
Password change?

31 posts, 3006 views
Is there any way to change your account password? I'm feeling EXTREMELY uncomfortable having one of my strong passwords shown (and saved!) in unencrypted form by the lobby.

If there's a button for it that I'm missing please tell me, but even then it was apparently too hard to find (and others couldn't tell me either).

PS: Of course I could've just used another password, but I would've never remotely expected that ZKL (or any kind of software) would be so careless about passwords. I mean, seriously? You need to step your game up in that regard (no pun intended).
+0 / -0
11 years ago
Err, there's no email field for the lobby, so even if someone was to steal your password I am uncertain what they could do with it...
+0 / -0


11 years ago
Due to the way the infrastructure is set up (shared with other lobbies), we cannot make a password-changing application. Admins could change it manually though.
+0 / -0
Still, why does the ZKL not care about it? I really don't know a single other application that would show the password to everyone. I've come across plaintext saving, but only with warnings! The key problem here is that at the moment of choosing the password, the player doesn't know that his password is not securely saved.

@[V]ddabaeqepp: Surely my in-game name is nowhere to be found in other games. No Google search will ever return information about me. I'm completely anonymous by using a gamer tag, right? /sarcasm

And if I care about the password being visible, I apparently care about other people reading it. If those people obtained access to my PC (and plan malicious things), they'll no doubt find my email (or other crucial access stuff) before the lobby. Even if it's friends or so, I still like being the only one to know my passwords. Nobody will ever care if somebody screwed you up because of a leaked password.

Not even speaking of trojans or whatever other crap you might happen to come across in and around the internet.


But yes, I'd like to change my password. Should I contact the admins in the lobby or is there some sort of PM feature I'm missing?
+0 / -0


11 years ago
Zero-K is open source. Any security we would add (like symmetrical encryption) is a false one, because anyone could simply look at the code or slightly modify it to read your password back.

(Encrypting is basically as good as writing your password backwards and noting that on a notepad next to it..)


If some evil people who would steal your password have access to your PC, I would recommend switching to another account (we can link them together so that you retain progress from the old one).
+0 / -0

11 years ago
A lot of the best open-source projects have small closed-source sections around user security. Would it really be a bad idea to close off the password protection code?
+0 / -0
The fact is, if "evil people" have access to your computer, they can install a key logger, and then just let you type in your password for them.

Or take 5-10 minutes to hack your "strong" password composed of 8-10 values using brute force :D

:P People use "s@12tAp" as a password; a computer can hack that easily.
People that use "purple apple cerries" as a password are unhackable through brute force...

I hate to say it, but "internet security" is an absurdity because the internet isn't secure, and any determined person can hack your connection through 1009 different ways.

OK, rant over. TLDR: there is no such thing as a secure internet.
+0 / -0


11 years ago
Still, password stored as plaintext in an easily visible area is a hopelessly low bar for security. Any completely-ignorant-of-cryptography noob can steal your account that way (even if such people are likely underrepresented among the people who'd compromise your account for malicious purposes).
+0 / -0
CZrankAdminLicho: So you can easily read MD5 or other hashes and recover the original? Interesting. Also, Firefox is open source and it still manages to store my passwords in a way that can be considered secure.

@[V]ddabaeqepp: My passwords are strong enough not to get broken by some noob brute force stuff. The argument "everything can be broken with enough dedication" is not an excuse for not implementing security. Having a password saved in plaintext should never happen.
I don't want to derail this thread into a discussion of what could happen to my computer and why it would be my fault if the security of my data is compromised, so could we stop that? Yes, there are 1009 ways to obtain my passwords, but few are as easy as reading them in an application.
And at least post the xkcd link with it if you're citing it. (How many bits of entropy do you want to add for not basing your pw off a word but a sentence?)

Can we agree that plaintext saving of passwords (and showing them in the lobby settings!!) is below any level of modern security?
+0 / -0
Firepluk
11 years ago
Yeah guys, that's hilarious.
You store passwords as plain text, but pass them to springrts:8200 as hashes. That's completely wrong. The only place where you need hashes is the database; you need to pass them as plain text in packets and use packet encryption for the whole protocol (TLS for example).
But who cares...
+0 / -0
Firepluk
11 years ago
Also that silly /port/ip/lobby name/version/other garbage/ ban check in the first login packet made me giggle.
+0 / -0
Indeed, the protocol was made by amateurs some time ago. It's all wrong and provides no actual security. But we cannot change it easily now.

@MauranKilom yes, MD5 of the password in itself provides no good security; most can be instantly broken using rainbow tables.

I plan to add symmetrical encryption of the password to ZKL .. it's a rather trivial change, if you want to do it feel free to help.

On a PC there is basically just one way to provide at least decent security - RSA and other asymmetrical encryptions. Best with a hardware chip which stores the private key and performs the actual encryption.

Any software form of "remember my password" means a huge compromise of security and means the password can be retrieved trivially (even if it's not in human readable form it is in machine readable form..)
+0 / -0
They are called salts.

And who said that the password (once saved on your pc) needs to be readable for humans? Saving a salted md5 (or whatever other hash) would be completely sufficient, wouldn't it?
+0 / -0


11 years ago
quote:
Zero-K is open source. Any security we would add (like symmetrical encryption) is false one because anyone could simply look at code or slightly modify it to read your password back.

Linux is open source, and so is the OpenSSH stack. Evaluating your claim (open source = insecure) with 'linux' and 'openssh' results in linux and openssh being inherently absolutely insecure. :P

Also there are things like keystores and such.

quote:
They are called salts.

Salt is inapplicable on client as such.
+0 / -0


11 years ago
We are not talking about securing transfer .. we are talking about storing the key to the cipher in the client itself, which has nothing to do with openssh ...

I claim nothing about open source in general being insecure. I claim any sort of symmetrical encryption of the password on the client - which means the key to the cipher is stored in code - is insecure, and with open source it is trivially insecure.

To use a keystore we would need to use certificates -> we cannot change what we have now.
+0 / -0


11 years ago
quote:
To use keystore we would need to use certificates -> we cannot change what we have now.

Maybe that's harder on some platforms than others >.>
+0 / -0


11 years ago
Well, if the keystore does not work like that and the app is capable of accessing it, it means it's easy to hack again..

There are no shortcuts here..
+0 / -0

11 years ago
You can't protect your account here. Don't even try, but you can cry.

Now that this is said, what you can do is protect spring lobby/zkl/website from compromising your overall security, i.e. your other accounts.

So my advice on selecting a password for this totally insecure protocol is:
1) don't use the same password anywhere else (obvious, but useful reminder)
2) don't use the same password generation rules that you use anywhere else (unless you use "pwgen -s" or similar)
3) why not pick a very bad password and have fun with it? It's not so often that you can be careless when picking a password (because a strong password wouldn't protect you)

Showing the password in cleartext (instead of bullets/asterisks) is something that should be fixed, even if the protocol and website are vulnerable. Maybe there should just be a simple fix that allows zkl to never persist the password and request it every time (when it is started, or when it connects). It won't fix all the protocol/website brokenage, but for some use cases it may help.

RSA doesn't help in any way to secure storage of the password. Unless you encrypt the secret key and request a password. In which case, symmetric encryption would be just as good. But since you would be asking for a password, why go through that extra hoop and not request the lobby password instead of the password to unlock the lobby password...

quote:
err theres no email feild for the loby

There was none.
http://springrts.com/dl/LobbyProtocol/ProtocolDescription.html#REGISTER:client
http://springrts.com/dl/LobbyProtocol/ProtocolDescription.html#CHANGEEMAIL:client

I'm too frightened to check whether clients and server have been updated to handle it. Reading code may be bad for your health.

quote:
we cannot make password-changing application

Me not understand.
http://springrts.com/dl/LobbyProtocol/ProtocolDescription.html#CHANGEPASSWORD:client

quote:
Saving a salted md5 (or whatever other hash) would be completely sufficient, wouldn't it?


No.
Salt only helps to prevent precomputed/rainbow tables. When properly implemented.

(Salted) md5 is supposedly one-way (stop laughing). The server is expecting an unsalted md5 hash from the client. So, saving a salted md5 wouldn't work. Unless you really want to troll and use md5 as an obfuscation mechanism and use rainbow table lookups to actually reverse the saved password, then hash it again before sending it to the server.

You could store the unsalted hash. The real secret is not the password anyway, it's the hash itself. So you would be saving the real secret in cleartext. It looks more like gibberish, but it's still the unencrypted secret, which is the only thing required to log in. Actually, we can consider that the "cleartext" password is actually an obfuscated version of the real secret (the hash). So enjoy, there is obfuscation built in!

Now, if the protocol had specified a salt (or salting mechanism), it would have prevented leet haxxors from using publicly available precomputed rainbow tables. Yay.
+0 / -0
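The points argued across the last few posts (the saved hash is itself the credential, a client-side symmetric cipher with its key in the source is only obfuscation, a salted hash cannot be sent to a server expecting an unsalted one, and unsalted MD5 falls to a precomputed table) can be shown in a few lines. The following is an added example and not ZKL or Spring lobby code; it assumes, per the protocol description linked above, that the LOGIN packet carries base64(md5(password)) and that the server compares that string to its stored copy. The hardcoded client key, the wordlist and the PBKDF2 "fixed design" at the end are illustrative constructions, not anything the project ships.

```python
import base64
import hashlib
import hmac
import itertools
import os
from typing import Optional

# Added example, not ZKL/Spring code. Assumption (from the protocol page linked
# above): the LOGIN packet carries base64(md5(password)) and the server compares
# that string to its stored copy. Everything else here is illustrative.

def md5_hex(password: str) -> str:
    """Plain unsalted MD5, as hex, of what the user typed."""
    return hashlib.md5(password.encode()).hexdigest()

def lobby_secret(password: str) -> str:
    """What the client actually puts on the wire: base64 of the raw MD5 digest."""
    return base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def server_accepts(stored: str, presented: str) -> bool:
    """Legacy server side: hash compared against hash. The password itself never
    appears here, so whoever holds the hash holds the credential."""
    return hmac.compare_digest(stored, presented)

# 1. "Remember me" by saving the unsalted hash: a thief who reads the saved
#    value logs in without ever learning the cleartext password.
def login_with_saved_hash(saved: str, server_record: str) -> bool:
    return server_accepts(server_record, saved)

# 2. Symmetric "encryption" with the key in the open-source client. The key is
#    hypothetical; anyone reading the code (or running the client under a
#    debugger) has it, so this is obfuscation, not protection.
_CLIENT_KEY = b"zkl-hardcoded-key"

def obfuscate(secret: str) -> bytes:
    return bytes(b ^ k for b, k in zip(secret.encode(), itertools.cycle(_CLIENT_KEY)))

def deobfuscate(blob: bytes) -> str:
    return bytes(b ^ k for b, k in zip(blob, itertools.cycle(_CLIENT_KEY))).decode()

# 3. Saving a *salted* MD5 locally does not fit this protocol: the server wants
#    md5(password), and md5(salt + password) cannot be converted back into it.
def salted_local_hash(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()

def can_login_from_salted(password: str, salt: bytes, server_record: str) -> bool:
    return server_accepts(server_record, salted_local_hash(password, salt))  # never True

# 4. Unsalted MD5 against a precomputed table (a rainbow table in miniature).
#    Constructed wordlist; a real table holds billions of entries.
WORDLIST = ["password", "hunter2", "s@12tAp", "purple apple cerries"]
TABLE = {lobby_secret(p): p for p in WORDLIST}

def invert_with_table(secret: str) -> Optional[str]:
    return TABLE.get(secret)

# 5. What the design Firepluk describes looks like: the client sends the password
#    itself (over TLS), and only the server holds a salted, slow verifier. A
#    stolen verifier cannot be replayed, because the server recomputes it from
#    the password rather than comparing it directly.
def make_verifier(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    record = lobby_secret("s@12tAp")                # what the lobby server stores
    print("login with saved hash only:", login_with_saved_hash(record, record))   # True
    print("deobfuscated from 'encrypted' file:", deobfuscate(obfuscate("s@12tAp")))  # s@12tAp
    print("login from salted local hash:", can_login_from_salted("s@12tAp", b"salt", record))  # False
    print("table lookup of the wire value:", invert_with_table(record))          # s@12tAp
    salt, digest = make_verifier("s@12tAp")
    print("replaying a stolen verifier:", verify(digest.hex(), salt, digest))    # False
```

Step 4 is the answer to the "So you can easily read MD5 ... and recover the original?" question: nobody reverses MD5, they look it up, and an unsalted hash of a short password is exactly what public tables index. Step 5 only helps if the transport is encrypted, which is the protocol change Licho says cannot be made without breaking the shared infrastructure.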


11 years ago
ChangePassword does not exist AFAIK.
This protocol description does not match reality.

What exists is admin command to change password of any user. I wanted to make this available for admins to reset password of other people, but it was deemed to be a too big security risk.
+0 / -0

11 years ago
So who can do this besides yourself, @licho? I hope you have at least one stand-in...
+0 / -0