Save password for multiplayer games
Moderator: ickputzdirwech
Save password for multiplayer games
Hi everyone
We have our server password protected. We are connecting to the server multiple times per day and always have to enter the password - would be nice if the password could be saved (as in the browser)
Thanks
Re: Save password for multiplayer games
I know, not helpful, but - really - saving a password non-encrypted is nearly the same as placing a reserve key under the doormat.
If you save a password, it's no longer a password, cause if you save it, it's ... saved. And no longer a secret. So you need to encrypt it somehow. Which brings us back: Cause for save encryption you need a secret. A password or so.
Instead of saving password we should use professional (and already existing) authorization mechanisms (using rsa- (or whatever) keys).
Cool suggestion: Eatable MOUSE-pointers.
Have you used the Advanced Search today?
Need help, question? FAQ - Wiki - Forum help
I still like small signatures...
Save password field when joining a server
I have a private factorio server for me and some friends. What bugs me a bit is that we all have to enter the password every time. I would suggest adding a "Save password" checkbox underneath the password field.
Re: Save password field when joining a server
+1...
I'm getting really sick of typing in the darn password to my mate's server
Re: Save password field when joining a server
From a security standpoint saving passwords is a bad practice (I'm talking about the apps that store passwords for ease of use, not the apps designed as password safes).
Koub - Please consider English is not my native language.
Re: Save password field when joining a server
Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
Re: Save password field when joining a server
> ikarikeiji wrote: ↑Fri Jan 04, 2019 1:28 pm
> Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
That's actually why it's a bad idea. Most people use the same password for their money and sensitive information that they use for their games.
Do factorio servers support any other kinds of authentication to resolve these kinds of issues? As an example, the ability to authorize a particular client to the server so that client can connect to the server without password would effectively resolve the issue without exposing major security issues.
Re: Save password field when joining a server
> Darinth wrote: ↑Fri Jan 04, 2019 3:27 pm
>> ikarikeiji wrote: ↑Fri Jan 04, 2019 1:28 pm
>> Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
> That's actually why it's a bad idea. Most people use the same password for their money and sensitive information that they use for their games.
First: that's dumb. At least have two or three passwords, distributed among accounts based on how much you care about what they're protecting. Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
There are 10 types of people: those who get this joke and those who don't.
Re: Save password field when joining a server
Sensible advice, but laziness and/or ignorance usually wins.
> Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
As long as logging into the server involves sending the password (or its hash) over the network, it must be possible to recover that password (or the hash) from whatever is stored on disk, which, as a result, is essentially plain text as well. Note: I don't know how factorio handles server password checking.
I can suggest an alternative, but note that:
a) Implementing cryptography should be left to cryptography experts
b) I'm not a cryptography expert
c) Anyone stealing the file can log into the servers stored inside the file (you could encrypt the file, but at that point we're implementing a password manager)
With that said, here's an alternative that avoids storing plain passwords (and plain hashes) and also doesn't send credentials over the network.
1) When the user enters a server password, derive some key from it (at least a salted hash, with the salt provided by the server), store {server address, key} in the password file (*)
2) When logging into a server, use the key for a symmetric cipher (e.g. AES) (**), have both sides (client and server) ask each other to encrypt a random text with that cipher and check the result (keywords: zero knowledge, challenge-response). If both sides provide the correct result continue logging in, otherwise client shows "wrong password" dialog.
*) In the file the keys (or everything) could be xor'ed or encrypted with a constant (e.g. username used for checking for updates) as a (weak) protection against leaking a copy of the file
**) in the proposed scheme a cryptographic hash would suffice as decryption isn't needed
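The two steps proposed in the post above, sketched as an added example (not code from the thread or from Factorio). PBKDF2 stands in for the salted key derivation and HMAC-SHA256 for the "a cryptographic hash would suffice" variant; the class and function names and the role labels are assumptions.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    """Step 1: salted, slow derivation. Only this key goes into the password file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def respond(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Step 2: answer a random challenge with a keyed hash (HMAC) instead of AES.
    The role label (an assumption) keeps a server answer from being reflected
    back as a client answer."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)      # sent to clients before step 1
        self.key = derive_key(password, self.salt)
        self._challenge = None

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(32)
        return self._challenge

    def verify(self, response: bytes) -> bool:
        challenge, self._challenge = self._challenge, None   # single use: no replay
        if challenge is None:
            return False
        return hmac.compare_digest(respond(self.key, b"client", challenge), response)

    def prove(self, client_challenge: bytes) -> bytes:
        return respond(self.key, b"server", client_challenge)

def login(server: Server, saved_key: bytes) -> bool:
    """Client side: check the server knows the key, then prove we do.
    Neither the password nor the key crosses the wire."""
    mine = secrets.token_bytes(32)
    if not hmac.compare_digest(server.prove(mine), respond(saved_key, b"server", mine)):
        return False                              # impostor server or wrong saved key
    return server.verify(respond(saved_key, b"client", server.new_challenge()))

if __name__ == "__main__":
    srv = Server("constructed-example-password")
    saved = derive_key("constructed-example-password", srv.salt)  # what the file holds
    print(login(srv, saved), login(srv, derive_key("wrong guess", srv.salt)))
```

As point c) says, the saved key alone is enough to log in. Anyone who records one challenge and its response can also test password guesses offline, so the derivation cost and the password's strength still matter.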
Re: Save password field when joining a server
> Jap2.0 wrote: ↑Sat Jan 05, 2019 2:13 am
>> Darinth wrote: ↑Fri Jan 04, 2019 3:27 pm
>>> ikarikeiji wrote: ↑Fri Jan 04, 2019 1:28 pm
>>> Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
>> That's actually why it's a bad idea. Most people use the same password for their money and sensitive information that they use for their games.
> First: that's dumb. At least have two or three passwords, distributed among accounts based on how much you care about what they're protecting. Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
I mean... I agree... you're talking to the guy who maintains an encrypted document full of passwords to various accounts... but that doesn't change how people work as a whole and factorio still has to protect user's passwords. This, at a minimum, means no reversible encryption on any passwords stored on the system.
> Nidan wrote: ↑Sat Jan 05, 2019 4:16 am
> Sensible advice, but laziness and/or ignorance usually wins.
>> Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
> As long as logging into the server involves sending the password (or its hash) over the network, it must be possible to recover that password (or the hash) from whatever is stored on disk, which, as a result, is essentially plain text as well. Note: I don't know how factorio handles server password checking.
> I can suggest an alternative, but note that:
> a) Implementing cryptography should be left to cryptography experts
> b) I'm not a cryptography expert
> c) Anyone stealing the file can log into the servers stored inside the file (you could encrypt the file, but at that point we're implementing a password manager)
> With that said, here's an alternative that avoids storing plain passwords (and plain hashes) and also doesn't send credentials over the network.
> 1) When the user enters a server password, derive some key from it (at least a salted hash, with the salt provided by the server), store {server address, key} in the password file (*)
> 2) When logging into a server, use the key for a symmetric cipher (e.g. AES) (**), have both sides (client and server) ask each other to encrypt a random text with that cipher and check the result (keywords: zero knowledge, challenge-response). If both sides provide the correct result continue logging in, otherwise client shows "wrong password" dialog.
> *) In the file the keys (or everything) could be xor'ed or encrypted with a constant (e.g. username used for checking for updates) as a (weak) protection against leaking a copy of the file
> **) in the proposed scheme a cryptographic hash would suffice as decryption isn't needed
I'm not a 'cryptography expert' either, but the basics of securing passwords actually isn't all that difficult. The short answer is that there is no good method of securing a weak password on a system, but there are methods of securing strong passwords. Your method is pretty good honestly. Out of an abundance of security, I'd hash multiple pieces of data together with a salt (username, password, server-provided salt, etc... I don't know what data points factorio tracks for this. Really, once you're salting the hash with a few pieces of consistent data, you're doing about the most that can be done.) You've got the right idea by not transmitting the key and instead just encrypting a challenge-response. If you're going to be storing passwords on a system, you're doing about as much as you can to protect users at that point. But it's all a moot point, there's no reason to store passwords on the computer.
After authorization, the server sends back a randomly generated string that the client can use for future logins. The server stores that string with some additional information to know it's authorized. If we really want to get fancy, send the string back via symmetric encryption using the server password. At that point, no user passwords are actually stored. Ever. The worst thing that could happen is someone hacks their way on to the server... nobody's ever going to get access to someone's sensitive information because Factorio stored someone's password for ease of use. That's the important part.
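The token scheme from the post above, as an added example (not code from the thread or from Factorio). It goes one step beyond the post by keeping only a SHA-256 digest of each token on the server; the class name, the 30-day lifetime and the binding to a player name are assumptions.

```python
import hashlib
import hmac
import secrets
import time

class RememberMeServer:
    LIFETIME = 30 * 24 * 3600   # assumed policy: tokens expire after 30 days

    def __init__(self, game_password: str):
        self._password = game_password   # the shared server password
        self._tokens = {}                # sha256(token) -> (player, expiry time)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login_with_password(self, player, password, remember=False, now=None):
        """Returns (ok, token). A token is issued only after a correct password."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return False, None
        if not remember:
            return True, None
        token = secrets.token_urlsafe(32)   # random, unrelated to the password
        self._tokens[self._digest(token)] = (player, now + self.LIFETIME)
        return True, token

    def login_with_token(self, player, token, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.get(self._digest(token))
        if entry is None:
            return False
        owner, expires = entry
        if now >= expires:
            del self._tokens[self._digest(token)]   # drop expired tokens
            return False
        return owner == player              # the "additional information" check

    def change_password(self, new_password: str):
        self._password = new_password
        self._tokens.clear()                # changing the password revokes every token

if __name__ == "__main__":
    srv = RememberMeServer("constructed-example-password")
    ok, token = srv.login_with_password("alice", "constructed-example-password", True)
    print(ok, srv.login_with_token("alice", token), srv.login_with_token("bob", token))
```

The client saves only the token, so a copied client file grants access to this one server until the token expires or is revoked, and it never contains the password.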
Re: Save password field when joining a server
Probably it would be better to have "Remember me" option on the server.
So player after entering server with password would be allowed to enter without password.
I'm not expert in security so just think about it.
Re: Save password field when joining a server
> Sad_Brother wrote: ↑Mon Jan 07, 2019 5:04 pm
> Probably it would be better to have "Remember me" option on the server.
> So player after entering server with password would be allowed to enter without password.
> I'm not expert in security so just think about it.
My second method is the effective implementation of this, and is how many websites implement their 'remember me' schemes. Website gives a cookie to the browser and then the website remembers the cookie as a method of keeping the browser remembered. This is why when you clear out cookies, the sites that were remembering you suddenly forget you.
Re: Save password for multiplayer games
Just make game remember passwords used to connect to different game servers ok?
How about some quality of life improvements? Slap a big unencrypted warning and show password while typing. Whatever just make it work?
Re: Save password for multiplayer games
I hope server passwords are not sent in clear text to the server.
Normally you'd hash the password and send that hash. Only the server should be able to decrypt the passwords.
There shouldn't be any problem storing that hash locally.
My Mods: mods.factorio.com
Multiplayer server access password caching
For those who utilize multiple servers using Clusterio and are having download speed issues with the server select mod, jumping between servers is made lengthy with the necessity of inputting a password each time. A "Save password" option would be a great benefit in this use case, as well as for those prone to forgetting passwords.
Re: Save password for multiplayer games
[Koub] Merged into older thread with same suggestion.
Koub - Please consider English is not my native language.