Save password for multiplayer games

Post your ideas and suggestions how to improve the game.

Moderator: ickputzdirwech

pagep
Burner Inserter
Burner Inserter
Posts: 8
Joined: Mon Jun 20, 2016 2:42 pm
Contact:

Save password for multiplayer games

Post by pagep »

Hi everyone

We have our server password protected. We are connecting to the server multiple times per day and always have to enter the password - would be nice if the password could be saved (as in the browser) :)

Thanks
User avatar
ssilk
Global Moderator
Global Moderator
Posts: 12889
Joined: Tue Apr 16, 2013 10:35 pm
Contact:

Re: Save password for multiplayer games

Post by ssilk »

I know, not helpful, but - really - saving a password non-encrypted is nearly the same as placing a reserve key under the doormat. :)

If you save a password, it's not longer a password, cause if you save it, it's ... saved. And not longer a secret. So you need to encrypt it somehow. Which brings us back: Cause for save encryption you need a secret. A password or so.
Instead of saving password we should use professional (and already existing) authorization mechanisms (using rsa- (or whatever) keys).
Cool suggestion: Eatable MOUSE-pointers.
Have you used the Advanced Search today?
Need help, question? FAQ - Wiki - Forum help
I still like small signatures...
Nidhoegger666
Burner Inserter
Burner Inserter
Posts: 15
Joined: Wed Dec 13, 2017 6:15 pm
Contact:

Save password field when joining a server

Post by Nidhoegger666 »

I have a private factorio server for me and some friends. What bugs me a bit is that we all have to enter the password every time. I would suggest adding a "Save password" checkbox underneath the password field.
CapriciousSage
Manual Inserter
Manual Inserter
Posts: 2
Joined: Fri Jan 04, 2019 5:30 am
Contact:

Re: Save password field when joining a server

Post by CapriciousSage »

+1...

I'm getting really sick of typing in the darn password to my mate's server :-P
Koub
Global Moderator
Global Moderator
Posts: 7784
Joined: Fri May 30, 2014 8:54 am
Contact:

Re: Save password field when joining a server

Post by Koub »

From a security standpoint saving passwords is a bad practice (I'm talking about the apps that store passwords for ease of use, not the apps designed as password safes).
Koub - Please consider English is not my native language.
ikarikeiji
Long Handed Inserter
Long Handed Inserter
Posts: 98
Joined: Sun Jul 12, 2015 6:28 pm
Contact:

Re: Save password field when joining a server

Post by ikarikeiji »

Koub wrote: Fri Jan 04, 2019 12:43 pm From a security standpoint saving passwords is a bad practice (I'm talking about the apps that store passwords for ease of use, not the apps designed as password safes).
Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
Darinth
Filter Inserter
Filter Inserter
Posts: 323
Joined: Wed Oct 17, 2018 12:17 pm
Contact:

Re: Save password field when joining a server

Post by Darinth »

ikarikeiji wrote: Fri Jan 04, 2019 1:28 pm
Koub wrote: Fri Jan 04, 2019 12:43 pm From a security standpoint saving passwords is a bad practice (I'm talking about the apps that store passwords for ease of use, not the apps designed as password safes).
Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
That's actually why it's a bad idea. Most people use the same password for their money and sensitive information that they use for their games.

Does factorio servers support any other kinds of authentication to resolve these kinds of issues? As an example, the ability to authorize a particular client to the server so that client can connect to the server without password would effectively resolve the issue without exposing major security issues.
Jap2.0
Smart Inserter
Smart Inserter
Posts: 2378
Joined: Tue Jun 20, 2017 12:02 am
Contact:

Re: Save password field when joining a server

Post by Jap2.0 »

Darinth wrote: Fri Jan 04, 2019 3:27 pm
ikarikeiji wrote: Fri Jan 04, 2019 1:28 pm
Koub wrote: Fri Jan 04, 2019 12:43 pm From a security standpoint saving passwords is a bad practice (I'm talking about the apps that store passwords for ease of use, not the apps designed as password safes).
Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
That's actually why it's a bad idea. Most people use the same password for their money and sensitive information that they use for their games.
First: that's dumb. At least have two or three passwords, distributed among accounts based on how much you care about what they're protecting. Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
There are 10 types of people: those who get this joke and those who don't.
Nidan
Filter Inserter
Filter Inserter
Posts: 270
Joined: Sat Nov 21, 2015 1:40 am
Contact:

Re: Save password field when joining a server

Post by Nidan »

Jap2.0 wrote: Sat Jan 05, 2019 2:13 am [...]

