Passwords Are Evil

XiongChangnian
New member
Posts: 7
Joined: Sun Dec 30, 2018 13:04

Passwords Are Evil

by XiongChangnian » Post

Passwords are a known evil. Most people have difficulty remembering dozens of them, which immediately leads to frustration and shortly to resorts such as weak passwords, password reuse, and writing down in insecure locations. This leads to a round of server-side attempts to patch these issues... which open new holes and widen others. Next thing you see, a hundred million accounts are exposed and it's on local broadcast teevee.

This isn't just stupid; it's evil. Because all rationales for password authentication boil down to laziness and, in some cases, a desire to keep the user vulnerable.

The obviously better authentication methods rely on public-key encryption. Mature, robust libraries exist with suitable implementations; I should not need to school a professional. However, for the benefit of outraged laymen...

First the user generates a public/private key pair. This need not be a technical process; the client can handle details. The private key is stored on the machine and never revealed.

When meeting a server, the client identifies its user and offers the public key. The server uses the public key to encrypt a challenge to the client. Only the client with access to the private key can answer the challenge correctly.

No malicious actor can masquerade as the legitimate user during this authentication: he lacks the private key. No malicious server can steal user credentials; the private key is never transmitted. Storing the correct answer to a challenge is futile; it contains nothing useful to impersonate the user in any future round of challenge.

As a bonus, the same system allows a server to offer its own public key and meet a challenge coming from the client. So both parties enjoy security!

Professionals do know this system is imperfect. However, it has been gamed out thoroughly. The private key can be stolen by someone with access to the user's machine... and the key can itself be locked. The user can switch to a new machine... and copy his key to it, all under direct control. Here is not the place to lecture for hours on security.

One significant point is that when a server and client meet for the first time, there is no method (discussed above) for either party to know the true human identity of the other. This leads to thoughts of central registries, which contain demons of their own. But in most cases, true identity is unimportant; and it's a slippery concept anyway.

What most of us want to know most is that the trust we are building over time with another party online is valid: that whoever is on the other end is the same one a week or a year later. This is true for individual users and large corporations. When the latter desire true identity, the wise user smells intention to misuse that information.

The main fact is that public/private key authentication is better than a password: easier, faster, more secure. I cannot understand how, at this late date, an honest professional can refuse to discard server/client passwords.

Simple introduction:
https://en.wikipedia.org/wiki/Public-key_cryptography
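The challenge-response round described above, as an added Go example that is not part of the original post or of Minetest's own code. RSA-OAEP stands in for whatever library the post leaves unspecified, and the Server, Challenge, Answer and RunAuth names are assumptions; the server keeps only public keys, seals a fresh random nonce per login, and a client without the matching private key cannot open it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Server stores only public keys: a database leak yields nothing that can log in.
type Server struct{ users map[string]*rsa.PublicKey }

// Challenge draws a fresh 32-byte nonce and seals it with the user's public key;
// the plaintext nonce stays server-side and only the sealed copy is sent.
func (s *Server) Challenge(user string) (nonce, sealed []byte, err error) {
	pub, ok := s.users[user]
	if !ok {
		return nil, nil, errors.New("unknown user")
	}
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	return nonce, sealed, err
}

// Verify compares the answer with the expected nonce in constant time.
func (s *Server) Verify(nonce, answer []byte) bool {
	return subtle.ConstantTimeCompare(nonce, answer) == 1
}

// Answer is the client side: only the holder of priv can open the challenge.
func Answer(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

// RunAuth performs one round; a wrong key fails to decrypt and is simply denied.
func RunAuth(s *Server, user string, priv *rsa.PrivateKey) (bool, error) {
	nonce, sealed, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	answer, err := Answer(priv, sealed)
	if err != nil {
		return false, nil
	}
	return s.Verify(nonce, answer), nil
}
```

Because every challenge is a new random nonce, a recorded answer from an earlier login does not verify against a later challenge, which is the replay property the post relies on.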

Lejo
Member
Posts: 717
Joined: Mon Oct 19, 2015 16:32
GitHub: Lejo1
In-game: Lejo

Re: Passwords Are Evil

by Lejo » Post

The idea is known and not bad, but it has some bad things:

Minetest already uses salted hashes (SRP), which are, as far as I know, one of the safest ways to store normal passwords.
What do you think about copying the private key? It must always be secured with a passphrase, which is not user friendly.
I would really hate it if I could not connect to a server without having my key. Example:
Nice to remember, right?
So the main problem is just that exporting a private key to another PC is insecure and absolutely not user friendly.
The passphrase will be as short as the password is now, so it's not certain it will help a lot.

Astrobe
Member
Posts: 330
Joined: Sun Apr 01, 2018 10:46

Re: Passwords Are Evil

by Astrobe » Post

You are right, the Minetest developers are not professionals. If you want a professional game made by professionals, pick Minecraft. Because it is owned by a company who pays programmers that do their job for a paycheck. All we have for Minetest are contributors that have to rely on a day job to pay their rents. They are not less competent, but they have less time.

That said, you forget a couple of things that many security advisors overlook.

The first thing is that cyber-security should be analyzed as three components: assets, threat and vulnerability.

What are the assets in Minetest? As far as I know, no server does micro-transactions or paid-for access. So there's no real money in the game. The only valuable thing players put in a Minetest server is their free time.

What are the threats? Given that there is no money to be stolen, the threat is mainly kids looking for pranks and perhaps advanced griefers.

What are the vulnerabilities? Assuming the passwords are not sent in plain text, the vulnerabilities are mainly weak passwords and perhaps "brute force attacks" (if Minetest doesn't have some sort of cooldown after a failed login attempt).

So the risk is that some kid/teen performs a brute force attack or guesses a password in order to ruin the experience of someone else.

You suggest public-private key authentication. But it breaks as easily as password based authentication with regard to your concerns. Here is how:
"<blackwarrior667>: Hey Progamer123, I'm actually blackwarrior666. I forgot my password/my PC broke so I had to make a new account. Can you share with me your protected area again?
<Progamer123> Ok"

The good old social engineering attack. It's even easier than spending X hours to try to guess a password. People who fall for this are also likely to use weak passwords.

The second thing you are overlooking is cost. It's not just about using some library. It also probably will require some GUI work (inform users that password authentication is not accepted on the server), it will require users to copy/back up their private keys, it will require additional translations, it will require additional documentation.

Why refuse to discard password-based authentication? Because the risk is too low with regard to the cost of its mitigation. Moreover, it also has significant drawbacks: it makes it harder to switch machines (remember Minetest has Android and PC versions), and you lose access to your account if your device/PC burns (because in reality few people make backups).

rubenwardy
Moderator
Posts: 6455
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: United Kingdom

Re: Passwords Are Evil

by rubenwardy » Post

Public key authentication does not make sense in such an application. It is overkill and not user-friendly. Passwords are not evil, and are here to stay.

twoelk
Member
Posts: 1427
Joined: Fri Apr 19, 2013 16:19
GitHub: twoelk
IRC: twoelk
In-game: twoelk
Location: northern Germany

Re: Passwords Are Evil

by twoelk » Post

Astrobe wrote:...
Moreover, it also has significant drawbacks: it makes it harder to switch machines (remember Minetest has Android and PC versions), and you lose access to your account if your device/PC burns (because in reality few people make backups).
One of the most important issues for me, as I use some half-a-dozen devices on a fairly regular basis and do access a Minetest server on most now and then. One of the reasons I prefer portable versions of software.
I did break my Android-based tablet lately though, so I guess that two of the Windows PCs now make up about 80% of my Minetest-related internet traffic. I did sort of inherit an old iPhone recently, so that I might widen the scope of platforms I try to run Minetest on. :-)

With the current fast-paced development in the digital technology industry, I consider any binding of an identification system to a single device very impractical.

sofar
Developer
Posts: 2132
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: Passwords Are Evil

by sofar » Post

Lejo wrote: I would really hate it if I could not connect to a server
This functionality is planned for mt2fa - it would allow you to reset your password to a server through an email confirmation. This wouldn't need any public-private key encryption, instead, it's more 2-factor like.

Lejo
Member
Posts: 717
Joined: Mon Oct 19, 2015 16:32
GitHub: Lejo1
In-game: Lejo

Re: Passwords Are Evil

by Lejo » Post

Cool!
But it should be optional because not everybody wants to give his number.

sofar
Developer
Posts: 2132
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: Passwords Are Evil

by sofar » Post

Lejo wrote:But it should be optional because not everybody wants to give his number.
The mt2fa mod doesn't dictate whether registration or logins are required, this is up to the server that deploys the mod. They can either require nothing, require registration, or require 2fa confirmation on each login.

RajMahal
Member
Posts: 10
Joined: Wed Jan 16, 2019 20:56

Re: Passwords Are Evil

by RajMahal » Post

rubenwardy wrote:Public key authentication does not make sense in such an application. It is overkill and not user-friendly. Passwords are not evil, and are here to stay.
That was a good read, thank you.

yw05
Member
Posts: 124
Joined: Tue May 07, 2019 12:59

Re: Passwords Are Evil

by yw05 » Post

Some problems here.
XiongChangnian wrote:Most people have difficulty remembering dozens of them, which immediately leads to frustration and shortly to resorts such as weak passwords, password reuse, and writing down in insecure locations.
If you have problems with passwords, write them down. If you don't know where to put them, put them somewhere private (e.g. in a phone with biometrics or something like that).
Also, I don't consider memory a problem - many Christians can remember the whole Bible.
XiongChangnian wrote: This leads to a round of server-side attempts to patch these issues... which open new holes and widen others. Next thing you see, a hundred million accounts are exposed and it's on local broadcast teevee.
I fail to see why weak passwords result in this - weak passwords are the users' fault, not the servers'. The server only has the responsibility to keep passwords safe (that's another problem), not to magically make passwords stronger.
XiongChangnian wrote: This isn't just stupid; it's evil. Because all rationales for password authentication boil down to laziness and, in some cases, a desire to keep the user vulnerable.
Why?
XiongChangnian wrote: The obviously better authentication methods rely on public-key encryption. Mature, robust libraries exist with suitable implementations; I should not need to school a professional.
I fail to see why this solves any of the problems mentioned above.
