Login

russian armor

Server Encryption

meh
17 Apr 2015, 04:16 AM
#1
avatar of meh

Posts: 59

You probably should consider getting some type of server encryption on your forums considering user name and passwords are out in the open. I'm going to start trying various passwords and user names on steam accounts, might get lucky :) Maybe somebody is using the same password on their account, that might be fun.


That's Sarcasm btw, for those who can't tell, if I was serious, would I even be posting this? But yes the usernames and passwords are all out in the open :oops:
17 Apr 2015, 05:19 AM
#2
17 Apr 2015, 07:01 AM
#3
avatar of Blalord

Posts: 742 | Subs: 1

MP an admin if you think you have found a security problem ! :)

Cheers.
17 Apr 2015, 08:41 AM
#4
avatar of Nuclear Arbitor
Patrion 28

Posts: 2470

if this is the case (i'm going to assume it is) they really should be using hashes...

although my understanding of cryptography is pretty meh.
17 Apr 2015, 13:19 PM
#5
avatar of Inverse
Coder Red Badge

Posts: 1679 | Subs: 5

They're not "out in the open", they're hashed and salted on the server, they're just posted in plaintext from the browser to the server. Which is not good practice, agreed, but it's nowhere near the level of vulnerability you claim it is. The main implication of this is if someone is sniffing packets from your machine (because they're on the same network as you or you're connecting over an insecure access point), they will be able to see the password you send to the server when you login.

Regardless, the appropriate people have been made aware of this. I haven't worked with the code in a long time, so I'm not in a position to fix it.
17 Apr 2015, 18:54 PM
#6
avatar of Stafkeh
Patrion 14

Posts: 1006

Thanks for making us aware :)

Changed password.
17 Apr 2015, 19:11 PM
#7
avatar of JHeartless

Posts: 1637

And this is why I dont universalize passwords and why your told not too.
17 Apr 2015, 19:24 PM
#8
avatar of Nuclear Arbitor
Patrion 28

Posts: 2470

yeah but remembering 15+ passwords is asking for something to get screwed up and if you're writing them down you're creating a security risk that way. i have one password for most things and then separate ones for anything with money, which i do write down because i know i won't always remember them.
17 Apr 2015, 19:48 PM
#9
avatar of JHeartless

Posts: 1637

yeah but remembering 15+ passwords is asking for something to get screwed up and if you're writing them down you're creating a security risk that way. i have one password for most things and then separate ones for anything with money, which i do write down because i know i won't always remember them.


I dont remember 15! You just create password 1 for shit you dont give a ratsass about and a stronger password for the things that you do. 90% of passwords fall into the I dont give a crap bucket so they can have at it.

Things like Steam, Bank, Itunes etc are all you need to remember to keep different. And its not hard to have a phrase. Such as one I used to use GOFUCKYOURSELFAPPLE(12
17 Apr 2015, 20:07 PM
#10
avatar of MajorBloodnok
Admin Red  Badge
Patrion 314

Posts: 10665 | Subs: 9

Or you could try something like this,which napalm usefully suggested:

https://lastpass.com/
17 Apr 2015, 20:55 PM
#11
avatar of Nuclear Arbitor
Patrion 28

Posts: 2470

Or you could try something like this,which napalm usefully suggested:

https://lastpass.com/


firefox has something like that built in but it's also a security weakness.
17 Apr 2015, 21:06 PM
#12
avatar of elchino7
Senior Moderator Badge

Posts: 8154 | Subs: 2

yeah but remembering 15+ passwords is asking for something to get screwed up and if you're writing them down you're creating a security risk that way. i have one password for most things and then separate ones for anything with money, which i do write down because i know i won't always remember them.


Create a single password and then add a word according to the site/game/whatever.
17 Apr 2015, 23:04 PM
#13
avatar of Nuclear Arbitor
Patrion 28

Posts: 2470



Create a single password and then add a word according to the site/game/whatever.
f

that is a compromise between lots of passwords and using the same one and is thus easier to crack then the former and harder then the later and easier to remember then the former and harder then the latter.
17 Apr 2015, 23:09 PM
#14
avatar of CieZ

Posts: 1468 | Subs: 4

Looks like some one was watching my stream last night :P

As Inverse said, it isn't a huge a risk, although it also isn't great practice - but CoH2.org isn't the only website that posts this sort of information in clear text. Start sniffing your network, you might be surprised.

Hell even some banks are using outdated/weak cipher suites for ALL of their online transactions. You should be much more worried about that than the lack of encryption in coh2.org's authentication process.

