jakj Posted April 15, 2012 Posted April 15, 2012 Benefits? Well lets see... Automated farming, Industrial-To-Buildcraft energy with electrical engines, Biogas Engine, and Biofuel. Pretty much a role in the renewable items of Technic. And you cannot just use the IC2 Mass Fabricator for everything. I know you can get the farm items with EE, but magic is stupid. I enjoy the most realistic renewable parts of Technic. All of this can be done with other mods, admittedly with much more effort. Someone here will eventually come up with replacements for some of the little bits, like item-specific backpacks, and the rest will just be done with other things like RP frames.
nekosune Posted April 15, 2012 Posted April 15, 2012 LastLogin is NOT a one way hash, but a EASILLY decrypted file, I have posted about this on reddit and on the getsatisfaction, only to get people having a go at me about how it is not a problem. and using a hash would solve nothing. I can prove this privately also by telling where to find the code that does the decryption.
Pilchard123 Posted April 15, 2012 Posted April 15, 2012 You don't even need to work out how to decrypt it, just use the launcher's decrypter. I won't specify how to do it, but I've managed to get the launcher to tell me the password - in cleartext - from whatever lastlogin file is given to it. Hashing could help, although I can still think of a way to steal a username/password pair without raising any suspicion, even if lastlogin was hashed. I could even cover my tracks by making the mod edit itself to not have the malicious code in it while you were playing Minecraft. Of course, as with anything written in Java, it's easy enough to decompile, but that requires that you know to look for it. If you don't look at it until it's run once, there isn't anything there to find. Mind you, if this isn't a problem, then I'm sure they won't mind posting their lastlogin files. Since, you know, it's not a problem.
nekosune Posted April 15, 2012 Posted April 15, 2012 You don't even need to work out how to decrypt it, just use the launcher's decrypter. I won't specify how to do it, but I've managed to get the launcher to tell me the password - in cleartext - from whatever lastlogin file is given to it. Hashing could help, although I can still think of a way to steal a username/password pair without raising any suspicion, even if lastlogin was hashed. I could even cover my tracks by making the mod edit itself to not have the malicious code in it while you were playing Minecraft. Of course, as with anything written in Java, it's easy enough to decompile, but that requires that you know to look for it. If you don't look at it until it's run once, there isn't anything there to find. Mind you, if this isn't a problem, then I'm sure they won't mind posting their lastlogin files. Since, you know, it's not a problem. Hashes would help in that, although a hash could be used to use another person's account in game, it would not give you the password, the same password that would likely be used on forums or for email
nekosune Posted April 15, 2012 Posted April 15, 2012 By the way, i am not posting this as a ha ha, your wrong, more that you DO have to be carefull, and it is sloppy code like this that means you have to use different passwords for everything.
Pilchard123 Posted April 15, 2012 Posted April 15, 2012 By the way, i am not posting this as a ha ha, your wrong, more that you DO have to be carefull, and it is sloppy code like this that means you have to use different passwords for everything. Don't worry - I didn't take it that way. The weak link is the password box. If you can intercept the data in there before it is dealt with, then you can do whatever you want to it. Java has a JavaCompiler class that will take a .java file and output a .class file. I'm pretty certain it is also possible to unpack/repack.jar files at runtime. I'll leave the rest to your imagination.
nekosune Posted April 15, 2012 Posted April 15, 2012 yeah, I am not saying a hash would be perfect, but at least it would have been a REASONABLE level of protection. ie to get round you would have had to go to that rather extreme level, and even with your idea, with a hash, it would have shown some suspicious behaviour (to grab password when the hash was saved, would have to clear the hash so they input password again). but just to encrypt the password is rediculous.
jakj Posted April 15, 2012 Posted April 15, 2012 Yes, I've been informed already that I was wrong and it is not indeed hashed. Which is just ridiculous and painful, since hashed passwords have been in use since Arpanet. I think this is the final true proof that Notch is a guy who had a good idea but is absolutely shit at programming and shouldn't've ever been let near a compiler. It's not even my opinion anymore: It's objective fact.
nekosune Posted April 15, 2012 Posted April 15, 2012 I posted a getsatisfaction and a reddit thread over this, and all it got was people saying "Well hashes wouldnt solve it either" ignoring the fact that hashes is a LOT better then what have, even if it doesnt solve it.
Synthetica Posted April 15, 2012 Posted April 15, 2012 Yes, I've been informed already that I was wrong and it is not indeed hashed. Which is just ridiculous and painful, since hashed passwords have been in use since Arpanet. I think this is the final true proof that Notch is a guy who had a good idea but is absolutely shit at programming and shouldn't've ever been let near a compiler. It's not even my opinion anymore: It's objective fact. But a custom launcher could store the password encrypted if I'm correct? Or could, for example, if Linux was detected, store the password in the keychain instead of in the lastlogin file...
nekosune Posted April 15, 2012 Posted April 15, 2012 But a custom launcher could store the password encrypted if I'm correct? Or could, for example, if Linux was detected, store the password in the keychain instead of in the lastlogin file... The problem is it would STILL be encrypted and not hashed, Mojang's servers do not accept a hash, only the plaintext password. while allowing me to log in while I write my mods, is still rediculously unsafe/
jakj Posted April 15, 2012 Posted April 15, 2012 For the less technical, a quick summary: Encryption means encoding the password. This is a two-way process: You put it in, and you can get it back out. If someone gets the encrypted version, they won't be able to get anything back out of it unless they break the encryption (obviously not trivial). Downside means you either need a password as the encryption key, or an encryption key stored on the computer (which can be stolen so no point). Far too much for the average Minecraft user to deal with. True secure login would require public-key encryption, where your password is stored on your computer with Mojang's public key so only their private key can open it, and transmitted the same way so it can't be intercepted halfway across the line. Hashing means converting the password to a shadowed form. This is a one-way process: You put it in, but you can't get it back out again. If someone gets the hashed version, they can use it to log in, but they can't get the password from it directly. The technique to break a hashed password is just a dictionary attack: They hash common passwords until they get a hash that matches your hash. If you use a good password that's random letters and numbers, it's basically as secure as an encrypted password. Even shorter summary: Way it should be done = public-key cryptography (requires Minecraft and Mojang's auth servers to be rewritten); Way it should be done barring that = hashing (requires a couple lines added to Minecraft and a couple lines added to auth servers...very easy).
Beer Posted April 15, 2012 Posted April 15, 2012 As I understand it, the latest algorithm used to try and get passwords has evolved to include numbers. At least that's the explanation I was given when asking why I noticed an increase in website passwords accepting special characters. Figured I'd bring it up for verification since you seem to know what you're talking about and I clearly don't.
jakj Posted April 15, 2012 Posted April 15, 2012 Well yes, as computers get faster, and exploiters are more able to take advantage of stupid people and make botnets, it suddenly becomes feasible to brute-force passwords that you could never have before. It's like how you see them do it on television, where the magic password-cracker box chooses random characters until it matches. Adding special characters just increases the possibilities, making it take much longer to brute-force it. All lowercase = 26 per character Any letter = 26*2 per character Add digits = 26*2 + 10 per character Add some specials = 26*2 + 10 + X per character So, if you allow A-Z a-z 0-9 and `~!@#$%^&*()-_=+[{]}\|;:'",<.>/? you get 94 choices per character. 8-char passwords give 6 * 10^15 passwords, and then you have to add in how many 1-7 char passwords there are. By comparison, 8-char passwords without specials is only 2 * 10^14 plus the 1-7 char passwords, so less than a tenth as many.
Synthetica Posted April 15, 2012 Posted April 15, 2012 Well yes, as computers get faster, and exploiters are more able to take advantage of stupid people and make botnets, it suddenly becomes feasible to brute-force passwords that you could never have before. It's like how you see them do it on television, where the magic password-cracker box chooses random characters until it matches. Adding special characters just increases the possibilities, making it take much longer to brute-force it. All lowercase = 26 per character Any letter = 26*2 per character Add digits = 26*2 + 10 per character Add some specials = 26*2 + 10 + X per character So, if you allow A-Z a-z 0-9 and `~!@#$%^&*()-_=+[{]}\|;:'",<.>/? you get 94 choices per character. 8-char passwords give 6 * 10^15 passwords, and then you have to add in how many 1-7 char passwords there are. By comparison, 8-char passwords without specials is only 2 * 10^14 plus the 1-7 char passwords, so less than a tenth as many. We're drifting way of, man. This tread was about 'the benefits of forestry'. Whatever.
