[Discussion] New way to login

Comments in 'Plugin Development' started by MyNameIsTriXz, Sep 9, 2016.

  1. MyNameIsTriXz
    Offline

    MyNameIsTriXz Notable Member

    Joined:
    Aug 17, 2015
    Posts:
    538
    Minecraft User:
    MyNameIsTriXz
    After leet.cc and Lifeboat were hacked and over 13.000.000 passwords were stolen, trust in MCPE servers has suffered. And other servers even steal your servers, by looking in their non-hashed database *cough* MiniBoxPE.de *cough*. I really think we should try to find a new way to log in; my thought is a PIN-like login system. It works like this: You enter a server and are teleported to a room where there are 3×4 signs, representing 1 - 9, confirm, 0, back. You need to type in your PIN code, which has 4 - 12 letters. I'd prefer it since it doesn't use your real password and isn't dangerous at all. What do you think about it? If you like the idea, would you like to help with the project? Or do you think it is hard for newbies to understand the system?
    archie426 and XShockinFireX like this.
  2. CraftYourBukkit
    Offline

    CraftYourBukkit Notable Member Plugin Developer

    Joined:
    Jan 20, 2015
    Posts:
    1,022
    Plugins:
    2
    Minecraft User:
    CraftYourBukkit
    Why signs though?
    I wouldn't like to click on signs every time I join. Rather use /pin 1234
    applqpak likes this.
  3. JackboyPlay
    Offline

    JackboyPlay Active Member

    Joined:
    Apr 25, 2015
    Posts:
    507
    Minecraft User:
    JackboyPlay
    *cough* MiniboxPE.de bullshit *cough*
    jasonwynn10 and MyNameIsTriXz like this.
  4. JackboyPlay
    Offline

    JackboyPlay Active Member

    Joined:
    Apr 25, 2015
    Posts:
    507
    Minecraft User:
    JackboyPlay
    Maybe make it so that people must use XBox
    jasonwynn10 and Primus like this.
  5. Muqsit
    Offline

    Muqsit Active Member

    Joined:
    Sep 9, 2015
    Posts:
    175
    Minecraft User:
    Muqsit
    Passwords > PIN codes.
    As 'integer > 4' is > 'integer = 4'
    PIN code idea is bullshit. We need face recognition authorization.
    Yeah it was a joke, you dumb ****

    All you need is 'trust'. Even Google is capable of stealing your data. If you have a Google account, you've already exposed all your data (incl. passwords) to Google.

    You can find out a player's password easily, don't even need to unhash it (I don't know why mini box is that dumb to unhash passwords...if it even does that).

    You can't have an 'un-hackable-password-database'. Doesn't matter however much you contribute to your server's security, it'll still remain breachable. Just like DDoS attacks cannot be stopped (but can be migrated).
    Last edited: Sep 9, 2016
    dktapps, applqpak and Survingo like this.
  6. Legoboy0215
    Offline

    Legoboy0215 Notable Member

    Joined:
    Nov 1, 2014
    Posts:
    1,724
    Minecraft User:
    Legoboy0215
    I believe the word is mitigation, as you try to mitigate the attack. Now back on topic. I personally like the XBox live system, but one problem is that a lot of players may not have the ability to create one. The auth plugins we use now are not perfect either. The best way is to use a salted hash, which would help a lot. But say, if the user has a keylogger malware installed on their device, what can you do? Anyways, plain text passwords are obviously the worst. Also, you should prevent users from entering really bad passwords like password123 etc. To summarize, nothing is perfect. Some day XBox Live will be hacked too.
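
The salted-hash storage and weak-password refusal described in the post above, as an added example (not code from the thread or from any existing auth plugin). The function names, the deny-list and the sample players are hypothetical; only PHP's built-in `password_hash()` and `password_verify()` are real APIs.

```php
<?php
declare(strict_types=1);

// Constructed deny-list for the example; a real plugin would load a larger one.
const WEAK_PASSWORDS = ['password123', 'password', '12345678', 'qwertyuiop'];

/** Hypothetical helper: returns the string to store, or null if the password is refused. */
function registerPassword(string $username, string $password): ?string
{
    $lower = strtolower($password);
    if (strlen($password) < 8
        || in_array($lower, WEAK_PASSWORDS, true)
        || $lower === strtolower($username)) {
        return null;
    }
    // password_hash() draws a fresh random salt and embeds it, with the
    // algorithm and cost, in the returned string. Only this string is stored.
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Hypothetical helper: checks a login attempt against the stored string. */
function checkLogin(string $attempt, string $stored): bool
{
    return password_verify($attempt, $stored);
}

// Two constructed players who happen to pick the same password.
$db = [
    'alice' => registerPassword('alice', 'correct horse battery'),
    'bob'   => registerPassword('bob', 'correct horse battery'),
];

echo "stored for alice: {$db['alice']}\n";
echo "stored for bob:   {$db['bob']}\n";
echo 'same password, same stored value? ';
var_dump($db['alice'] === $db['bob']);
echo 'right password accepted? ';
var_dump(checkLogin('correct horse battery', $db['alice']));
echo 'wrong password accepted? ';
var_dump(checkLogin('correct horse staple', $db['alice']));
echo 'password123 refused at registration? ';
var_dump(registerPassword('carol', 'password123') === null);
```

A per-user salt means a leaked table cannot be attacked with one precomputed lookup, but it does not rescue a short numeric code: a 4-digit PIN has only 10,000 candidates to try per stored value.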
  7. Primus
    Offline

    Primus Notable Member

    Joined:
    Apr 7, 2015
    Posts:
    1,470
    Minecraft User:
    PrimusLV
    The worst of all in passwords is that users tend to use the same passwords everywhere else. The current best way to handle authentication is XBox Live accounts, and it will be for a long time.
    applqpak likes this.
  8. MyNameIsTriXz
    Offline

    MyNameIsTriXz Notable Member

    Joined:
    Aug 17, 2015
    Posts:
    538
    Minecraft User:
    MyNameIsTriXz
    XBox live is in my opinion not good, maybe its service and security is great, but not the way to set it up... My friend has an Xbox live account which he used to pay for applications, so he will use it as his main account; unfortunately he has a space in his name, so he can't use it in MCPE -> trash. And the next problem is the setup: everyone just wants to play, not fill in text fields. And the setup takes way too long to load, because it's a web view. That's why I would prefer a better Xbox authentication or authentication like on PC. And its choosability is not a good idea. And what I meant by sign login: it's a way to protect your real passwords (because it has to be numeric) and it's faster because you don't have to open the chat, which lags on servers with a lot of messages.
  9. MyNameIsTriXz
    Offline

    MyNameIsTriXz Notable Member

    Joined:
    Aug 17, 2015
    Posts:
    538
    Minecraft User:
    MyNameIsTriXz
    MCPE users with bad phones will probably prefer the sign method because opening the chat on big servers can lag (typing in too).
  10. MyNameIsTriXz
    Offline

    MyNameIsTriXz Notable Member

    Joined:
    Aug 17, 2015
    Posts:
    538
    Minecraft User:
    MyNameIsTriXz
    Yes, but its choosability and the fact that the client doesn't send any Xbox Live packets make Xbox live useless for servers...
  11. MyNameIsTriXz
    Offline

    MyNameIsTriXz Notable Member

    Joined:
    Aug 17, 2015
    Posts:
    538
    Minecraft User:
    MyNameIsTriXz
    No xbox live packets....
  12. MyNameIsTriXz
    Offline

    MyNameIsTriXz Notable Member

    Joined:
    Aug 17, 2015
    Posts:
    538
    Minecraft User:
    MyNameIsTriXz
    If MCPE would just send a packet like $player->isXboxLiveAuthenticated()... just one boolean...:(
  13. CraftYourBukkit
    Offline

    CraftYourBukkit Notable Member Plugin Developer

    Joined:
    Jan 20, 2015
    Posts:
    1,022
    Plugins:
    2
    Minecraft User:
    CraftYourBukkit
    It'd lag at walking as well then. :p
    LoginPacket should have some data.
    applqpak likes this.
  14. Extreme_Heat
    Offline

    Extreme_Heat Active Member

    Joined:
    Apr 19, 2016
    Posts:
    76
    Minecraft User:
    Extreme_Heat
    Implementing your own authentication when there already is an authentication mechanism implemented is pretty redundant.

    Xbox Live authentication works fine when properly implemented -- there's no annoying hassle of opening chat, registering, typing out passwords, etc. every single time a player needs to join.

    Spaces in MCPE usernames are only a problem with PocketMine. PocketMine doesn't allow them because they mess with command syntax when you need to target a player. Someone mentioned in another thread that converting spaces to underscores internally wouldn't be feasible because the game allowed you to include underscores in usernames as is, leading to collisions. This however shouldn't be an issue if you only allow Xbox Live authenticated users since underscores are illegal in gamer tags.

    This is a really bad idea -- in fact, it wouldn't work at all. If the client simply tells the server "hey, I'm authenticated" then how can you verify this? You should never trust the client. You need some sort of "secure" way to figure out if the client is authenticated, and the client sends this "secure" information in the LoginPacket as mentioned. The server has to cryptographically verify the client's authentication data to make sure that it came from a trusted entity. It's "complicated" for your own good.

    Sanely implementing Xbox Live authentication will require changes to the PocketMine core and external dependencies like OpenSSL so don't expect a simple plugin to come along and implement this. While this *could* be done with a plugin (I have a plugin that can do this) it requires hijacking all inbound packets, checking for a login packet, and implementing your own decoder, then changing user data accordingly so PocketMine can continue with the login sequence.
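
The difference between a client saying "I'm authenticated" and the server verifying signed authentication data, as an added example (not Extreme_Heat's plugin and not PocketMine code). The two-part token layout, the function names and the claim fields are assumptions made for illustration; it is not the actual LoginPacket format, which the thread does not describe. It uses PHP's OpenSSL extension, the dependency mentioned in the thread.

```php
<?php
declare(strict_types=1);

const EC = ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'];

// Constructed stand-in for the trusted identity service. A real server holds
// only the service's public key; the pair is generated here to run offline.
$service = openssl_pkey_new(EC);
$trustedPublicKey = openssl_pkey_get_details($service)['key'];

/** Hypothetical issuer side: sign the claims with the service's private key. */
function issueToken($privateKey, array $claims): string
{
    $payload = json_encode($claims);
    openssl_sign($payload, $signature, $privateKey, OPENSSL_ALGO_SHA256);
    return base64_encode($payload) . '.' . base64_encode($signature);
}

/** Server side: returns the verified claims, or null if the token is not trusted. */
function verifyLoginToken(string $token, string $publicKeyPem, int $now): ?array
{
    $parts = explode('.', $token);
    $payload = base64_decode($parts[0], true);
    $signature = base64_decode($parts[1] ?? '', true);
    if (count($parts) !== 2 || $payload === false || $signature === false) {
        return null;
    }
    // Only 1 means "valid"; 0, -1 and false are all treated as rejection.
    if (openssl_verify($payload, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    $claims = json_decode($payload, true);
    $ok = is_array($claims) && is_string($claims['name'] ?? null) && ($claims['exp'] ?? 0) >= $now;
    return $ok ? $claims : null;
}

$now = 1473400000; // constructed clock value
$claims = ['name' => 'Steve', 'exp' => $now + 300];
$tokens = [
    'signed by the trusted service' => issueToken($service, $claims),
    'signed by an unknown key' => issueToken(openssl_pkey_new(EC), $claims),
    'payload edited after signing' => base64_encode(json_encode(['name' => 'Admin', 'exp' => $now + 300]))
        . '.' . explode('.', issueToken($service, $claims))[1],
    'bare client claim, no signature' => base64_encode(json_encode(['authenticated' => true])),
    'expired' => issueToken($service, ['name' => 'Steve', 'exp' => $now - 1]),
];
foreach ($tokens as $label => $token) {
    echo $label, ': ', verifyLoginToken($token, $trustedPublicKey, $now) === null ? 'rejected' : 'accepted', "\n";
}
```

The server's decision depends only on the signature check against a key it already trusts and on the claims inside the signed payload, never on a flag the client sets for itself.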
  15. JackboyPlay
    Offline

    JackboyPlay Active Member

    Joined:
    Apr 25, 2015
    Posts:
    507
    Minecraft User:
    JackboyPlay
    Ehm, moving is lagging too, and you can hide all other players if the player isn't authenticated
  16. EdwardAllington
    Offline

    EdwardAllington Active Member

    Joined:
    Jan 29, 2015
    Posts:
    78
    Minecraft User:
    Edwardthedog2
    We all have to admit that better security makes for a better server, yes. But what difference would it make to use this "sign auth" instead of a standard auth plugin that works by typing your password into chat? It could still be hacked, either way. Besides, if opening chat and sending a message has too much lag, then those players in question probably couldn't walk, jump, break/place blocks, etc. without getting at least as much (if not a ton more) lag. The best thing to do would be to just go through Xbox Live. Even that however isn't complete security. In fact, if someone was to gain access to another player's Xbox Live account, then they would be able to play on all servers as them.
    applqpak and XShockinFireX like this.
  17. applqpak
    Offline

    applqpak Active Member Plugin Developer

    Joined:
    Dec 16, 2015
    Posts:
    284
    Plugins:
    1
    Minecraft User:
    applqpak
    Ahem, that's why you don't buy $20 Android phones.
    Muqsit, Vaivez66 and EdwardAllington like this.
  18. Legoboy0215
    Offline

    Legoboy0215 Notable Member

    Joined:
    Nov 1, 2014
    Posts:
    1,724
    Minecraft User:
    Legoboy0215
    I like @Extreme_Heat's point about the core changing stuff. Where does this problem come back to? Inactive developers :(. A spoon dev already has successfully done that on the spoon. Something off topic, but as all security experts say, never use the same password for any account. The only reason was when we first touched our e-devices, people told us to use the same password so we can remember it.
    Last edited: Sep 12, 2016
    applqpak likes this.
  19. dktapps
    Offline

    dktapps Active Member

    Joined:
    Jul 25, 2016
    Posts:
    101
    @Legoboy0215 actually it wasn't me, it was Tatsuyuki. I can't claim credit for everything. :p

    But the core changes weren't major, although OpenSSL is required for XBL auth to work. If the extension isn't present, auth will automatically be disabled. It's also configurable via 'online-mode' in server.properties.
    applqpak and Legoboy0215 like this.
  20. Legoboy0215
    Offline

    Legoboy0215 Notable Member

    Joined:
    Nov 1, 2014
    Posts:
    1,724
    Minecraft User:
    Legoboy0215
    Changed my post ;) Is OpenSSL required because of the 'cryptography' that is involved? XBox live auth is interesting but I think still traditional auth is going to stay very strong. Off-topic: Don't make your password Harambe, everyone has that down now in their attack dictionary :D
    applqpak likes this.
