PlaneShift
Announcements => PlaneShift News and Rules => Topic started by: weltall on October 29, 2011, 01:21:56 pm
-
Planeshift has been using md5sum for a long time (just like most of the internet still does) but as it's well known md5 suffers from collisions and other issues which could even allow to identify the original password ( http://en.wikipedia.org/wiki/Md5#Security ) so we are going to migrate the game server passwords to sha256.
As we cannot just take the md5 and convert them to sha256 we will do a slow migration by having users input again the data so it will be possible to get these new hash to be used for account login.
These are the steps I plan to take in order to proceed on this migration:
1) registration and password recovery functionalities will start recording both md5sum and sha256sum hash in the server database
1.5) Game server will start accepting an additional field during login containing an unsalted sha256sum, around the same time svn clients will start sending these unsalted sha256sum (it's a tradeoff between security and ease. I'll explain more on the bottom). The server will store these unsalted sha256sum in it's database.
2) 0.5.8 release - Release clients will start sending unsalted sha256sum (same thing as 1.5), authentication is still done through the salted md5sum
2.5) The server starts accepting salted sha256sum for authentication, while retaining the previous authentication system when not provided the new data.
3) if there will be a 0.5.9 release clients will stop sending unsalted sha256sum and will start sending only salted ones, additionally md5sum will not be sent anymore. servers will use the sha256sum to authenticate if available else it will behave like with 0.5.8 clients and will store the unsalted sha256sum in it's database, if the client logging in is 0.5.8 or earlier md5sum will be used for autentication
4) 0.6.0 release sha256sum only will be used for autentication. clients earlier than 0.6.0 will be network incompatible (also for other reasons).
5) myplane will start using sha256 for autentication
6) registration of md5sum data will be halted in the registration/password recovery forms
7) the md5sum data will be deleted from the databases
8) migration complete
The risk of unsalted sha256sum is that it allows a man in the middle attack to your client.
In other words someone could listen to your communications between the client and the server and save for future use your sha256sum which is all someone needs to login, even though it's entirely useless to get back the original plain text password. Because of this fact using this easy method to convert password is *NOT* suggested on unsafe networks and an option will be provided in the login dialog to disable it (it will be enabled by default). If you know that your network is unsafe you are warmly suggested to untick this box and use the password recovery form from a safe location to add your sha256sum for the future, If you don't know or you know you are in a safe network you can untick it to increase security after the first login which will send your new password hash to the server (notice that till you don't rewrite your password in the box with a new client it won't be sent).
As an additional note: if your username is not a valid email anymore you are suggested during the migration period to correct this by contacting developers.
Enjoy playing planeshift. If you don't understand something of this please ask.
Currently step 1 is complete.
-
Did I understand it right that clients, who didn't log in between now and step 7 won't be able to log in afterwards?
-
actually step 4.
They will need to use the password recovery function in the registration page in order to be able to login again. (accounts not clients)
Also logging in is not enough you need to input again the password in your client so the client can do the sha256sum, till this won't be done just the md5sum password will be sent like now (and the server won't add the record for the new password sum hash)
-
svn is at step 1.5 servers will follow soon
I'd like to add as a side note that anyone who registered or recovered the password after 7 july 2011 has already the new hash stored in the database so doesn't need to send it to the server again.
-
Sorry, Weltall, but I didn't understand any of it. Could you translate to layman's terms?
Sanrai
-
Briefly said: The currently used algorithm of password checksums is not most secure anymore (but still would require a remarkable effort to capture and crack them). The next version will use a much more secure algorithm but requires some small efforts ... in ideal case, staying active during the next months and regularly logging in.
-
Basically ... log in with all your alt accounts -- especially the ones with email addresses that are no longer valid -- or create headaches for yourself and the administrators.
What is going to happen down the line with accounts that do not get updated?
-
Thank you, LigH and bilbous, for shedding some light on this. I just want to have fun with the game, not change parts of the program (e.g. find file"X" and do this and that). Makes me very nervous . . . .
And I echo the question of bilbous ...
Sanrai :sorcerer:
-
I was taking a break from the game (deleted it).Will my chars vanish into the black hole of data if I do not log in regularly.
-
you'll have to input again your password in the client if it was saved else the new one won't be sent. We are talking of the next released client not the current one (or self built clients when i say we are at step 1.5)
who loses this occasion will need to use the password recovery function from the registration page. That requires a still valid email to work.
Either methods are required only one time. So if you want to go easy just do the password recovery procedure and input your current (or a new one) password and you'll be fine.
All The new accounts and accounts which used the password recovery procedure since 7 july have already the new password storage type employed.
-
You might want to put a notice on the game login screen as not everyone checks the forum.
-
after release
-
How does one do the password recovery thing? And what if I have a new e-mail....? I don't want to lose my character..... sorry for needing simple answers......
Sanrai
-
RP Server (http://62.173.168.9/register/)
non RP (http://planeshift.ezpcusa.com/register/)
The first one is the one you most likely want to use.
If you cannot access the old email address you likely need to contact the administrator but someone might jump in with better information.
Aside to web admin: the side links to the password recovery and server on the zeroping register page link to fragnetics. I didn't check the others but they might be the same.
-
you'll need access to the email which registered the account in order to accomplish the recovery procedure.
thanks for noticing that problem going to fix it by redirecting to the same page as the main site
-
Has anyone considered implementing an accessible function for changing email address associated to the account before implementing this change? Surprised this thread hasn't erupted yet, maybe nobody is paying attention.
-
no and i don't plan to for now
-
So just to re-iterate, as I understand it, once the 0.5.8 client is released we will need to log in with all our accounts, freshly inputting our passwords in order to update the password encryption. If we do not do this before the 0.5.8 client is subsequently updated any accounts we have that have not had this encryption updated will need to have this done before we update our clients to 0.5.9 if it is offered. This client will use the new encryption and require the use of the password recovery service and any accounts that are associated with defunct email addresses will become a problem to renew as they will take manual effort on the part of the server admin. Once the 0.6.0 client is released not updating will not be an option and password recovery will be the only way to access accounts that have not had their password updated. Is that a fair reading of the situation?
Can we expect that 0.5.8 will stick around for at least a month or possibly two to give us a fair chance of updating our passwords painlessly? I know I have several accounts where the email address is no longer valid and it seems to me that they are already problematic to change the password for. Fortunately that has not been a problem for me as I do not need to change their passwords.
Are the myplane passwords the same hash file as the game passwords or will we need to repeat the procedure there as well?
-
yes that's sorta it.
I expect 0.6.0 to take several months to be done (up to a year even) as combat will be merged, char creation and quest will have a major rework, prolly npcclient changes will be merged too and compatibility with previous clients will be broken.
-
I'd like to point out that we have 1,6% of the accounts already migrated.
If we consider only accounts which logged in since january this percentual increases to 32%. (it seems some migrated accounts never logged in the game ever... i wonder if it's a problem with the email)
-
I have a couple accounts with email addresses which are gone and will not be back, I have a couple more for which the domain is under my control and could be returned to service. You suggest in the original post that
As an additional note: if your username is not a valid email anymore you are suggested during the migration period to correct this by contacting developers.
and I am wondering if this is best done by pm on the forums or directly on irc -- perhaps on the #planeshift-build or #planeshift-gmtalk channel on IRC. Are you, weltall, the only one who has the proper server authority to do this or are there others you can name who we can look for to share the burden and assist us? I realize you are a busy person but if you alone have the ability, perhaps others you trust can take user details to pass along to you.
I am curious about that 32% does that indicate that that percentage of "current" accounts have had their password reset or have registered since July of this year?
Also I gather that this will affect both servers.
-
I have a couple accounts with email addresses which are gone and will not be back, I have a couple more for which the domain is under my control and could be returned to service.
:offtopic:
Not meaning to derail the thread, so just a quick yes or no will do. Are multiple accounts allowed?
- Nova
-
Last i knew you could but that was back in 2009 or so.