Nphyx Posted April 16, 2012 Posted April 16, 2012 They call them one-way hashes for a reason. But fuck: I just realized that having someone's lastlogin file does let you access their account until they change their password. Jesus. We have to think of some defense against this. Any mod could access that file. If it were me I'd salt the password before creating the hash with something procedurally generated by the client machine (and reasonably unique). Then an authentication request would consist of hash + salt. I don't know whether Notch thought that far ahead, but any crypto junkie or security professional would. (Granted you could steal the salt too if you knew the procedure) Well yes, as computers get faster, and exploiters are more able to take advantage of stupid people and make botnets, it suddenly becomes feasible to brute-force passwords that you could never have before. It's like how you see them do it on television, where the magic password-cracker box chooses random characters until it matches. Adding special characters just increases the possibilities, making it take much longer to brute-force it. All lowercase = 26 per character Any letter = 26*2 per character Add digits = 26*2 + 10 per character Add some specials = 26*2 + 10 + X per character So, if you allow A-Z a-z 0-9 and `~!@#$%^&*()-_=+[{]}\|;:'",<.>/? you get 94 choices per character. 8-char passwords give 6 * 10^15 passwords, and then you have to add in how many 1-7 char passwords there are. By comparison, 8-char passwords without specials is only 2 * 10^14 plus the 1-7 char passwords, so less than a tenth as many. Brute force password cracking is trivial to prevent. You just limit the number of requests per time interval to something reasonably slow (say 1 per 10 seconds). Then the power of the client machine doesn't matter. Precomputation is a bigger problem with (relatively) unlimited computing power but there are plenty of hashing algorithms for which no rainbow tables exist, and again you can use a salt to prevent that. A one-way hash can't be decrypted no matter how much juice you have so that doesn't matter.
ErusPrime Posted April 16, 2012 Posted April 16, 2012 Well yes, as computers get faster, and exploiters are more able to take advantage of stupid people and make botnets, it suddenly becomes feasible to brute-force passwords that you could never have before. It's like how you see them do it on television, where the magic password-cracker box chooses random characters until it matches. Adding special characters just increases the possibilities, making it take much longer to brute-force it. All lowercase = 26 per character Any letter = 26*2 per character Add digits = 26*2 + 10 per character Add some specials = 26*2 + 10 + X per character So, if you allow A-Z a-z 0-9 and `~!@#$%^&*()-_=+[{]}\|;:'",<.>/? you get 94 choices per character. 8-char passwords give 6 * 10^15 passwords, and then you have to add in how many 1-7 char passwords there are. By comparison, 8-char passwords without specials is only 2 * 10^14 plus the 1-7 char passwords, so less than a tenth as many. You've read the posts by the people on these forums. How many are going to understand the entropy of secure passwords?
jakj Posted April 16, 2012 Posted April 16, 2012 Brute force password cracking is trivial to prevent. You just limit the number of requests per time interval to something reasonably slow (say 1 per 10 seconds). Then the power of the client machine doesn't matter. Precomputation is a bigger problem with (relatively) unlimited computing power but there are plenty of hashing algorithms for which no rainbow tables exist, and again you can use a salt to prevent that. A one-way hash can't be decrypted no matter how much juice you have so that doesn't matter. First, we're talking about a stolen lastlogin file, which means there is no limit to requests per time interval. Second, care to calculate the odds that Notch even knows what the words "rainbow table" and "salt" mean in this context? (Not to mention that it's not even hashed, as it turns out.) You've read the posts by the people on these forums. How many are going to understand the entropy of secure passwords? Smart people either understand it, or know how to ask the right questions to come to that understanding. Stupid people see NERDWORDS and go "okay, whatever you say".
Nphyx Posted April 16, 2012 Posted April 16, 2012 First, we're talking about a stolen lastlogin file, which means there is no limit to requests per time interval. Second, care to calculate the odds that Notch even knows what the words "rainbow table" and "salt" mean in this context? (Not to mention that it's not even hashed, as it turns out.) Smart people either understand it, or know how to ask the right questions to come to that understanding. Stupid people see NERDWORDS and go "okay, whatever you say". Yeah I saw the notes re: not hashing later. Brute forcing a known hash is essentially the same thing as precomputation in terms of prevention - use salts and multiple hashing passes to solve that problem. I wouldn't put it beyond Notch to roll his own hashing algorithm, rofl, but I don't know why they're resistant to using hashes. That's just mind-boggling. You just call the relevant hashing method before writing to file (MD5 or SHA would be fine...). Saying "we don't have time to implement hashing" is like saying "I don't have time to not point this gun at my own foot and pull the trigger". Whuh? Creating a machine-dependent salt (say, by looking at the Java environment) would also be trivial and create a further barrier to entry to skiddies. Though honestly I doubt anybody would put the time and effort into creating a great Minecraft mod just so he could use it to steal account info. Maybe if a mod author turned malicious at a later date, but that's just an invitation for a SWAT raid since by the time the mod is popular enough to be a risk it's nearly impossible to hide the author's identity from authorities (even using TOR and other privacy guards he'll likely have slipped up enough just in discussion threads and correlative data to narrow him down; it's surprising how few data points you need to get a positive identity match). Also other than pure assholeitis not much incentive. You can ebay accounts for a few bucks maybe but they'll just get shut down. I doubt the biggest hoard of goodies on the biggest MC server out there is worth more than a few bucks at auction.
