Djinnii Posted October 26, 2012

Hi All, I'm wondering... a few of my users seem to have had their accounts hacked recently, so I wanted to know what I could do and how to help them avoid it happening in future. My main question today is, is it possible for a Minecraft (modded, emulated or otherwise) server to harvest a user's Minecraft name and password?
D3matt Posted October 26, 2012

No, it is not possible for a Minecraft server to harvest usernames and passwords, because you don't authenticate with the server. You authenticate with Mojang's login servers, which then exchange session keys with the Minecraft server. If they are getting their accounts stolen, it's their fault, not yours.
Djinnii (Author) Posted October 26, 2012

Wasn't so much wondering if it was my fault. More, if they are connecting to other people's servers who seem to me anyway a little... dubious... whether it was possible for them to steal the session keys and collect the password from that... much in the same way you would steal a WEP key... (There is no need to transmit the actual password to a device past the initial handshake... but WEP does it anyway.)
D3matt Posted October 26, 2012

No, you cannot get the password from a session key. Session keys are randomly generated when you log in (to Mojang) and are unrelated to the password beyond the fact that you need your password to get one. It's possible they are all using some rogue client or other software that's stealing their passwords, or they all just have weak passwords.
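Added example, not part of any post in this thread: a simplified Python model of the three-party flow described in the replies above, where the password goes only to the login service and the game server sees only a username and a random session key. It is not Mojang's actual protocol or API; the class names, the token format and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class LoginServer:
    """Hypothetical stand-in for the central login service; only it sees passwords."""
    def __init__(self):
        self._users = {}      # username -> (salt, password hash)
        self._sessions = {}   # session key -> username

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username, password):
        # Unknown users fall through to a failed comparison against an empty hash.
        salt, stored = self._users.get(username, (b"", b""))
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        key = secrets.token_hex(16)   # random; not computed from the password
        self._sessions[key] = username
        return key

    def validate(self, username, session_key):
        return self._sessions.get(session_key) == username

class GameServer:
    """Hypothetical game server, possibly untrusted; records everything it receives."""
    def __init__(self, login_server):
        self._login = login_server
        self.seen = []

    def join(self, username, session_key):
        self.seen.append((username, session_key))
        return self._login.validate(username, session_key)

def demo():
    login = LoginServer()
    login.register("alice", "correct horse battery")   # constructed sample account
    game = GameServer(login)
    key1 = login.login("alice", "correct horse battery")
    key2 = login.login("alice", "correct horse battery")
    joined = game.join("alice", key1)                   # valid session key
    forged = game.join("alice", secrets.token_hex(16))  # made-up key is rejected
    return key1, key2, joined, forged, game.seen
```

In this model, everything the game server ever receives is in `game.seen`, and two logins with the same password yield two unrelated keys.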
Jay? Posted October 26, 2012

Are you sure that they're getting their accounts hacked? Or are they just coming in and griefing, then claiming to have their account hacked when you go to ban them? I just ask because that's almost always bullshit.
Djinnii (Author) Posted October 26, 2012

No, fortunately there's no griefing, just a case of them going from being on every day, then suddenly nothing for a week, followed by a message on my Skype saying they can't log in anymore and their accounts have been hacked.