Dear NGD, me is sorry

Snoid · 03-26-2009, 04:57 PM

Quote:

Originally Posted by antowen

Oh come on, this is just an excuse to rant an NDG for someone else's stupidity. Logging into the forum and the main page is via http and not https and that doesn't appear to have bothered enough people to kick up a fuss.

If anyone is stupid enough to type their password into a chat window, then it doesn't really matter how NGD stores it.

Apart from that, what makes you say its not stored encrypted? Its fairly trivial to compare a word against an encrypted password and then return a true or false if there's a positive match.

Excuse? what have i to excuse?
I dont bother about https or http login, as they store passwords in a safe. I keep safe my own lan. Do they? I dont know. I bother about how they store my info. Do you?

It's trivial to compare ONE password, but it seems they are comparing every chatline, to see if it contains the valid password. Do they crypt all the chunks between spaces before to compare it to a hash of the password? i doubt it. And that's not trivial.

This is not about stupid persons, it's about stupid security implementations.

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

If, as is implied in you message, this is a feature only for stupid people, well, maybe they get scared, or they just have a nice confirmation, or they just ignore any RED WARNING MESSAGE.

But this system is not avoiding anything. And they can get this information privately, anyway.

Zodar · 03-27-2009, 12:59 AM

Quote:

Originally Posted by Snoid

It's trivial to compare ONE password, but it seems they are comparing every chatline, to see if it contains the valid password.

I would imagine they would only compare the text you type against your own password, not everyone's.

Quote:

Do they crypt all the chunks between spaces before to compare it to a hash of the password? i doubt it. And that's not trivial.

That's assuming the password doesn't contain a space. As far as hashing it is concerned, it really is quite trivial. For example, I can generate a 150+character SSHA encrypted password in a fraction of a second (actually using the OpenLDAP password tool called slappasswd) and that's with pasting a password in at the console prompt or using an expect script. It would be even faster using something custom written that didn't wait for keyboard interaction. We're only talking about a few 100 bytes each time, so the overhead is miniscule.

Quote:

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

I'm not suggesting that you are, but clearly there are *some* people stupid enough to type their passwords into a chat window. What happens if they do it in public chat?

With regards to a brute force attack, even if the system is only checking your own password, I will agree that this might be possible, but only if the user is already logged in and is dumb enough to leave their terminal in a public place, without locking it. If that's the case then, quite frankly, they're asking for trouble. Its still more secure than web browsers offering to remember passwords.

Quote:

But this system is not avoiding anything. And they can get this information privately, anyway.

Yes they can and that's completely out of NGD 's control. However, if someone is using NGD's system, then NGD have every right to implement any security feature they see fit. I scan everyone's email in work for executable attachments, viruses and inappropriate words - it doesn't mean I need to read everyone's email to do it, I have installed software and written scripts to take care of it for me. These spit out warnings, either to the I.T staff or to the user, depending on what's detected.

I can't see it being any different to that to be perfectly honest.

iteomagazu · 03-27-2009, 11:01 AM

Quote:

Originally Posted by antowen

I scan everyone's email in work for executable attachments, viruses and inappropriate words

?? Huh... Againt inappropriate words too? This is frightening...

I don't want NGD to encrypt everything, since i guess everything would slow down then - and hell, it is slow enough!

Just do not give away your passwords - i think that is much more dangerous than unencrypted chats...

Quote:

Originally Posted by Snoid

who needs a warning about "you typed you password"?. I can only think in a bruteforce attacker. I know i typed my password. Im not stupid.

As we can see by this thread (and some more on the other servers) it works by scaring the users that want to give away their password.

Snoid · 03-27-2009, 11:37 AM

Quote:

Originally Posted by antowen

I would imagine they would only compare the text you type against your own password, not everyone's.
...

Yes, my tests say that they are comparing every chat word you type, against your password. I dont really know how they do it. But it's one of two:
1. they compare plain text with plain text password.
2. they hash every word (every string between spaces) and then compare every result with your hashed password.

And yes, i guess they asume that there are no spaces in the password, and that it's not finished but a dot (.)

In any case, i dont like it.

Regards!

arlick · 03-27-2009, 12:01 PM

Quote:

Originally Posted by Snoid

1. they compare plain text with plain text password.
2. they hash every word (every string between spaces) and then compare every result with your hashed password.

1 and 2 are not important, because the comparation is made on client side, so they dont know about your password (you can't know it ever, you just have to believe it), and the server will not get worst doing comparations (so no lag consequences, etc).

Snoid · 03-27-2009, 12:22 PM

Quote:

Originally Posted by arlick

1 and 2 are not importante, because the comparation is made on client side, so they dont know about your password (you can't know it ever, you just have to believe it), and the server will not get worst doing comparations (so no lag consequences, etc).

did you make tests to confirm that? I always asumed that the server was receiving the data, and giving the response, but i never really checked this.

arlick · 03-27-2009, 12:27 PM

Quote:

Originally Posted by Snoid

did you make tests to confirm that? I always asumed that the server was receiving the data, and giving the response, but i never really checked this.

Well a friend had the problem with the red letters and i asked to kailer about it. I'm not sure but i think he said something similar

. A mix of it a suppositions.

Snoid · 03-27-2009, 12:30 PM

Quote:

Originally Posted by arlick

Well a friend had the problem with the red letters and i asked to kailer about it. I'm not sure but i think he said something similar

. A mix of it a suppositions.

so, your friend was using a common word as password, and RO was warning him all the time?

i will make my own tests (mythbusters style)
[lang=es]wireshark al ataque![/lang]

surak · 03-27-2009, 12:44 PM

Quote:

Originally Posted by Snoid

did you make tests to confirm that? I always asumed that the server was receiving the data, and giving the response, but i never really checked this.

As arlick says, the password check is client-side only.

Snoid · 03-27-2009, 12:52 PM

Quote:

Originally Posted by surak

As arlick says, the password check is client-side only.

Confirmed.
Password is stored in memory while the game is running. I didnt see any network trace of the password check.

hint: scan your memory for text "Charactername:" (upper/lower case matters)

Forget everything i said before (in this thread only)

PD: Thanks Surak! Tell Kailer to answer my PM, or i will spam your inbox!