jakj Posted April 16, 2012 Posted April 16, 2012 Your doubt is unrealistic. Just look at Minecraft USERS, and think what kinds of people might be lurking out there, just waiting to be pissed off. My doubt is that Notch probably isn't resistant to hashing: He's one of 1) oblivious, 2) lazy, 3) stupid. Take your pick.
Synthetica Posted April 16, 2012 Posted April 16, 2012 You've read the posts by the people on these forums. How many are going to understand the entropy of secure passwords? I'ts not that hard... Your doubt is unrealistic. Just look at Minecraft USERS, and think what kinds of people might be lurking out there, just waiting to be pissed off. My doubt is that Notch probably isn't resistant to hashing: He's one of 1) oblivious, 2) lazy, 3) stupid. Take your pick. 2nd!
Beer Posted April 16, 2012 Posted April 16, 2012 Well yes, as computers get faster, and exploiters are more able to take advantage of stupid people and make botnets, it suddenly becomes feasible to brute-force passwords that you could never have before. It's like how you see them do it on television, where the magic password-cracker box chooses random characters until it matches. Adding special characters just increases the possibilities, making it take much longer to brute-force it. All lowercase = 26 per character Any letter = 26*2 per character Add digits = 26*2 + 10 per character Add some specials = 26*2 + 10 + X per character So, if you allow A-Z a-z 0-9 and `~!@#$%^&*()-_=+[{]}\|;:'",<.>/? you get 94 choices per character. 8-char passwords give 6 * 10^15 passwords, and then you have to add in how many 1-7 char passwords there are. By comparison, 8-char passwords without specials is only 2 * 10^14 plus the 1-7 char passwords, so less than a tenth as many. Awesome. Thanks for the answer. For the record, I do understand the mathematics you're stating here and that's pretty great. Almost sounds like a quadratic equation or at the very least an very lengthy exponential one. Haven't dealt with this kind of stuff since Matrix Algebra, which was mostly breaking down lengthy equations and about one week out of sixteen doing actual matrices.
Pilchard123 Posted April 16, 2012 Posted April 16, 2012 I doubt the biggest hoard of goodies on the biggest MC server out there is worth more than a few bucks at auction. Something that a friend pointed out to me earlier - you can get the person's email address, and people also often use the same password for lots of different accounts. Given a username/password/email address combo, you can get into a lot of things.
Nphyx Posted April 16, 2012 Posted April 16, 2012 Something that a friend pointed out to me earlier - you can get the person's email address, and people also often use the same password for lots of different accounts. Given a username/password/email address combo, you can get into a lot of things. Granted. But if you do that it's your own stupid fault <.< Also, due to hash collisions, there's not a 100% guarantee that the password you generate is actually the one the person used in plaintext form, although better quality algorithms will not produce collisions on a dictionary attack. I don't know how many times people have to be told not to use stupid passwords and not to reuse them in important places. If one thing doesn't steal one of your passwords another thing will - insecure website, virus (if you're using Windows or, occasionally, Mac), phishing attack, etc. I had to reset a half dozen throw-away passwords thanks to the stupid Gawker attack last year and I'm generally uber-paranoid and secure. At least I'm smart enough to not have used the same password on bank accounts, game accounts, etc. Anyway yeah points well taken. Maybe someone ought to demonstrate an attack to (hopefully) force Mojang into action.
jakj Posted April 16, 2012 Posted April 16, 2012 Anyway yeah points well taken. Maybe someone ought to demonstrate an attack to (hopefully) force Mojang into action. You don't change the law by breaking the law, unless the law is such a fundamental violation of human rights that there's no other alternative. (Minecraft password security does not fit this description.) The best thing we can hope for is educating smart people and tsk-ing at dumb ones.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now