
Logon Sequences for Battle.net

Started by shout, July 29, 2004, 05:08 PM


ChR0NiC

Quote from: Maddox on July 29, 2004, 08:25 PM
Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time.

I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P

UserLoser.

Quote from: ChR0NiC on July 29, 2004, 09:26 PM
Quote from: Maddox on July 29, 2004, 08:25 PM
Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time.

I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P

Get Mozilla Firefox.  You won't ever have to type in a password again.

Spht

Quote from: UserLoser. on July 29, 2004, 09:45 PM
Quote from: ChR0NiC on July 29, 2004, 09:26 PM
Quote from: Maddox on July 29, 2004, 08:25 PM
Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time.

I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P

Get Mozilla Firefox.  You won't ever have to type in a password again.

It has voice recognition?

Banana fanna fo fanna

Now that's truly a great way to input your password. Someone could listen in...and you can't say weird ones like xkJ867Z

Arta

#19
If someone can suggest a secure way to do it then I'll add a 'remember my logon' checkbox. It can't:

- Store password in cookie
- Keep session open forever

Eli_1

shout -- I have no idea. I saw storm say it in a previous thread, and I just had to use it as my sig. I was crackin' up.

Arta -- Thanks.  :D

shout

I still can't get to bnetdocs...

Adron

#22
Quote from: Arta[vL] on July 29, 2004, 10:34 PM
If someone can suggest a secure way to do it then I'll add a 'remember my logon' checkbox. It can't:

- Store password in cookie
- Keep session open forever

Make a cookie consisting of user name, time, and secret. Something like this:

Adron:12345678:b95d5bbba7e84699ab9286d7a686be00

The secret is calculated in this way:

H:\>echo Adron:12345678:artassecret|md5sum
b95d5bbba7e84699ab9286d7a686be00 *-


"artassecret" could either be a fixed secret value for your application, or a unique secret for each user. It shouldn't be the password, because it mustn't be brute-forceable. A 128-bit random number would be good. You can reset the cookie with a new logon time each time the user visits bnetdocs, or you can set it just once and then the user will have to relogon after a certain time.

Spot any weaknesses here?

Edit: This is the way I made the user name information transfer from the forum to the radio station btw.
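The "remember my logon" cookie Adron describes, written out as an added example (this is not Adron's, Arta's or the forum's code). It builds the cookie as user:time:tag with the tag = MD5(user:time:secret) construction from the post, checks it with a constant-time comparison, and enforces an expiry so a stolen cookie stops working after max_age, which covers both options mentioned (re-issue on every visit, or issue once and force a re-logon later). The in-memory USER_SECRETS table, the 14-day default and the hmac_tag_for variant are assumptions of this example; the "artassecret" value is kept only to match the post, and because the hash is taken over the bare string (no trailing newline as echo would add) the tag differs from the value shown there.

```python
import hashlib
import hmac
import secrets
import time

# Per-user secrets, as the post recommends: a random 128-bit value, never the
# password. A real site keeps these in the user table; this dict is constructed
# sample data for the example.
USER_SECRETS = {
    "Adron": "artassecret",         # the fixed value used in the post's example
    "Arta": secrets.token_hex(16),  # 128-bit random, unique per user
}


def tag_for(user, issued_at, secret):
    """The post's construction: MD5 over 'user:time:secret'."""
    return hashlib.md5(f"{user}:{issued_at}:{secret}".encode()).hexdigest()


def hmac_tag_for(user, issued_at, secret):
    """Swapped-in alternative (assumption, not from the post): a real MAC.
    HMAC-SHA256 keyed with the secret over 'user:time' is the standard way to
    bind a secret to a message; a raw hash of a concatenation is not."""
    msg = f"{user}:{issued_at}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def make_cookie(user, now=None, tag_fn=tag_for):
    """Issue 'user:time:tag' for an already-authenticated user."""
    issued_at = int(time.time() if now is None else now)
    return f"{user}:{issued_at}:{tag_fn(user, issued_at, USER_SECRETS[user])}"


def verify_cookie(cookie, max_age=14 * 86400, now=None, tag_fn=tag_for):
    """Return the user name if the cookie is authentic and still fresh,
    otherwise None. Never trusts the user name before the tag checks out."""
    try:
        # rsplit so a user name containing ':' still parses correctly
        user, issued_str, tag = cookie.rsplit(":", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None
    secret = USER_SECRETS.get(user)
    if secret is None:
        return None
    expected = tag_fn(user, issued_at, secret)
    # constant-time comparison; different lengths simply compare unequal
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    now = time.time() if now is None else now
    # reject cookies dated in the future (beyond clock skew) or older than max_age
    if issued_at > now + 60 or now - issued_at > max_age:
        return None
    return user


def refresh_cookie(cookie, max_age=14 * 86400, now=None, tag_fn=tag_for):
    """Adron's first option: on each visit, re-issue the cookie with a fresh
    time stamp so an active user is never logged out. Returns None if the
    presented cookie was not valid."""
    user = verify_cookie(cookie, max_age=max_age, now=now, tag_fn=tag_fn)
    if user is None:
        return None
    return make_cookie(user, now=now, tag_fn=tag_fn)


if __name__ == "__main__":
    c = make_cookie("Adron", now=12345678)
    print(c)
    print(verify_cookie(c, now=12345678 + 3600))   # Adron
    print(verify_cookie(c, now=12345678 + 30 * 86400))  # None: expired
```

Rotating the per-user secret (or the application-wide secret) invalidates every outstanding cookie at once, which is the emergency lever for the session-theft concern raised later in the thread. The expiry check is what keeps a leaked cookie from being a permanent credential; without it the cookie would be exactly the "session open forever" case Arta rules out.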

ChR0NiC

#23
Quote from: Adron on July 30, 2004, 11:38 AM
It shouldn't be the password, because it mustn't be brute-forceable. A 128-bit random number would be good.

Spot any weaknesses here?

Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.

Arta

Adron: That's how I store session cookies already. I don't want to keep sessions open for extended periods of time. The only other option is to automatically log people on, which requires a usable saved password. Even if that method were used, the old problem that having a hash of a password is the same as having the password itself still applies.

Chronic: None of this applies to normal users.

UserLoser.

#25
Quote from: ChR0NiC on July 30, 2004, 12:09 PM
I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.

Viewing information that certain users do not want to be revealed to other people who they may not trust or know.

Kp

Quote from: Arta[vL] on July 30, 2004, 12:19 PM
I don't want to keep sessions open for extended periods of time.

Why not?  It's not exactly a high level of overhead to save a few extra cookies serverside. :)
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Arta

It exposes the system to session theft.

Banana fanna fo fanna

If you can bruteforce a 160-bit number, get back to me.

BinaryzL

Quote from: $t0rm on July 30, 2004, 04:02 PM
If you can bruteforce a 160-bit number, get back to me.

I could... with my quantum computer.