Anyways, as an end-user you should never have the same password for more than one system. You also don't want a password that is in any way/shape or form predictable or related to yourself(statistically I can crack 91% of passwords using a list of only 10,000 different passwords and running a dictionary attack against you).


Do yourself a favor and get a password management app - I suggest KeePass 2.

Oh if any coh2.org admins read this, I'd be willing to volunteer some part-time services helping administer the security side of the coh2.org server. Can provide certification upon request.
18 Apr 2015, 02:38 AM
#15
avatar of Mr. Someguy

Posts: 4928

I don't trust any password management site. Why would I want all my passwords kept on some third party server? You're better off hiding a written note in your home. What if someone just attacks that server instead, then they have all your passwords instead of just one of them.
18 Apr 2015, 03:06 AM
#16
avatar of CieZ

Posts: 1468 | Subs: 4

I don't trust any password management site. Why would I want all my passwords kept on some third party server? You're better off hiding a written note in your home. What if someone just attacks that server instead, then they have all your passwords instead of just one of them.


Not sure if you're talking about lastpass, or if you thought keepass2 was a web-based password management app buttttttttttt I'll try and ease your mind a little/enlighten you...

As long as the database in which your password(s) are stored on any given web server, even if that server is compromised, your passwords (in the environment of a properly managed database) will be secure. Part of this is your responsibility to make a strong password, no realistic amount of help is going to fix a weak password.

In simple terms this is what is going to happen: you give mywebsite.com your user name/password, they shouldn't need that information for anything other than authentication, therefore they will hash the password (preferably with some sort of salt), and store the hashed value of your password. When you authenticate in the future, they only compare the hash your browser sends them, to the hash they have stored - if they match, congrats you entered the same password and you're let in. Without going into the details of attacking something like this, suffice it to say that if your password is weak and the database is compromised, it will be trivial to crack your password. But if it strong, odds are your password is safe from anyone other than a state-backed actor.

Not to mention that it'll be exponentially more difficult to attack a properly hardened webserver than most people's local machines/home networks.

Now... I haven't done my research on lastpass because I don't use it but I'd be willing to bet that your passwords are safe there...

As for KeePass - all the passwords are only ever stored locally on your machine. You set up a master password and have the option of adding a key file and OS user account as additional layers of authentication to access your password database. You then get to set up your list of passwords, which KeePass will randomly generate for you if you'd like (yay copy/pasta) and never have to worry about remembering anything other than 1) your master password and 2) the location of your key file.

In order to compromise this an attacker would need full access to your local machine, they'd have to know where your key file is located, and they'd have to be logged in as you (well I guess that part is easy if your Windows/Linux/OS X password sucks). Anyways, the point being... the odds of this happening are incredibly low unless you derp up.

Edit: https://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html/

^ If lastpass is good enough for Steve Gibson, it's good enough for me. I'll stick with KeePass because I already have it set up, but there's some more reading material for those interested.
18 Apr 2015, 22:40 PM
#17
avatar of Ace of Swords

Posts: 219

Actually writing down your passwords on a pc you consider safe and then bring it over on your pc and copy - paste passwords from there is the safest way.

If you think someone could use your computer and steal them you can always encrypt the file, better than using these online services.
19 Apr 2015, 16:26 PM
#18
avatar of Hogman512

Posts: 168

https://www.youtube.com/watch?v=xH53pQJX_Oc

This video about sums up my initial reaction...
19 Apr 2015, 17:56 PM
#19
avatar of CieZ

Posts: 1468 | Subs: 4

Actually writing down your passwords on a pc you consider safe and then bring it over on your pc and copy - paste passwords from there is the safest way.

If you think someone could use your computer and steal them you can always encrypt the file, better than using these online services.


Ummmmm.... no...

Okay, let's assume for a minute that you store all of your passwords on a computer that you have disabled ALL network/internet access in, so there's absolutely no way other than physical access that an attacker could gain access to said machine. That might be mildly better than saving them in an encrypted database on your actual machine... but you'd still need to randomly generate your passwords, and then you'd have to type them all in manually. For example, the first few characters of my coh2.org password are:

"wQGNX8zJUY" (go ahead, try and brute-force the rest, it's 64 characters long in my database although CoH2.org truncates after a certain amount - so it isn't truly 64 characters long). It'd take computer somewhere in the realm of 40 untrigintillion years @ 4 billion guesses per second to crack my coh2.org password.

Do you really want to type that out every time you log in somewhere? Probably not.