First: that's dumb. At least have two or three passwords, distributed among accounts based on how much you care about what they're protecting.
Sensible advice, but laziness and/or ignorance usually wins.
Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
As long as logging into the server involves sending the password (or its hash) over the network, it must be possible to recover that password (or the hash) from whatever is stored on disk, which, as result, is essentially plain text as well. Note: I don't know how factorio handles server password checking.

I can suggest an alternative, but note that:
a) Implementing cryptography should be left to cryptography experts
b) I'm not an cryptography expert
c) Anyone stealing the file can log into the servers stored inside the file (you could encrypt the file, but at that point we're implementing a password manager)
With that said, here's an alternative that avoids storing plain passwords (and plain hashes) and also doesn't send credentials over the network.
1) When the user enters a server password, derive some key from it (at least a salted hash, with the salt provided by the server), store {server address, key} in the password file (*)
2) When logging into a server, use the key for a symmetric cipher (e.g. AES) (**), have both sides (client and server) ask each other to encrypt a random text with that cipher and check the result (keywords: zero knowledge, challenge-response). If both sides provide the correct result continue logging in, otherwise client shows "wrong password" dialog.
*) In the file the keys (or everything) could be xor'ed or encrypted with a constant (e.g. username used for checking for updates) as a (weak) protection against leaking a copy of the file
**) in the proposed scheme a cryptographic hash would suffice as decryption isn't needed
Darinth
Filter Inserter
Filter Inserter
Posts: 323
Joined: Wed Oct 17, 2018 12:17 pm
Contact:

Re: Save password field when joining a server

Post by Darinth »

Jap2.0 wrote: Sat Jan 05, 2019 2:13 am
Darinth wrote: Fri Jan 04, 2019 3:27 pm
ikarikeiji wrote: Fri Jan 04, 2019 1:28 pm
Koub wrote: Fri Jan 04, 2019 12:43 pm From a security standpoint saving passwords is a bad practice (I'm talking about the apps that store passwords for ease of use, not the apps designed as password safes).
Doesn't make this a bad suggestion, we're talking about a password that stops someone griefing a game server, not one that protects your money or sensitive information.
That's actually why it's a bad idea. Most people use the same password for their money and sensitive information that they use for their games.
First: that's dumb. At least have two or three passwords, distributed among accounts based on how much you care about what they're protecting. Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
I mean... I agree... you're talking to the guy who maintains an encrypt document full of passwords to various accounts... but that doesn't change how people work as a whole and factorio still has to protect user's passwords. This, at a minimum, means no reversible encryption on any passwords stored on the system.
Nidan wrote: Sat Jan 05, 2019 4:16 am
Jap2.0 wrote: Sat Jan 05, 2019 2:13 am [...]

First: that's dumb. At least have two or three passwords, distributed among accounts based on how much you care about what they're protecting.
Sensible advice, but laziness and/or ignorance usually wins.
Second: if this is something they implement, there might be some better way to do it than storing it in plain text in a config file like it currently is for setting up servers?
As long as logging into the server involves sending the password (or its hash) over the network, it must be possible to recover that password (or the hash) from whatever is stored on disk, which, as result, is essentially plain text as well. Note: I don't know how factorio handles server password checking.

