Security in SL, a disaster waiting to happen
Thili Playfair
Registered User
Join date: 18 Aug 2004
Posts: 2,417
08-12-2006 13:51
Security in SL is way too slack. How to get a user login: Login; well, you already know their login name, just use any avatar name. Password; then just guess away at the password, which can be found out if you keep a password creator on it long enough. Even with 25208xcqh23toA as the login password it would find it (it would probably take a year to try though :P); you can set up a macro to try different passwords about a trillion times. Then what could happen? Oh... let's say someone who has a lot of money suddenly gets 0L$, and this isn't small money they can lose either. This is a disaster waiting to happen. ~.o

Does this work? Oh, you bet it does. My ex and I thought we'd try it, so I set up my other PC to try a lot of passwords and kept it on for a while (yes, this took frigging forever), but it did work and I logged in on his account. (Eh, like I didn't already know it, but then again it was for a test -.- ;)

Dear LL, give us different login names/something. SL is getting griefed more and more, and this is one that will be around any time now if something isn't done. Yes, you can revert any actions that would happen if they did, but the trust would plummet to zero.
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
08-12-2006 15:23
Asked for this twice already. Waiting for any answer on the post I made on the Answers forum. I want this. I noticed it when I first signed up but kept forgetting to bring it up until recently.
_____________________
Aodhan's Forge shop at slurl.com/secondlife/Rieul/95/213/107
KatanaBlade Anubis
House of Blade
Join date: 20 Jun 2004
Posts: 369
08-12-2006 16:14
It's always a good idea, no matter what, to change your password frequently. But I agree it is a dangerous flaw; it would be nice to have a login with a secondary verification. For example, on a lot of websites you have to enter the random visual code to enter, so a program bot can't just keep running and searching.
Lex Neva
wears dorky glasses
Join date: 27 Nov 2004
Posts: 1,361
08-12-2006 16:42
Barring a separate login, accounts should be locked after 5 or so failed password attempts.
I mean, duh.
Edit: Actually, maybe not duh. Some idiot could lock my account for me just by trying to log in as me. Maybe a given IP should be locked out of accessing a given account if it fails 5 logins in a row to that account, then.
Travis Bjornson
Registered User
Join date: 25 Sep 2005
Posts: 188
08-12-2006 21:00
It's not really a flaw, but yes, it would be helpful if accounts were locked after 5 attempts.

From: someone
"a secondary verification, example a lot of websites you have to enter the random visual code"

Hell no.
otakup0pe Neumann
Registered User
Join date: 30 May 2006
Posts: 9
08-12-2006 21:15
This is what's known as a "brute force" attack. Show me a service that isn't vulnerable to it... The best thing for LL to implement that would help alleviate this problem would be throttling after a certain number of failed logins. It doesn't get rid of the problem, it just takes longer.
Travis Bjornson
Registered User
Join date: 25 Sep 2005
Posts: 188
08-12-2006 21:32
Yes, actually, that's better than locking. After maybe 3 failed attempts ... on each future attempt from that IP, delay 3 to 5 minutes before telling whether or not the password is correct. Reset when a successful login is achieved from that IP.
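A server-side version of the throttle proposed in this post, combined with the per-address lockout suggested earlier in the thread, written here as an added example; it is not code from Linden Lab or from anyone in the thread. It assumes passwords are stored as salted PBKDF2 hashes, three free attempts, a three-minute base delay that doubles on each further miss and a successful login that resets the counter for that address; the account name, addresses and timestamps are constructed for the walk-through.

```python
"""Login throttling keyed by (client address, account).

Added example, not Linden Lab code. Three free attempts, then a delay that
doubles on every further miss, reset by a successful login from that address;
keying on the pair rather than the account alone means a stranger cannot lock
you out of your own account. Names, addresses and timings are constructed."""
import hashlib
import hmac
import os
from collections import defaultdict

GENERIC_ERROR = "wrong username or password"  # one answer for bad name and bad password
_DUMMY_SALT = os.urandom(16)                  # used when the name does not exist


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked store is not a list of passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    def __init__(self, free_attempts=3, base_delay=180.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = defaultdict(int)  # (ip, account) -> consecutive misses
        self._not_before = {}              # (ip, account) -> earliest allowed attempt

    def wait_seconds(self, ip, account, now):
        return max(0.0, self._not_before.get((ip, account), 0.0) - now)

    def record_failure(self, ip, account, now):
        key = (ip, account)
        self._failures[key] += 1
        excess = self._failures[key] - self.free_attempts
        if excess >= 0:  # from the third miss: 3 min, 6 min, 12 min, ... up to the cap
            self._not_before[key] = now + min(self.max_delay, self.base_delay * 2 ** excess)

    def record_success(self, ip, account):
        self._failures.pop((ip, account), None)
        self._not_before.pop((ip, account), None)


class LoginService:
    def __init__(self, throttle):
        self.throttle = throttle
        self._accounts = {}  # avatar name -> (salt, password hash)

    def register(self, account, password):
        salt = os.urandom(16)
        self._accounts[account] = (salt, hash_password(password, salt))

    def login(self, ip, account, password, now):
        """Returns "throttled", "denied" or "ok". The client only ever sees a
        retry-after or GENERIC_ERROR, never which half was wrong."""
        if self.throttle.wait_seconds(ip, account, now) > 0:
            return "throttled"  # refused before the password is even looked at
        known = account in self._accounts
        salt, stored = self._accounts.get(account, (_DUMMY_SALT, bytes(32)))
        # Hash for unknown names too, so timing does not reveal which names exist.
        match = hmac.compare_digest(hash_password(password, salt), stored)
        if known and match:
            self.throttle.record_success(ip, account)
            return "ok"
        self.throttle.record_failure(ip, account, now)
        return "denied"


def simulate():
    """Constructed timeline: one address guesses at an account while the
    real owner logs in from another. Returns the outcome of each attempt."""
    svc = LoginService(LoginThrottle())
    svc.register("Argent Stonecutter", "secretg0rilla2")
    attacker, owner, name = "203.0.113.7", "198.51.100.5", "Argent Stonecutter"
    script = [
        (attacker, name, "password1", 0.0),
        (attacker, name, "gorilla", 1.0),
        (attacker, name, "g0rilla2", 2.0),          # third miss: 180 s delay begins
        (attacker, name, "secretg0rilla2", 3.0),    # right guess, but still throttled
        (owner, name, "secretg0rilla2", 3.0),       # owner's address is unaffected
        (attacker, name, "hunter2", 200.0),         # delay expired; miss -> 360 s
        (attacker, name, "secretg0rilla2", 400.0),  # inside the 360 s window
    ]
    return [svc.login(ip, acct, pw, t) for ip, acct, pw, t in script]
```

Because the state is keyed on the (address, account) pair, the owner's login from a second address succeeds while the attacker's fourth attempt is refused even though the password is right, and the refusal happens before the hash is computed. The hash is computed for unknown names as well as wrong passwords, with the same generic message for both, so neither the reply nor its timing reveals which names exist. A real deployment would additionally count misses per address across all accounts and per account across all addresses, since an attacker can rotate addresses, and would tell the owner when their account is being hammered.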
Thili Playfair
Registered User
Join date: 18 Aug 2004
Posts: 2,417
08-13-2006 01:18
"This is what's known as a "brute force" attack. Show me a service that isn't vulnerable to it."
A setup that isn't as crap as SL's. Yes, you can get into anything if you do it long enough, but...
That is not the point; we should not know a user's login. SL uses your avatar First/Last name, so you don't have to guess that one, which just leaves a password. SL is: Login; known. Password; unknown. Security; very bad, you only need to guess the last piece, which doesn't really take too long.
This is, however, up to how you make your password; something like
693nvw2oaq1249n5mkae9692m
would take forever to guess, and NEVER use anything you can find in a dictionary!
SL should be: Login; unknown. Password; unknown. Security; a lot harder to do, as you don't know half of what's required to log in; an attacker trying to find both login and password will be there for a loooong time. Plus an option to reset the password when you forget it (info/mail user, link thing); most online services do use this now. (Does this exist on SL? I never searched for it -.-)
Usagi Musashi
UM ™®
Join date: 24 Oct 2004
Posts: 6,083
08-13-2006 03:09
Thili, you have very good points here. We don't want to have a mass invasion of break-ins due to the lack of fail-safe options. I just hope sooner or later we'll get this feature.
Usagi
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
08-13-2006 04:15
Even with brute force, the unknown login + unknown password approach is more secure. It's more secure by a huge factor. The break-in probability is as if the length of the username and the length of the password were added together; the increase is exponential, as each additional character multiplies the possibilities by 36. An alternative would be to increase the password length, but this has disadvantages because the username is still known and thus minor annoyances like password change attempt messages will still arrive.
Lex Neva
wears dorky glasses
Join date: 27 Nov 2004
Posts: 1,361
08-13-2006 09:50
Plenty of online services have a visible username... it's not an unforgivable breach of security. Do you want to explain to a bunch of non-computer-savvy SLers why they suddenly have to choose a username that's different from their av name and provide the username, av first name, av last name, and password all just to log in? There'd be tons of people bitching to get rid of the username and just log in with your av name.
That said, throttling/locking would be a very good way to avert the possibility of a brute force attack.
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
08-13-2006 11:22
From: Lex Neva
"Plenty of online services have a visible username... it's not an unforgivable breach of security. Do you want to explain to a bunch of non-computer-savvy SLers why they suddenly have to choose a username that's different from their av name and provide the username, av first name, av last name, and password all just to log in? There'd be tons of people bitching to get rid of the username and just log in with your av name. That said, throttling/locking would be a very good way to avert the possibility of a brute force attack."

I agree with throttling and locking as part of the measure. As for those who want to use their Av name? That can be set as an option. For me? I want a login username different from my Av name. I hear an email is sent when someone tries to change your password, be it successful or not. To do that, all they need is your username.

Why is an unknown name better? Think like a criminal. There is this person in SL with a lot of money. If I wanted to get his money, all I need to do is crack his password. Whereas if there were an unknown username, knowing the person's SL name is not enough to even get close to his account. Assuming only letters and numbers in the username and password, each additional character increases the difficulty of cracking by a factor of 36. A 16-character username + a 16-character password is like having the strength of a 32-character password, with one important difference: you can't target a specific person if the username is unknown.
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
08-13-2006 13:45
All an "unknown login" does is effectively increase the length of the password by the length of the login name.
Let's say you had a 6 character login name and a 6 character password. You get the same level of security from a 12 character password. In fact you get a higher level of security:
6 character password - 782 billion possible combinations of ASCII characters
6 character login name - 464 billion possible combinations of letters and numbers
Total: 363 * 10^18 possibilities.
12 character login name - 612 * 10^18 possible combinations of ASCII characters
Account name - 300,000 possible account names
Total: 183 * 10^27 possibilities.
Looks like increasing your password length from 6 to 10 characters would make you 54 times as safe as having a 6-character account name and a 6-character password. And that's neglecting the fact that you can eliminate account names quickly by scripting the first step of account creation. How about compromising: increase the minimum password length by a couple of characters?
And, in any case, a "brute force" attack is really only practical if there's a mechanism to attempt a large number of logins a second. If there is one (is there?) limiting it to one attempt every few seconds would largely eliminate the value of brute force attacks.
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
08-13-2006 15:13
From: Argent Stonecutter
"6 character password - 782 billion possible combinations of ASCII characters
6 character login name - 464 billion possible combinations of letters and numbers
Total: 363 * 10^18 possibilities."

This assumes that non-alphanumeric characters will not be allowed in a username. But allowing such characters is possible.
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
08-13-2006 16:16
From: Aodhan McDunnough
"This assumes that non-alphanumeric characters will not be allowed in a username. But allowing such characters is possible."

Sure, but even in the extreme case you're still 300,000 times less secure than with a password of the same combined length. Besides: I'm assuming case-sensitive names, which allows for a 62-character set rather than the 36-character set you suggested.
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
08-13-2006 16:25
From: Argent Stonecutter
"Sure, but even in the extreme case you're still 300,000 times less secure than with a password of the same combined length. Besides: I'm assuming case-sensitive names, which allows for a 62-character set rather than the 36-character set you suggested."

Nah, not 300,000. The usual limitation is only for the first character being a literal. If both username and password allow full typable ASCII, then the difference is not 300,000. They'll only differ due to the limitation on the username's first character. But the username field can be made to waive those limitations.

The main reason for a username/password combo separate from the avatar name has nothing to do with password strength. It's the fact that with the username/password combo, the thief can't target a specific person. So with password-only, if said thief wants to target Argent Stonecutter... he has your username already. He can keep slogging away trying to break in. He is sure that if he succeeds someday, it's your account he's got. Whereas with a separate username he can't aim at you. He'll be hitting random targets if he gets anything at all. With the login screen saying only "wrong username or password" he won't know if he got anything right. Password-changing defence becomes more effective because there's no hint of the username being correct.
Thili Playfair
Registered User
Join date: 18 Aug 2004
Posts: 2,417
08-13-2006 23:06
"Whereas with a separate username he can't aim at you. He'll be hitting random targets if he gets anything at all. With the login screen saying only "wrong username or password" he won't know if he got anything right. Password-changing defence becomes more effective because there's no hint of the username being correct."
Yes, exactly, this is very secure.
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
08-14-2006 12:46
From: Aodhan McDunnough
"Nah, not 300,000. The usual limitation is only for the first character being a literal."

The "300,000" has nothing to do with the character set. Let me try this again: "Even if the username allows ALL the same characters as the password, a private username and a password of 'n' and 'm' characters apiece will be 300,000 times less secure than a public name and a password of 'n+m' characters." This is because a private username and a password is cryptologically equivalent to a password of the combined length. If a public name is also used, you need to provide one of the 300,000 names *as well as* the password.

From: someone
"So with password-only, if said thief wants to target Argent Stonecutter... he has your username already. He can keep slogging away trying to break in. He is sure that if he succeeds someday, it's your account he's got."

The difficulty of breaking into my account with an n+m-letter password is identical to the difficulty of breaking into ALL accounts with an n-letter user name and an m-letter password. Also, if he *does* get my user name (say by sniffing email, or social engineering) he's got the first 'n' letters of my effective password.

There are other advantages to having a separate user name (for example, you could log in and switch between your alts under the same user name more easily), but if you're worried about security, just make your password longer. For example, if I wanted to have the same security as I would with the user name "secret" and the password "g0rilla2", I could make my password "secretg0rilla2". The attacker has to make just as many attempts to get my account and password either way, *and* he wouldn't pick up a hundred thousand or so other people's passwords on the way.
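The search-space arithmetic argued over in the last several posts, worked through in code as an added example; it is not from the thread or from Linden Lab. The constants are the posts' own assumptions (96 printable ASCII symbols for a password, 88 for a login name, 36 for case-insensitive letters and digits, about 300,000 accounts), and the guess rates used for the time-to-exhaust figures are hypothetical.

```python
"""Search-space arithmetic behind the public-name vs private-username dispute.

Added example, not from the thread. Constants are the assumptions made in
the posts above (96 printable ASCII symbols for a password, 88 for a login
name, 36 for case-insensitive letters and digits, about 300,000 accounts);
guess rates are hypothetical. Change the constants to test other assumptions."""
from fractions import Fraction

PRINTABLE_ASCII = 96
NAME_ALPHABET = 88
ALNUM_NO_CASE = 36
MIXED_ALNUM = 62
ACCOUNT_COUNT = 300_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols drawn from `alphabet` symbols."""
    return alphabet ** length


def targeted_space(password_len: int, pw_alphabet: int = PRINTABLE_ASCII) -> int:
    """Work to break one chosen account whose login name is public."""
    return search_space(pw_alphabet, password_len)


def public_name_scheme(password_len: int, pw_alphabet: int = PRINTABLE_ASCII,
                       accounts: int = ACCOUNT_COUNT) -> int:
    """Total (name, password) pairs when names are public: every account's
    password space, summed over all accounts."""
    return accounts * targeted_space(password_len, pw_alphabet)


def private_name_scheme(name_len: int, password_len: int,
                        name_alphabet: int = NAME_ALPHABET,
                        pw_alphabet: int = PRINTABLE_ASCII) -> int:
    """Total pairs when the name is secret: one credential of combined length,
    and a hit is *some* account rather than a chosen one."""
    return search_space(name_alphabet, name_len) * search_space(pw_alphabet, password_len)


def advantage(public_pw_len: int, name_len: int, private_pw_len: int) -> Fraction:
    """How many times larger the public-name total is (the '54 times' figure above)."""
    return Fraction(public_name_scheme(public_pw_len),
                    private_name_scheme(name_len, private_pw_len))


def years_to_exhaust(space: int, attempts_per_second: float) -> float:
    """Worst case: every candidate tried at a sustained guess rate."""
    return space / attempts_per_second / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """The concrete comparisons argued in the thread, computed exactly."""
    return {
        # the two per-piece figures quoted above
        "pw6": search_space(PRINTABLE_ASCII, 6),
        "name6": search_space(NAME_ALPHABET, 6),
        # one more case-insensitive alphanumeric character multiplies the work by 36
        "one_more_char_factor": Fraction(search_space(ALNUM_NO_CASE, 7),
                                         search_space(ALNUM_NO_CASE, 6)),
        # 10-char password with a public name vs secret 6-char name + 6-char password
        "public10_over_private6_6": advantage(10, 6, 6),
        # same alphabet for both halves: 'secret' + 'g0rilla2' spans exactly the
        # space of the 14-character password 'secretg0rilla2' ...
        "split_equals_joined": private_name_scheme(6, 8, PRINTABLE_ASCII) == targeted_space(14),
        # ... and with a public name the total is that space times the account count
        "public14_over_private6_8": Fraction(public_name_scheme(14),
                                             private_name_scheme(6, 8, PRINTABLE_ASCII)),
        # what a throttle does to a weak and to a strong password (hypothetical rates)
        "years_8lower_at_1000ps": years_to_exhaust(search_space(26, 8), 1000.0),
        "years_8lower_throttled": years_to_exhaust(search_space(26, 8), 1 / 3.0),
        "years_14mixed_at_1000ps": years_to_exhaust(search_space(MIXED_ALNUM, 14), 1000.0),
    }
```

The 10-character-public-name versus 6+6 ratio comes out just under 55, matching the "54 times" figure; a secret name and a password multiply to exactly the space of one password of the combined length, and adding a public name multiplies that by the account count, which is the 300,000 both sides argue over. The last three entries are the practical point: eight lowercase letters fall in about six and a half years at a thousand guesses a second but take roughly twenty thousand years at one guess every three seconds, while fourteen mixed-case alphanumerics are out of reach at either rate.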
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
08-14-2006 12:53
In that case, I do want either a username/password setup or a longer password. It's also a personal preference that a thief can't aim at me, hence my preference for a separate username. Regardless of which system they'd change to, it's better than the 16-character password we have now. The password's not enough for me.
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
08-14-2006 15:27
Does the password field accept unicode characters?
It's actually a crappy situation. The reason for SL's two names is to allow people to have identical first names. One problem with MMOs is user names. When people have to pick obscure account names (because more desirable names are taken), they are much harder to remember.
Some services solve this account name problem by using the user's email address as the account name. This approach has the same problem as above: if the email address is publicly known, then the account can be attacked.
Some solutions are better than others. Generally, the stronger the security, the more difficult it is for the user.
The compromise with the best security would involve authorizing the computer to log in for that user. If a client did not have the certificate for that user, it would request it and the user would be prompted to answer a set of security questions. Then it is up to the user to keep their computer secure so that the certificate doesn't get compromised. The user would still need a password to log in. Anyone who wanted to log in as that user would need to get past the security questions or steal the certificate.
Of course, wait-on-failure is a great way of deterring brute-forcing of accounts (with only a minimal effect on users). Contacting a user when their account is being attacked can help secure the account, as the security questions and password can be changed or an alternative login route can be established.
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly
Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
08-14-2006 15:39
From: Strife Onizuka
"The compromise with the best security would involve authorizing the computer to log in for that user."

I routinely use three different computers for SL. Having to juggle security certificates would be an unreasonable burden, and completely out of proportion to the threat.

I ask again: is there a mechanism for people to automatically attempt to log in the hundreds or thousands of times a second it would require to brute-force reasonably good passwords? Are y'all referring to something libsecondlife might enable (the web site is not responsive enough for good brute-forcing)? LL needs to simply delay a second before accepting a login (they don't even need anything as sophisticated as delay-on-failure, given how long the login gets delayed later on in the process) if that's the case.
Corona Lime
Lunatico
Join date: 14 Aug 2006
Posts: 171
08-14-2006 15:46
I like the system that is used in another game I play. Essentially, you can buy a card reader using your in-game credits. The card and reader are linked to your avatar and then sent to you. Every time you log in you put the card in the reader and a new code is generated.
This seems to keep the accounts pretty secure.
I will say, it is a bit shocking that the level of security is not more in Second Life.
_____________________
RCE Universe - bridging virtual worlds...
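The card-and-reader scheme described in this post is a one-time-password token. One standard way such a token produces a fresh code per login is event-based HOTP (RFC 4226: HMAC-SHA1 over a counter, dynamically truncated to six digits). The code below is an added example written for this page, not code from the game mentioned or from Second Life, and mapping that reader onto HOTP (shared secret plus counter, six digits, a server-side look-ahead window of ten) is an assumption. The secret is the RFC's published test-vector key, used only so the output can be checked against known values.

```python
"""Event-based one-time passwords (RFC 4226 HOTP) for a code-generating token.

Added example, not code from the thread or from any game's card reader; it
assumes the reader yields a fresh 6-digit code per login from a shared secret
and a counter, which is what HOTP does."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side: remembers the next expected counter per account.

    A code is accepted only if it matches one of the next `window` counters,
    and the stored counter then moves past it, so a captured code cannot be
    replayed and a token pressed a few times without logging in still works."""

    def __init__(self, window: int = 10):
        self.window = window
        self._state = {}  # account -> (secret, next expected counter)

    def enroll(self, account: str, secret: bytes):
        self._state[account] = (secret, 0)

    def verify(self, account: str, code: str) -> bool:
        if account not in self._state:
            return False
        secret, expected = self._state[account]
        for counter in range(expected, expected + self.window):
            if hmac.compare_digest(hotp(secret, counter), code):  # constant-time compare
                self._state[account] = (secret, counter + 1)       # never accept it again
                return True
        return False


def demo():
    """Constructed walk-through: token drifts ahead, then a replay is refused."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, not a real secret
    v = TokenVerifier()
    v.enroll("Corona Lime", secret)
    return [
        v.verify("Corona Lime", hotp(secret, 0)),   # first login
        v.verify("Corona Lime", hotp(secret, 3)),   # button pressed twice without logging in
        v.verify("Corona Lime", hotp(secret, 3)),   # same code again: replay, refused
        v.verify("Corona Lime", hotp(secret, 2)),   # an older code: refused
        v.verify("Corona Lime", hotp(secret, 4)),   # the next code: accepted
        v.verify("Corona Lime", hotp(secret, 30)),  # far past the window: needs a resync
    ]
```

Because the server advances past every accepted counter, a code sniffed off the wire or shoulder-surfed is worthless once used, which is what makes the card useful even if the password itself is guessed. The look-ahead window covers a token that was triggered a few times without a login; one that has drifted further needs an explicit resync step. It does nothing against someone who holds the physical card, the same trade-off the certificate discussion above runs into.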
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
08-14-2006 21:13
From: Argent Stonecutter
"I routinely use three different computers for SL. Having to juggle security certificates would be an unreasonable burden, and completely out of proportion to the threat.
I ask again: is there a mechanism for people to automatically attempt to log in the hundreds or thousands of times a second it would require to brute-force reasonably good passwords? Are y'all referring to something libsecondlife might enable (the web site is not responsive enough for good brute-forcing)?
LL needs to simply delay a second before accepting a login (they don't even need anything as sophisticated as delay-on-failure, given how long the login gets delayed later on in the process) if that's the case."

I was thinking of allowing the user to carry the certificates around on a keychain USB drive. Since certificates aren't very large, the USB device doesn't need any large capacity, meaning low cost. It could also be made opt-in: some people want more security while others don't need or want to deal with the hassle.

Yep, server-side delay is the way to go. A login request would lock the account from any other requests for, as you suggest, a second, growing longer with repeat attempts. LibSL poses a greater threat than you might think (which isn't LibSL's fault).