Furthermore, storing them on that completely air-gapped machine does absolutely nothing to protect your own home network, nor does it do anything to protect you from social engineering/conscious password guessing and it does nothing to prevent an attacker from capturing your password in transit in clear text (assuming the server supports no encryption - like coh2.org's) or the hash of said password if the server won't establish an SSL/TLS connection for authentication (like community.companyofheroes.com - your browser sends the hash of your password to the server, no encryption). Therefore, if your password is at all weak, even on that air-gapped machine - you have an inherent vulnerability.

Realistically the user name/password system sucks, and we'll probably see a major shift in authentication mechanisms in the next ten years but there are a lot of steps that can be taken to provide enough protection that no one short of a state-backed actor can compromise your password (unless you let some nasty malware on your system, and even the NSA isn't going to enjoy cracking a 64-character long password). The safest password is one that you do not know. It is nearly impossible for us, as humans, to generate a truly random password - and we have a hard time remembering them all. Most people (~73%) make the mistake of using the same few passwords (usually very similar) for everything. Think of that for a minute. I, as an attacker, get access to one of your passwords - it'll probably be extremely easy to get access to everything you protect with a password.

Also, systems like LastPass do all decryption locally meaning the only thing they ever store is the encrypted version of your password (aka useless/meaningless to them). They use PBKDF2 with thousands of iterations to further increase the strength of the encryption/protect against brute-force attacks and you can add multi-factor authentication...

There's just no way you can easily beat something like that on your own...
19 Apr 2015, 17:58 PM
#20
avatar of Sarantini
Honorary Member Badge
Donator 22

Posts: 2181

jump backJump back to quoted post19 Apr 2015, 17:56 PMCieZ


Ummmmm.... no...

Okay, let's assume for a minute that you store all of your passwords on a computer that you have disabled ALL network/internet access in, so there's absolutely no way other than physical access that an attacker could gain access to said machine. That might be mildly better than saving them in an encrypted database on your actual machine... but you'd still need to randomly generate your passwords, and then you'd have to type them all in manually. For example, the first few characters of my coh2.org password are:

"wQGNX8zJUY" (go ahead, try and brute-force the rest, it's 64 characters long in my database although CoH2.org truncates after a certain amount - so it isn't truly 64 characters long). It'd take computer somewhere in the realm of 40 untrigintillion years @ 4 billion guesses per second to crack my coh2.org password.

Do you really want to type that out every time you log in somewhere? Probably not.

Furthermore, storing them on that completely air-gapped machine does absolutely nothing to protect your own home network, nor does it do anything to protect you from social engineering/conscious password guessing and it does nothing to prevent an attacker from capturing your password in transit in clear text (assuming the server supports no encryption - like coh2.org's) or the hash of said password if the server won't establish an SSL/TLS connection for authentication (like community.companyofheroes.com - your browser sends the hash of your password to the server, no encryption). Therefore, if your password is at all weak, even on that air-gapped machine - you have an inherent vulnerability.

Realistically the user name/password system sucks, and we'll probably see a major shift in authentication mechanisms in the next ten years but there are a lot of steps that can be taken to provide enough protection that no one short of a state-backed actor can compromise your password (unless you let some nasty malware on your system, and even the NSA isn't going to enjoy cracking a 64-character long password). The safest password is one that you do not know. It is nearly impossible for us, as humans, to generate a truly random password - and we have a hard time remembering them all. Most people make the mistake of using the same few passwords (usually very similar) for everything. Think of that for a minute. I, as an attacker, get access to one of your passwords - it'll probably be extremely easy to get access to everything you protect with a password.

Also, systems like LastPass do all decryption locally meaning the only thing they ever store is the encrypted version of your password (aka useless/meaningless to them). They use PBKDF2 with thousands of iterations to further increase the strength of the encryption/protect against brute-force attacks and you can add multi-factor authentication...

There's just no way you can easily beat something like that on your own...

How do you access this site (or any other site) from places you do not have that program installed?
0 user is browsing this thread:

Ladders Top 10

  • #
    Steam Alias
    W
    L
    %
    Streak
Data provided by Relic Relic Entertainment

Replay highlight

VS
  • U.S. Forces flag cblanco ★
  • The British Forces flag 보드카 중대
  • Oberkommando West flag VonManteuffel
  • Ostheer flag Heartless Jäger
uploaded by XXxxHeartlessxxXX

Board Info

1072 users are online: 1072 guests
1 post in the last 24h
9 posts in the last week
27 posts in the last month
Registered members: 50008
Welcome our newest member, Goynet40
Most online: 2043 users on 29 Oct 2023, 01:04 AM