I can suggest an alternative, but note that:
a) Implementing cryptography should be left to cryptography experts
b) I'm not an cryptography expert
c) Anyone stealing the file can log into the servers stored inside the file (you could encrypt the file, but at that point we're implementing a password manager)
With that said, here's an alternative that avoids storing plain passwords (and plain hashes) and also doesn't send credentials over the network.
1) When the user enters a server password, derive some key from it (at least a salted hash, with the salt provided by the server), store {server address, key} in the password file (*)
2) When logging into a server, use the key for a symmetric cipher (e.g. AES) (**), have both sides (client and server) ask each other to encrypt a random text with that cipher and check the result (keywords: zero knowledge, challenge-response). If both sides provide the correct result continue logging in, otherwise client shows "wrong password" dialog.
*) In the file the keys (or everything) could be xor'ed or encrypted with a constant (e.g. username used for checking for updates) as a (weak) protection against leaking a copy of the file
**) in the proposed scheme a cryptographic hash would suffice as decryption isn't needed
I'm not a 'crytography expert' either, but the basics of securing passwords actually isn't all that difficult. The short answer is that there is no good method of securing a weak password on a system, but there are methods of securing strong passwords. Your method is pretty good honestly. Out of an abundance of security, I'd hash multiple pieces of data together with a salt (username, password, server-provided salt, etc... I don't know what data points factorio tracks for this. Really, once you're salting the hash with a few pieces of consistent data, you're doing about the most that can be done.) You've got the right idea by not transmitting the key and instead just encrypting a challenge-response. If you're going to be storing passwords on a system, you're doing about as much as you can to protect users at that point. But it's all a moot point, there's no reason to store passwords on the computer.

After authorization, the server sends back a randomly generated string that the client can use for future logins. The server stores that string with some additional information to know it's authorized. If we really want to get fancy, send the string back via symetric encryption using the server password. At that point, no user passwords are actually stored. Ever. The worst thing that could happen is someone hacks their way on to the server... nobody's ever going to get access to someone's sensitive information because Factorio stored someone's password for ease of use. That's the important part.
Sad_Brother
Fast Inserter
Fast Inserter
Posts: 209
Joined: Mon Jan 08, 2018 4:54 pm
Contact:

Re: Save password field when joining a server

Post by Sad_Brother »

Probably it would be better to have "Remember me" option on the server.
So player after entering server with password would be allowed to enter without password.
I'm not expert in security so just think about it. ;)
Darinth
Filter Inserter
Filter Inserter
Posts: 323
Joined: Wed Oct 17, 2018 12:17 pm
Contact:

Re: Save password field when joining a server

Post by Darinth »

Sad_Brother wrote: Mon Jan 07, 2019 5:04 pm Probably it would be better to have "Remember me" option on the server.
So player after entering server with password would be allowed to enter without password.
I'm not expert in security so just think about it. ;)
My second method is the effective implementation of this, and is how many websites implement their 'remember me' schemes. Website gives a cookie to the browser and then the website remembers the cookie as method of keeping the browser remembered. Thus is why when you clear out cookies, the sites that were remembering you suddenly forget you.
User avatar
cpy
Filter Inserter
Filter Inserter
Posts: 839
Joined: Thu Jul 31, 2014 5:34 am
Contact:

Re: Save password for multiplayer games

Post by cpy »

Just make game remember passwords used to connect to different game servers ok?
How about some quality of life improvements? Slap a big unencrypted warning and show password while typing. Whatever just make it work?
User avatar
Optera
Smart Inserter
Smart Inserter
Posts: 2920
Joined: Sat Jun 11, 2016 6:41 am
Contact:

Re: Save password for multiplayer games

Post by Optera »

I hope server passwords are not sent in clear text to the server.
Normally you'd hash the password and send that hash. Only the server should be able to decrypt the passwords.
There shouldn't be any problem storing that hash locally.
riley234
Manual Inserter
Manual Inserter
Posts: 1
Joined: Wed Oct 20, 2021 11:08 am
Contact:

Multiplayer server access password caching

Post by riley234 »

For those who utilize multiple servers using Clusterio and are having download speed issues with the server select mod, jumping between servers is made lengthy with the necessity of inputting a password each time. A "Save password" option would be a great benefit in this use case, as well as for those prone to forgetting passwords.
Koub
Global Moderator
Global Moderator
Posts: 7784
Joined: Fri May 30, 2014 8:54 am
Contact:

Re: Save password for multiplayer games

Post by Koub »

[Koub] Merged into older thread with same suggestion.
Koub - Please consider English is not my native language.
Post Reply

Return to “Ideas and Suggestions”