been aware of it for a bit, my secret plan was to add a better mechanism into 0.4... With the negative free time I have right now, the delay turned out to be too much. Back when the authentication was implemented, or even further back when the basic client/game server protocol was created (Arount 2001ish), rainbow tables where the state of the art when it came to reversing hashes. Salt and nonce kill those. And you have to compare the security to the basic PHPBB security where the password goes over the net in plaintext so everyone on your LAN can read it and where (as of phpbb 2) it's stored as a plain md5 hash.

Post Reply