AuthMe / AuthMeReloaded

The best authentication plugin for the Bukkit/Spigot API!
https://www.spigotmc.org/resources/authmereloaded.6269/
GNU General Public License v3.0

Security Improvement: password blacklist #1088

Open Eyremba opened 7 years ago

Eyremba commented 7 years ago

Too many accounts are using too weak passwords, which makes them easy to crack.

AuthMe should contain a (hardcoded-)list of the 1000 most used passwords, and a config option with "block-common-passwords: true" in the config. (Default-value: true).

This would improve the security very much because too many admins are lazy and don't add passwords to the blacklist in the config, and then so many players are using "123456" or "minecraft" and their accounts get hacked easily.

sgdc3 commented 7 years ago

Should we include the file as resource or download it at runtime?

Eyremba commented 7 years ago

I thought about hardcoding it directly into a class, but it would also be possible to use it as an external file. (The file could be downloaded at the runtime, or it could be in the jar of AuthMe and AuthMe can extract it to the plugins folder when it is loaded.)

janvostry commented 7 years ago

To appropriately measure one password's security, you would have to attempt to crack it. Blacklisting the X most used passwords is not good enough. You would have to generate an enormous list of possible weak passwords (see: hashcat's attack types), counting billions of items.

I don't think it's even possible to protect users from their laziness, and having lazy admins is in itself very dangerous to the overall server's security and reputation. It's basic computer security to use strong passwords and keep them private. There are even handy tools for that (password managers).

I think AuthMe already meets its obligations towards security (salted bcrypt, autokicking, tempbanning).

I don't think AuthMe should be (or even can be) avoiding bad security decisions of users/admins/developers/owners/sysadmins/etc...

sgdc3 commented 7 years ago

Yeah, I agree with you.

sgdc3 commented 7 years ago

@ljacqu what do you think?

Eyremba commented 7 years ago

> Blacklisting the X most used passwords is not good enough.

But it is 1000 times better than doing nothing!

> You would have to generate an enormous list of possible weak passwords

A 15kb file with the 10.000 most used passwords would be enough.

> I think AuthMe already meets its obligations towards security (salted bcrypt, autokicking, tempbanning).

Such things like salted BCrypt do NOT slow down a hacker when the password is "123456" or "password"....

ljacqu commented 7 years ago

> I don't think it's even possible to protect users from their laziness, and having lazy admins is in itself very dangerous to the overall server's security and reputation.

Agree 100% on this; when it boils down to it, it's a server owner's job to properly educate at least his staff.

Regarding this issue: we already have a configuration that disallows certain passwords. I think maybe extracting this list into its own file would be a compromise here: we might not deliver a list of "easy passwords" with AuthMe but whoever wishes to do so could easily download one.

janvostry commented 7 years ago

> But it is 1000 times better than doing nothing!

Educating users about basic computer/internet security is much more effective, compared to this. It is in users' best interest and can protect a bigger security scope (phishing, MITM, keylogging malware, etc.).

> A 15kb file with the 10.000 most used passwords would be enough.

Says who? Based on what data? I think you just pulled those numbers from your posterior.

> Such things like salted BCrypt do NOT slow down a hacker when the password is "123456" or "password"

Actually, it is designed to slow them down. The other two features I mentioned too.

I think, if the user wants to use a weak password, then we shouldn't be preventing it. Minecraft is not a service where enforcing such a thing is meaningful. In my experience, forcing users to use a "strong" password is unnecessary and counterproductive. All it does is annoy people and make them make more mistakes (like using the already strong password they use for another service, like email).

I think AuthMe is just an authentication plugin, not a security plugin. I think it should be as simple as possible. If you don't agree, feel free to fork this plugin and rename it to authD.

Or you can move the registration part to the web and feel free to enforce NIST's password rules there.

Eyremba commented 7 years ago

> I think maybe extracting this list into its own file would be a compromise here.

Yes, this would be nice. So a good admin can simply copy the list of the top 10.000 most known passwords to this file.

janvostry commented 7 years ago

> I think maybe extracting this list into its own file would be a compromise here

I think moving it into a database engine would be better for server performance. From NIST's suggestion, the blacklist should have at least 100k items, which would slow things down.
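The mechanics under discussion (a plain-text blacklist file, a `block-common-passwords` toggle, and whether a 100k-entry list is a performance problem) can be sketched in a few lines. The following is an added illustration, not AuthMe code (AuthMe itself is a Java plugin); the file format (one password per line, `#` comments allowed), the setting name from the proposal, and the sample list are all assumptions made for this example.

```python
"""Illustrative common-password blacklist check.

Added example, not part of AuthMe. Assumes:
  - a plain-text blacklist with one password per line ("#" lines and blanks ignored),
  - a boolean setting block-common-passwords (name taken from the proposal above).
"""
import io
import unicodedata
from typing import FrozenSet, Optional, TextIO

# Constructed sample file standing in for the "10k most used passwords" list.
SAMPLE_BLACKLIST_FILE = """\
123456
password
minecraft
Qwerty
# comment lines and blank lines are skipped

letmein
"""


def normalize(password: str) -> str:
    """Canonical form used for comparison: Unicode NFKC, trimmed, lowercased.

    Lowercasing means "Qwerty", "QWERTY" and "qwerty" all hit the same entry,
    which is how such lists are usually applied in practice.
    """
    return unicodedata.normalize("NFKC", password).strip().lower()


def load_blacklist(stream: TextIO) -> FrozenSet[str]:
    """Read the list once at startup into a hash set.

    Membership tests on a set are O(1), so even a 100k-entry list costs a
    single hash lookup per registration, not a scan of the file.
    """
    entries = set()
    for line in stream:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(normalize(line))
    return frozenset(entries)


class PasswordPolicy:
    """Registration-time password check driven by the blacklist and the toggle."""

    def __init__(self, blacklist: FrozenSet[str], block_common_passwords: bool = True):
        self.blacklist = blacklist
        self.block_common_passwords = block_common_passwords

    def check(self, password: str) -> Optional[str]:
        """Return None if the password is acceptable, else a short rejection reason."""
        if self.block_common_passwords and normalize(password) in self.blacklist:
            return "common password"
        return None


def demo() -> dict:
    """Run the policy over a few constructed candidate passwords."""
    blacklist = load_blacklist(io.StringIO(SAMPLE_BLACKLIST_FILE))
    policy = PasswordPolicy(blacklist)
    candidates = ["123456", "QWERTY ", "correct horse battery staple"]
    return {pw: policy.check(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, verdict in demo().items():
        print(f"{pw!r}: {verdict or 'ok'}")
```

Loading the list once into a set is the point: the cost scales with list size only at startup (a 100k-entry list of short strings occupies a few megabytes in memory), so the per-registration cost is the same whether the list has 10 or 100,000 entries. Storing the list in a database, as suggested above, trades that in-memory lookup for a query per registration, which is the slower of the two unless memory is the constraint.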

Eyremba commented 7 years ago

> I think moving it into a database engine would be better for server performance. From NIST's suggestion, the blacklist should have at least 100k items, which would slow things down.

There is no 100k list on the internet as far as I know. Only a 10k list. So this would/should be enough.

janvostry commented 7 years ago

> There is no 100k list on the internet as far as I know. Only a 10k list. So this would/should be enough.

https://wiki.skullsecurity.org/Passwords

Eyremba commented 7 years ago

> https://wiki.skullsecurity.org/Passwords

Yes, I know this site, but who would use a password blacklist with a size of 150MB?

The 10.000 most common list has only about 15kb.