-
http://www.hydlaaplaza.com/smf/index.php?topic=25815.msg288252#msg288252
-
I have a couple accounts with email addresses which are gone and will not be back, I have a couple more for which the domain is under my control and could be returned to service. You suggest in the original post that As an additional note: if your username is not a valid email anymore you are suggested during the migration period to correct this by contacting developers.
and I am wondering if this is best done by pm on the forums or directly on irc -- perhaps on the #planeshift-build or #planeshift-gmtalk channel on IRC. Are you, weltall, the only one who has the proper server authority to do this or are there others you can name who we can look for to share the burden and assist us? I realize you are a busy person but if you alone have the ability, perhaps others you trust can take user details to pass along to you.
I am curious about that 32% does that indicate that that percentage of "current" accounts have had their password reset or have registered since July of this year?
Also I gather that this will affect both servers.
leaving a petition from the account with the destination email is the best way to verify it easily.
yes it does.
i see no issues with multiple accounts.
-
ok today we reached stage 1.5 on both servers. If you've an svn client you can start sending your converted password with that.
-
(http://psps.psde.de/images/g6671.png)
-
Haha Love It!
-
I see you got the point, Boeven! ;D
-
Talad doesn't want the option in the login window so there will be no graphical way to disable the password conversion. if you wish to disable it open the planeshift.cfg in the same folder of log and change this option (or add it if missing):
PlaneShift.Connection.ConvertPass
in this way
PlaneShift.Connection.ConvertPass = false
you could also restore visibility of the option by removing visible="false" in the definition of the widget in the loginwindow.xml
-
Is 0.5.8 fairly immanent? I understand we are at the point where self-compiled clients are already making the password upgrade.
-
It should be imminent.
-
Congratulations on the release of 0.5.8, now that it is here is there any way for us to tell that the password migration for our accounts has been successfully achieved? I spent a while earlier logging in with a bunch of my accounts with the save password option unselected so I am expecting that they have been successfully migrated.
I choose to do this method because I have more defunct email addresses than I have available unused ones and I didn't want to create a bunch of webmail accounts that I'll never use for any other purpose and which would be deleted by the webhost for lack of use.
-
if you disable password saving there is no way to know if it worked
-
Are you suggesting that if I save the password and the second time I login it succeeds I can assume that the stronger encryption is in place?
I just turned off the password saving to ensure I had to input the password instead of using the previously saved one.
Thank you for your responses.
-
when you delete the password field and write it again it will save two options the md5sum and the sha256sum in the config file, when this happens it's surely migrated
-
ok, even though i didn't list it, we are currently at step 2.5
This means the server will start accepting sha256 only authentication and, if it fails, it will attempt to do md5 authentication and storing of sha256 hash if provided. so just like step 3, only we didn't release the client yet. For who uses 0.5.8.1 nothing changes, for who uses svn clients it will mean they will start using the sha256 salted authentication.
-
accounts with login in last 3 months which are converted
88.5%
accounts with login in last year which are converted
47.2%
-
step3:
now clients will only login with sha256sum and won't update anymore the password. If you cannot login you'll have to do password recovery or use an older client (0.5.8[.1]) and input again the login details from scratch and get in game. After 10 minutes after logout you should be able to login with the new client.
-
(http://imgs.xkcd.com/comics/incident.png)
-
How do I do "password recovery" then, please.
If I go to http://planeshift.subhosting.net//register/index.php and do "forgot password", I never get a verification email.
I clicked on an earlier link for "password recovery" (can't remember where) but got "404 page not found".
Thanks.
-
check your spam folder
-
I've run into the same issue, trying three times. I've checked spam, etc.
-
Some email providers delete the verififcation mail instantly. Googlemail works.
-
I'm with Yahoo, which doesn't delete emails, yet I receive no password reset emails, not even in the Spam/Junk folder.
Also, if I set up my profile email for gmail, I get "No validated account with that e-mail found".
-
Just in time, folks...
Google proudly presents: the first SHA-1 collision (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)
See also: https://SHAttered.it (https://shattered.it)
-
We use SHA256, which is secure ... for now.