Roundabout

Make multi-factor authentication optional

Question

14 answers to this question


redspawn   

Although it should be your own responsibility, and with that I agree with you, I believe having it forced is a nice way to prevent younger people, who are less informed, from disabling it and risking their accounts.

Kite   

Honestly, I won't bother logging into the game as long as it is mandatory. Too much work for me to try to log in to go to my email and input some code thing. 

IDKPRO   
1 hour ago, Kizhaz said:

Stop downloading mmo on every pc in the school and you should be ok

So true.


The 2FA was weird/buggy.
It locked me out of my account for a bit, then I logged in (and no e-mail received?) then randomly a few mins later it let me login.
As odd as it seems I'd actually support being able to disable this 2FA system until a more reliable improvement can be implemented.

We're always responsible for our own accounts even if we have 2FA so not much to change.  Use a strong password and a password manager instead of reusing passwords.

Desu   
46 minutes ago, Daedalus007 said:

The 2FA was weird/buggy.
It locked me out of my account for a bit, then I logged in (and no e-mail received?) then randomly a few mins later it let me login.
As odd as it seems I'd actually support being able to disable this 2FA system until a more reliable improvement can be implemented.

We're always responsible for our own accounts even if we have 2FA so not much to change.  Use a strong password and a password manager instead of reusing passwords.

Your account is not yet enforcing 2fa. Are you sure you were actually prompted for 2fa? Did the prompt include your email address?

Posted (edited)
On 3/14/2018 at 1:36 AM, Desu said:

Your account is not yet enforcing 2fa. Are you sure you were actually prompted for 2fa? Did the prompt include your email address?

I'd greatly prefer an option to not be bothered with '2FA' at all unless it can be done through a proper method (TOTP aka Time-Based One Time PassCode).

 

My previous post was referring to a 'glitch' involving 2FA.  I wasn't prompted for anything during the time the glitch occurred.  I was merely unable to log in (stuck in a login loop and unable to log in) and I was worried I'd been stealth-banned (which I wasn't) or had internet issues (which I didn't).  Eventually it resolved itself after a few minutes so I wasn't terribly worried about it overall.

 

The idea of 2FA is admirable, however the implementation leaves much to be desired.

Having it enabled by default is acceptable as a precautionary security measure, however the end-user should have the option (at their own risk) to disable 2FA.

 

I want to give both you and @Kyu kudos on the password system though.  Being able to use (at least) 100+ character passwords with not just the typical alphanumeric stuff but also any symbols on the keyboard, any brackets, both forward AND backslashes in addition to both underscore AND spaces (!); having a password system this flexible is quite uncommon to see.

 

I'm uncertain whether PokeMMO stores a hash of the password or the password itself.  I've expressed deep concerns about underlying core security issues such as storing the username and password in PLAIN TEXT in the Windows Registry when enabling the 'Save Password' option.  Java as a framework also presents some troubling aspects, however that is an issue that I'm confident that you and @Kyu can work out.

 

So I'd hope that the 2FA system can be default-enabled and also allow the end-user the option to disable it completely while accepting the risks inherent with such a decision.

Perhaps something like those who disable 2FA are ineligible for 'hacked' account support or something.

Edited by Daedalus007

Desu   
45 minutes ago, Daedalus007 said:

I'd greatly prefer an option to not be bothered with '2FA' at all unless it can be done through a proper method (TOTP aka Time-Based One Time PassCode).

You're unlikely to be bothered by it unless you change devices super frequently.

 

45 minutes ago, Daedalus007 said:

I'm uncertain whether PokeMMO stores a hash of the password or the password itself.  I've expressed deep concerns about underlying core security issues such as storing the username and password in PLAIN TEXT in the Windows Registry when enabling the 'Save Password' option.  Java as a framework also presents some troubling aspects, however that is an issue that I'm confident that you and @Kyu can work out.

We store all passwords hashed with a strong hash function (bcrypt)

 

45 minutes ago, Daedalus007 said:

So I'd hope that the 2FA system can be default-enabled and also allow the end-user the option to disable it completely while accepting the risks inherent with such a decision.

Perhaps something like those who disable 2FA are ineligible for 'hacked' account support or something.

Nobody thinks things will happen to them until they do. This makes me uncomfortable with the idea of letting players assume full risk.

 

An opt-out functionality isn't completely off the table, but even if it gets implemented, I would probably reserve it for the most extreme circumstances.

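Desu's answer names bcrypt. The salted, cost-tuned password-hashing pattern that implies, as an added example that is not PokeMMO's code: it uses scrypt from Python's standard library as a stand-in, because bcrypt is a third-party package, and the cost parameters and the stored-record layout are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Cost parameters and the on-disk record layout are this example's own
# assumptions; tune N/r/p to the login server's hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Derive a salted, cost-tuned hash and return a self-describing record.

    A fresh 16-byte random salt per password means two users with the same
    password get unrelated records, and the parameters travel with the hash
    so they can be raised later without breaking existing accounts.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record; constant-time compare."""
    try:
        algo, n, r, p, salt_hex, dk_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed or foreign record: never a match
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bool:
    """True when the record is below current policy; rehash on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    old_n, old_r, old_p = int(parts[1]), int(parts[2]), int(parts[3])
    return old_n < n or old_r < r or old_p < p
```

One caveat that connects to the long passwords praised earlier in the thread: bcrypt uses at most the first 72 bytes of its input, so characters beyond that point do not contribute to a bcrypt hash unless the server pre-hashes the password first; scrypt, as used here, has no such limit.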
Posted (edited)
On 3/15/2018 at 12:05 AM, Desu said:

You're unlikely to be bothered by it unless you change devices super frequently.

We store all passwords hashed with a strong hash function (bcrypt)

Nobody thinks things will happen to them until they do. This makes me uncomfortable with the idea of letting players assume full risk.

An opt-out functionality isn't completely off the table, but even if it gets implemented, I would probably reserve it for the most extreme circumstances.

If a TOTP-based 2FA system was implemented with a 'remember this IP for a week' option then I feel that would make a nice middle-ground between security and convenience.

I'm glad the hashes are stored securely server-side.  Still not too thrilled with the password being stored in plaintext client-side in the Windows Registry.

If you and Kyu can work together to take care of that plaintext-registry issue, that would likely do a lot to mitigate 'hacked' accounts as well.

Thank you again for your time and responses on this issue.  I know how busy you and Kyu are.  :)

Edited by Daedalus007

Kyu   
6 minutes ago, Daedalus007 said:

I'm glad the hashes are stored securely server-side.  Still not too thrilled with the password being stored in plaintext client-side in the Windows Registry.

If you and Kyu can work together to take care of that plaintext-registry issue, that would likely do a lot to mitigate 'hacked' accounts as well.

Thank you again for your time and responses on this issue.  I know how busy you and Kyu are.  :)

Authentication tokens are stored in the game client's config directory and look like this:

    client.saved_credentials.keys=9DpsOcicN+R61NiZ84jIcNgQUoGxLObDdsvgww8cz9c\=

They're not a representation of your password. I'm not sure where you got this idea, but it's wrong.

Posted (edited)
39 minutes ago, Kyu said:

Authentication tokens are stored in the game client's config directory and look like this:

They're not a representation of your password. I'm not sure where you got this idea, but it's wrong.

I'll send you a PM shortly with the details of what I mean with regards to plaintext passwords being stored in the Windows Registry and how it happens.
I'd rather not post it publicly here ;)


UPDATE

OK, I stand corrected.  Likely another benefit of the 27-Feb-2018 update that I was unaware of, but plaintext credentials are NO LONGER stored in the registry.  I noticed a new file in my PokeMMO\config directory named 'savedcredentials.properties' and the username and hashed password are both present in the file.  Very nice indeed :)

I've gone ahead and done strikethrough text on my previous inaccurate statements.  I think I'll be ok with 2FA as-is until some time can be spent improving it.  :)

Edited by Daedalus007

Kyu   
1 hour ago, Daedalus007 said:

OK, I stand corrected.  Likely another benefit of the 27-Feb-2018 update that I was unaware of, but plaintext credentials are NO LONGER stored in the registry.  I noticed a new file in my PokeMMO\config directory named 'savedcredentials.properties' and the username and hashed password are both present in the file.  Very nice indeed :)

I'm not trying to dog on you for this, but just to be clear for the sake of everyone's knowledge/safety: We have never offered a plaintext credential storage using the "Remember Me" function. You're mistaken. This is how it has always worked, since the system's initial implementation in 2014.

 

The hashes which are stored in savedcredentials.properties aren't real; they're just session tokens which are sent from the server when you request an authentication ticket. They do not represent your password in any way, shape or form. In fact, if you copy them over to another computer or you try to log in from a different network, you'll notice that they become invalid and your login will be rejected (this is to protect you against having your client stolen) because they're just session tokens.

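Kyu's two posts above describe the "Remember Me" mechanism: the client keeps a server-issued session token (the `client.saved_credentials.keys` value in savedcredentials.properties) that is not derived from the password, and the token stops working when copied to another machine or used from a different network. The following is an added example modelling that design; it is not PokeMMO's code. The Java .properties parsing is deliberately minimal, binding a ticket to the client's IPv4 /24 is an assumption about how the rejection Kyu describes is implemented, and the sample line is constructed in the same shape as the one he quoted.

```python
import base64
import hashlib
import secrets

# Constructed sample in the same shape as the line quoted from the client's
# config directory. In Java .properties files '=' inside a value is written
# as '\='; the value is base64 with a single '=' of padding.
SAMPLE_PROPERTIES = (
    "# saved by the game client (constructed sample)\n"
    "client.saved_credentials.keys="
    "9DpsOcicN+R61NiZ84jIcNgQUoGxLObDdsvgww8cz9c\\=\n"
)


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: comments, key=value / key:value, and backslash escapes."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, val, in_key, escaped = [], [], True, False
        for ch in line:
            if escaped:                       # '\=' or '\:' is a literal character
                (key if in_key else val).append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif in_key and ch in "=:":       # first unescaped separator ends the key
                in_key = False
            else:
                (key if in_key else val).append(ch)
        out["".join(key).strip()] = "".join(val).strip()
    return out


def saved_token_bytes(properties_text: str) -> int:
    """Length in bytes of the saved token; the quoted value decodes to 32 random bytes."""
    value = parse_properties(properties_text)["client.saved_credentials.keys"]
    return len(base64.b64decode(value, validate=True))


class RememberMeStore:
    """Server side of an authentication ticket.

    The client receives an opaque random token; the server keeps only its
    SHA-256 plus the network it was issued to. A fast hash is fine here because
    the token has 256 bits of entropy (unlike a password), and hashing means a
    leaked ticket table cannot be replayed against the server.
    """
    TOKEN_BYTES = 32

    def __init__(self):
        self._tickets = {}  # sha256(token) hex -> (username, issuing network)

    @staticmethod
    def _network(ip: str) -> str:
        # Assumption for this example: IPv4 only, bound to the /24 of issue.
        return ".".join(ip.split(".")[:3]) + ".0/24"

    def issue(self, username: str, client_ip: str) -> str:
        """Called after a full password (and 2FA) login; returns the value the client saves."""
        token = secrets.token_bytes(self.TOKEN_BYTES)
        self._tickets[hashlib.sha256(token).hexdigest()] = (username, self._network(client_ip))
        return base64.b64encode(token).decode("ascii")

    def redeem(self, saved_value: str, client_ip: str):
        """Return the username for a valid ticket presented from its own network, else None."""
        try:
            token = base64.b64decode(saved_value, validate=True)
        except ValueError:
            return None                       # not a token at all
        if len(token) != self.TOKEN_BYTES:
            return None
        entry = self._tickets.get(hashlib.sha256(token).hexdigest())
        if entry is None:
            return None                       # unknown or already revoked
        username, network = entry
        if network != self._network(client_ip):
            return None                       # copied to another machine elsewhere: rejected
        return username
```

Worth noting for anyone inspecting their own config folder: the quoted value is 44 base64 characters, i.e. exactly 32 bytes, which is the size of a random token rather than of any bcrypt output (a bcrypt record is a 60-character `$2…$` string), consistent with Kyu's description.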
Posted (edited)
On 3/16/2018 at 7:40 PM, Kyu said:

I'm not trying to dog on you for this, but just to be clear for the sake of everyone's knowledge/safety: We have never offered a plaintext credential storage using the "Remember Me" function. You're mistaken. This is how it has always worked, since the system's initial implementation in 2014.

 

The hashes which are stored in savedcredentials.properties aren't real; they're just session tokens which are sent from the server when you request an authentication ticket. They do not represent your password in any way, shape or form. In fact, if you copy them over to another computer or you try to log in from a different network, you'll notice that they become invalid and your login will be rejected (this is to protect you against having your client stolen) because they're just session tokens.

*snipped*

The hashes are not hashes but session tokens.  Awesome.  I gotcha and I appreciate the clarification.

 

Update:  Someone went through the trouble of removing my forum posts on the issue as well as cleaning out the PokeMMO discord of mentions of the plaintext thing, so unless I have some screenshots I will be seen as a 'liar'.  GG.  I don't want to risk my game account over this so you win Kyu.  You win.  Have fun with it.

Edited by Daedalus007

Kyu   
Posted (edited)
On 3/18/2018 at 1:35 PM, Daedalus007 said:

 

Update:  Someone went through the trouble of removing my forum posts on the issue as well as cleaning out the PokeMMO discord of mentions of the plaintext thing, so unless I have some screenshots I will be seen as a 'liar'.  GG.  I don't want to risk my game account over this so you win Kyu.  You win.  Have fun with it.

 

That's alright. I'll help you out.

 

Here's a screenshot from my PTS folder from last July with the same savedcredentials.properties file and the same style of session token (omitting my username):

 

[Screenshot: QAsKEMC.png]

 

Now, I'm sure that we all know that "The Devs" are leet hackers and can change timestamps on a filesystem, but to be quite honest, if you believe that's what I'm doing here, then you're beyond hope. Anyone who participated in the last Public Test Server who turned on "Remember Me" can go look in their config folder and they'll find the same type of file.

 

We didn't find any Forums posts regarding plaintext passwords in the registry (deleted topics are actually kept for 60 days before they're permanently deleted) but we didn't look that hard. The only Discord messages I saw from you regarding the Windows Registry are from January 30th in #support, before I even joined Discord. You can go look at them by searching for "registry."

 

I don't really understand where this narrative of " 'The Devs' are trying to coverup something and turn everyone against Daedalus" is coming from, but I will say this: If I wanted you gone, I would have just banned you, because that's a shitload easier than faking things and letting you be a jerk on the forums. We have a lot better things to do with our time than conspire against forum trolls, so please stop with that. It's really obnoxious.

 

Since the OP's question has been answered by @Desu and there doesn't seem to be more to add, I'm closing this now.

Edited by Kyu

This topic is now closed to further replies.
