Storage of Passwords

Um, just wondering how the passwords are stored. It’s common nowadays to do something like this, user makes a password, fancy math is done, and a hash is created that is stored on the server. When the user logs in, he enters password on the client, fancy math is done, then the server checks the hash with the stored value. If there was a leak of the password hash file, there is no worries since you can’t get someone’s password even if you know the hash.

Several years ago there was a leak from Adobe where it turned out they encrypted their user’s passwords instead of hashing them. Then someone released the file of the encrypted passwords on the internet. Which means anyone who gets the key now has access to all the passwords.

EVE does hashing not encrypting right? Surely everyone learned from Adobe’s mistake. And if not, well, a patch can fix things.

They aren’t likely to tell you exactly what is done but its probably a salted hash, there are numerous libraries available for generating them these days

Mmm, I do love me some salted hash…

1 Like

In a used Tesco bag under the fridge.

Oh, boy. Password handling.
I love this stuff. Part of how I earn a living.

I don’t know much of the details of CCP’s implementation, but for various reasons I suspect it’s quite sound.

In general the process would be:
The launcher handles the submission of the players credentials to the authentication service over TLS and gets a session token that it can pass to the game client. I know (from issues in Wine library mapping) that the launcher is reliant on calls to crypto-libraries.
The authentication engine will be some form of LDAP/Kerberous type operation using a salted & hashed password store - these are all nice standard components for handling this kind of thing (an MS AD would do the job, but there are others). The trick in security is “use a well tested existing bit of software - don’t roll you own”. Unless you really know what you are doing, inventing your own is going to have flaws in it, and why waste time re-inventing the wheel anyway.

When you save the account details in the launcher those details are held in the Windows Key Management Service on your PC (for better or worse). CCP used to have their one Key Storage thing in the launcher but migrated that over a couple of months back (“don’t roll your own!” - though it probably was as good as Windows KMS, but it requires support from your in-house developers and that’s wasteful). We know that because it broke Wine and took some development to get the launcher working again on Linux.
That CCP are moving away from “roll your own” is a good sign.

There are good reasons to be comfortable with the way CCP are handling account credentials: they are a fairly large operation and, since they hold Credit Card details, are going to be subject to some external scrutiny - such as PCI DSS, which while not infallible is at least a hurdle. They also have dedicated security people - rather than just “developers wearing a security funny hat”.
Us security people bring our own funny hats.

Adobe’s idiocy of “we hold the passwords encrypted” was stupid. One indicator of how a company treats credentials is how they do password resets. If they can send you your password when you have forgotten it, or they send you a confirming e-mail which copies your password back to you, then they are definitely doing it wrong. Hashing means “only you can know your password” (which is why it can be used to authenticate).
I also get nervous when a company makes “we encrypt passwords” claims - either they are genuinely doing encryption not hashing (bad) or they don’t know what they are talking about but want to make the right noises (not good). I’ll take the phrase “we one-way encrypt passwords” as “we hash but don’t think the public understand what Hash means”.

I’ve seen one, subtle, bit of not-perfect practice with CCP handling authentication - it’s around the 2FA shared secret processes - but it’s a relatively minor flaw which shouldn’t cause an issue for most people who do sensible things like “delete data from phones before recycling them”.

Basically: I’m happy trusting CCP with handling the details they need to handle for the service they provide me. But that’s a “just trust me” argument.

Don’t add too much salt if making hash: the corned beef has enough in it already.

1 Like

Yeah, I read about the Adobe case and it got me worried and I started going around asking things. For example, Bank of America thankfully does it the correct way, although it took me a surprising amount of time to find out. And after 7 days I worked my way to here and asked “uh… we’re doing it correctly with hashing not encrypting right?”

Realistically it shouldn’t matter anyway, because YOU shouldn’t be re-using passwords on multiple sites to begin with, so even if they were to gain access to your EVE password all they get is your EVE account :stuck_out_tongue:

1 Like

There’s a reason I went to BoA first, but someone getting my EVE account is something I’d rather not have happen.

If anyone doesn’t feel too attached to their characters, how about just giving them to me for a week? I’ll give them back I promise.

You’ve been a lot more diligent than most in actually checking - I’m (because of my work) very aware of the red flags, and some of the tell-tails of things being done right. But it still irritates me when some large organisations get the basics wrong.

I’d not like anyone to gain access to my Eve account - I’d rather not loose the virtual assets and relationships I’ve accumulated over the years (the latter being the more important to me).

1 Like

I’d rather not either, and I wasn’t asking for anyone’s account. But someone was like “well, it’s only your EVE account” and I’m like “well, if you’re not that attached, I won’t even ask for that account, but a character you use on it, and I’ll give it back after 170 hours”

Well the fact that it would please you would be a reason not to.

Not everything is abouta person’s own happiness, the unhappiness or lessening of the happiness of most others is often anyone’s goal in life.

reported for account sharing

I thought character trading was allowed but account sharing was forbidden?

All I know is that the pop-up keeps trying to tell me that using MrEpeen as my password with my acct name MrEpeen is not secure. It’s been fine for the last dozen years and I think I’ll stick with it, thank you very much.

Mr Epeen :sunglasses: