Oh, boy. Password handling.
I love this stuff. Part of how I earn a living.
I don’t know much of the details of CCP’s implementation, but for various reasons I suspect it’s quite sound.
In general the process would be:
The launcher handles the submission of the player’s credentials to the authentication service over TLS and gets a session token that it can pass to the game client. I know (from issues in Wine library mapping) that the launcher is reliant on calls to crypto-libraries.
The authentication engine will be some form of LDAP/Kerberos type operation using a salted & hashed password store - these are all nice standard components for handling this kind of thing (an MS AD would do the job, but there are others). The trick in security is “use a well tested existing bit of software - don’t roll your own”. Unless you really know what you are doing, inventing your own is going to have flaws in it, and why waste time re-inventing the wheel anyway.
When you save the account details in the launcher those details are held in the Windows Key Management Service on your PC (for better or worse). CCP used to have their own Key Storage thing in the launcher but migrated that over a couple of months back (“don’t roll your own!” - though it probably was as good as Windows KMS, but it requires support from your in-house developers and that’s wasteful). We know that because it broke Wine and took some development to get the launcher working again on Linux.
That CCP are moving away from “roll your own” is a good sign.
There are good reasons to be comfortable with the way CCP are handling account credentials: they are a fairly large operation and, since they hold Credit Card details, are going to be subject to some external scrutiny - such as PCI DSS, which while not infallible is at least a hurdle. They also have dedicated security people - rather than just “developers wearing a security funny hat”.
Us security people bring our own funny hats.
Adobe’s idiocy of “we hold the passwords encrypted” was stupid. One indicator of how a company treats credentials is how they do password resets. If they can send you your password when you have forgotten it, or they send you a confirming e-mail which copies your password back to you, then they are definitely doing it wrong. Hashing means “only you can know your password” (which is why it can be used to authenticate).
I also get nervous when a company makes “we encrypt passwords” claims - either they are genuinely doing encryption not hashing (bad) or they don’t know what they are talking about but want to make the right noises (not good). I’ll take the phrase “we one-way encrypt passwords” as “we hash but don’t think the public understand what Hash means”.
I’ve seen one, subtle, bit of not-perfect practice with CCP handling authentication - it’s around the 2FA shared secret processes - but it’s a relatively minor flaw which shouldn’t cause an issue for most people who do sensible things like “delete data from phones before recycling them”.
Basically: I’m happy trusting CCP with handling the details they need to handle for the service they provide me. But that’s a “just trust me” argument.
Don’t add too much salt if making hash: the corned beef has enough in it already.
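An added example, not part of the original post and not CCP's code: a minimal salted and hashed password store with the reset flow the post uses as a tell, where the service can check a password and replace it but has nothing it could mail back. The function names, the PBKDF2 parameters and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Store only a per-user random salt and the derived hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare in constant time."""
    return hmac.compare_digest(_derive(attempt, record["salt"]), record["hash"])


def start_reset(store: dict, user: str) -> str:
    """Issue a one-time token; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    store[user]["reset"] = hashlib.sha256(token.encode()).digest()
    return token  # delivered out of band, e.g. by e-mail


def finish_reset(store: dict, user: str, token: str, new_password: str) -> bool:
    """Replace the password if the token matches; the token is single use."""
    expected = store[user].pop("reset", None)
    supplied = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False
    store[user].update(make_record(new_password))
    return True


if __name__ == "__main__":
    # Constructed sample accounts sharing one password.
    store = {u: make_record("correct horse") for u in ("alice", "bob")}
    print("same password, same stored hash?",
          store["alice"]["hash"] == store["bob"]["hash"])
    token = start_reset(store, "alice")
    print("reset ok:", finish_reset(store, "alice", token, "new passphrase"))
    print("old password still works?", verify(store["alice"], "correct horse"))
```

There is deliberately no function that returns a password: the store holds nothing from which one could be read back, which is why a service built this way can only offer a reset.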