How does it know?

Blind Melon Chitlin
Imperial Academy
Amarr Empire
#1 - 2015-08-03 11:06:38 UTC
When I launch the launcher, and EvE is offline, how does it know if my password is correct? Does it authenticate to a different server? Is the password stored locally? (eek!)
Archibald Thistlewaite III
The Royal Society for the Prevention of Miners
#2 - 2015-08-03 11:08:32 UTC
CCP has installed cameras in all of our homes Mom's basements and they watch us type the password in.

User of 'Bumblefck's Luscious & Luminous Mustachio Wax'

Pytria Le'Danness
Placid Reborn
#3 - 2015-08-03 11:23:17 UTC
Blind Melon Chitlin wrote:
When I launch the launcher, and EvE is offline, how does it know if my password is correct? Does it authenticate to a different server? Is the password stored locally? (eek!)


Authentication is checked against different servers, most likely totally unrelated to the TQ servers.

Proof: you can access your account settings while TQ is down.


Also: brb, clearing my mom's basement.
Arline Kley
PIE Inc.
Khimi Harar
#4 - 2015-08-03 11:26:31 UTC
Depending on the method that CCP is using, it would send your password towards the authentication server, which would then request the server holding the password to send the value that it holds back. If those values match, it lets you in. If there is anything different about them, the authentication server declines your request to log on stating that they do not match.

The values are (should be) stored in a format that is readable by the machine, but not to a human (other than appearing as random letters and numbers). This would also extend that your local machine would not save a copy of your password locally unless you have written it down somewhere on your machine.

The server being offline would prevent the system allowing you to connect anyway - the server will not respond in a certain amount of time and the connection will not be established. Any password that has been sent to the authentication server should automagically be deleted (although will still appear filled in on the password box).

"For it was said they had become like those peculiar demons, which dwell in matter but in whom no light may be found." - Father Grigori, Ravens 3:57

Blind Melon Chitlin
Imperial Academy
Amarr Empire
#5 - 2015-08-03 11:34:18 UTC
Arline Kley wrote:
Depending on the method that CCP is using, it would send your password towards the authentication server, which would then request the server holding the password to send the value that it holds back. If those values match, it lets you in. If there is anything different about them, the authentication server declines your request to log on stating that they do not match.

The values are (should be) stored in a format that is readable by the machine, but not to a human (other than appearing as random letters and numbers). This would also extend that your local machine would not save a copy of your password locally unless you have written it down somewhere on your machine.

The server being offline would prevent the system allowing you to connect anyway - the server will not respond in a certain amount of time and the connection will not be established. Any password that has been sent to the authentication server should automagically be deleted (although will still appear filled in on the password box).


I know what "best practices" are, (it is my professional business) which is why I am asking the question.

As a user concerned with security, it would be nice to know.

As for the Game Server "letting me in or not", that is irrelevant. There are many "servers" in their "farm", it seems, such as one that hosts the forums, etc.

Authentication is obviously removed from the Game Server proper, but where does it actually reside?

Brian Harrelstein
Science and Trade Institute
Caldari State
#6 - 2015-08-03 11:45:45 UTC
With eve doing SSO, it'll be on its own server, probably on the same rack as all the other web stuff, or at the least, in the same data center... which I believe is in the UK. (but don't hold me to that last detail)
Chribba
Otherworld Enterprises
Otherworld Empire
#7 - 2015-08-03 11:53:21 UTC  |  Edited by: Chribba
How are you able to log in to the forums when TQ is offline... same way the launcher can log you in, the login servers are not tied to TQ itself, they are merely servers for authenticating you.

If you look at the EVE process after you launch the client from the launcher you will see that it is started with a "token" or authentication cookie that TQ will use to verify that you are already logged in. Hence the login-servers are separate from the game servers.

And shameless plug for my own site, but you can check http://eve-offline.net/ and you will see if the Game Servers, Login servers, account servers and so on are online. So one can be down while the other is up.

/c

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar

Blind Melon Chitlin
Imperial Academy
Amarr Empire
#8 - 2015-08-03 12:08:13 UTC
Chribba wrote:
How are you able to log in to the forums when TQ is offline... same way the launcher can log you in, the login servers are not tied to TQ itself, they are merely servers for authenticating you.

If you look at the EVE process after you launch the client from the launcher you will see that it is started with a "token" or authentication cookie that TQ will use to verify that you are already logged in. Hence the login-servers are separate from the game servers.

And shameless plug for my own site, but you can check http://eve-offline.net/ and you will see if the Game Servers, Login servers, account servers and so on are online. So one can be down while the other is up.

/c


First, let me say thank you for responding. You are legendary in the community, and the services you provide are invaluable at times.

That being said, I understand the "token" system, but the question remains:

Where is the password stored?

Locally, (again, EEEK!) or on the authentication server?



Tippia
Sunshine and Lollipops
#9 - 2015-08-03 12:16:05 UTC
Blind Melon Chitlin wrote:
That being said, I understand the "token" system, but the question remains:

Where is the password stored?

Locally, (again, EEEK!) or on the authentication server?

How does the question remain when it was answered in full?
Chribba
Otherworld Enterprises
Otherworld Empire
#10 - 2015-08-03 12:22:27 UTC
Blind Melon Chitlin wrote:
Chribba wrote:
How are you able to log in to the forums when TQ is offline... same way the launcher can log you in, the login servers are not tied to TQ itself, they are merely servers for authenticating you.

If you look at the EVE process after you launch the client from the launcher you will see that it is started with a "token" or authentication cookie that TQ will use to verify that you are already logged in. Hence the login-servers are separate from the game servers.

And shameless plug for my own site, but you can check http://eve-offline.net/ and you will see if the Game Servers, Login servers, account servers and so on are online. So one can be down while the other is up.

/c


First, let me say thank you for responding. You are legendary in the community, and the services you provide are invaluable at times.

That being said, I understand the "token" system, but the question remains:

Where is the password stored?

Locally, (again, EEEK!) or on the authentication server?




There's no password stored locally, when you input your password and press enter, it sends the password to CCP's login-servers where it authenticates your user - this happens regardless of the game servers being up or down.

If you mean where the login-servers store the password, then it is most likely storing it encrypted in some database on CCP's servers, nothing locally (any longer).

/c

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar

Blind Melon Chitlin
Imperial Academy
Amarr Empire
#11 - 2015-08-03 12:26:02 UTC
Chribba wrote:
Blind Melon Chitlin wrote:
Chribba wrote:
How are you able to log in to the forums when TQ is offline... same way the launcher can log you in, the login servers are not tied to TQ itself, they are merely servers for authenticating you.

If you look at the EVE process after you launch the client from the launcher you will see that it is started with a "token" or authentication cookie that TQ will use to verify that you are already logged in. Hence the login-servers are separate from the game servers.

And shameless plug for my own site, but you can check http://eve-offline.net/ and you will see if the Game Servers, Login servers, account servers and so on are online. So one can be down while the other is up.

/c


First, let me say thank you for responding. You are legendary in the community, and the services you provide are invaluable at times.

That being said, I understand the "token" system, but the question remains:

Where is the password stored?

Locally, (again, EEEK!) or on the authentication server?




There's no password stored locally, when you input your password and press enter, it sends the password to CCP's login-servers where it authenticates your user - this happens regardless of the game servers being up or down.

If you mean where the login-servers store the password, then it is most likely storing it encrypted in some database on CCP's servers, nothing locally (any longer).

/c



"If you mean where the login-servers store the password, then it is most likely storing it encrypted in some database on CCP's servers, nothing locally (any longer)."

That was my concern, and I appreciate you clearing up that concern for me. I will assume that the password sent from the client to the auth server is encrypted. It would boggle the sensibilities were it not, so I will take it as a given.

It is nice to see such helpful and knowledgeable people on the forums.

Thanks!
Chribba
Otherworld Enterprises
Otherworld Empire
#12 - 2015-08-03 12:28:12 UTC
The communication between your launcher and the login-servers is using SSL (https if you will) so yes it is encrypted.

/c

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar

Webvan
All Kill No Skill
#13 - 2015-08-03 13:16:50 UTC
Hamsters inside.

I'm in it for the money

Ctrl+Alt+Shift+F12

Best Korea
Leap Technologies
#14 - 2015-08-03 18:36:06 UTC  |  Edited by: Best Korea
Everyone keeps saying the passwords get sent across the Internet. True, encryption with SSL is used, but likely the passwords aren't being sent, but their hashes.

If done well, the hash is salted with some temporal variable. That would prevent replay attacks should SSL encryption be compromised.

Everyone is probably correct about the authentication servers being separate from TQ, but keep in mind another option for implementing network-based authentication is how Windows does it in a domain environment: the NTLM hash is stored locally so that if the domain server is down, a Logon Type 11 can occur (vs. Logon Type 2 for network auth) whereby auth is done against the hashed credential.

This, of course, has opened up security holes on its own prone to Golden & Silver Ticket attacks ("pass the hash").

On that same note, Windows 10 actually mitigates Pass The Hash attacks using a secure second kernel in a pretty nifty fashion.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#15 - 2015-08-03 18:56:05 UTC
When you log in using the launcher, you're logging into login.eveonline.com

This uses OAUTH2, and returns, to your launcher, a token. This token, for a period of time, can be used to authenticate an Eve client against TQ.

When you hit play, it starts an eve client, and gives it the token to auth.

The password is not stored on your PC. The token is stored in memory, on your pc, while the launcher is running.


(As an aside, OAUTH2 is how third party sites can have you authenticate against TQ, without needing you to give them your password. You click a link, it sends you to login.eveonline.com, with a client ID. You log in there as normal (or are remembered), pick a character, accept any scopes they ask for (permissions to look at stuff, or in the future, change things. Mail is a possibility here) then they send you back to the original site (by looking up the client id) with a token. The site takes that token, and talks directly to CCP, asking 'so who's this token belong to then? I'm site X, with this secret key.' At this point, you're identified to the site (character id, and a bit of text which is generated based on your account and character, so sites know if the character changes hands).)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
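
The third-party login flow described in post #15, as an added example that is not part of the original thread and not CCP's code: an in-memory model of the login server in which, as in the post, a single token stands in for OAuth2's authorization code and access token. The client id `site-x`, its secret, the scope name, the 60-second lifetime and the HMAC-based owner text are all assumptions made for the sketch.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)               # login server's private key (assumed)
CLIENTS = {"site-x": "constructed-client-secret"}  # registered third-party sites (constructed)
TOKEN_TTL = 60                                     # seconds a token stays redeemable (assumed)
_pending = {}                                      # token -> details of the login it came from

def owner_hash(account_id, character_id):
    """Text derived from account + character; differs once the character changes hands."""
    msg = f"{account_id}:{character_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:24]

def login_and_authorize(client_id, account_id, character_id, scopes, now=None):
    """The user logs in at the login server; the third-party site never sees the password."""
    if client_id not in CLIENTS:
        raise PermissionError("unknown client id")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    _pending[token] = {"client": client_id, "account": account_id,
                       "character": character_id, "scopes": tuple(scopes),
                       "expires": now + TOKEN_TTL}
    return token  # travels back to the site with the redirect

def identify(token, client_id, client_secret, now=None):
    """The site asks the login server directly: whose token is this?"""
    expected = CLIENTS.get(client_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        raise PermissionError("bad client credentials")
    entry = _pending.pop(token, None)  # consumed on first presentation, so it cannot be replayed
    if entry is None or entry["client"] != client_id:
        raise PermissionError("unknown token")
    now = time.time() if now is None else now
    if now > entry["expires"]:
        raise PermissionError("token expired")
    return {"character_id": entry["character"], "scopes": entry["scopes"],
            "owner_hash": owner_hash(entry["account"], entry["character"])}

if __name__ == "__main__":
    t = login_and_authorize("site-x", 1001, 9001, ["example.scope"])
    print(identify(t, "site-x", "constructed-client-secret"))
```
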

Unsuccessful At Everything
The Troll Bridge
#16 - 2015-08-03 19:18:50 UTC
Tippia wrote:
Blind Melon Chitlin wrote:
That being said, I understand the "token" system, but the question remains:

Where is the password stored?

Locally, (again, EEEK!) or on the authentication server?

How does the question remain when it was answered in full?


I'm getting worried about the mental health of the GD regulars. It seems like many are forgetting that they are not new to GD. First Loyd, now Tippia. Oh god... am I next!?!!?!?!?

Since the cessation of their usefulness is imminent, may I appropriate your belongings?

Sobaan Tali
Caldari Quick Reaction Force
#17 - 2015-08-04 00:30:12 UTC
Unsuccessful At Everything wrote:
Tippia wrote:
Blind Melon Chitlin wrote:
That being said, I understand the "token" system, but the question remains:

Where is the password stored?

Locally, (again, EEEK!) or on the authentication server?

How does the question remain when it was answered in full?


I'm getting worried about the mental health of the GD regulars. It seems like many are forgetting that they are not new to GD. First Loyd, now Tippia. Oh god... am I next!?!!?!?!?


That happens with old age.

"Tomahawks?"

"----in' A, right?"

"Trouble is, those things cost like a million and a half each."

"----, you pay me half that and I'll hump in some c4 and blow the ---- out of it my own damn self."

Maldiro Selkurk
Radiation Sickness
#18 - 2015-08-04 06:25:59 UTC
Archibald Thistlewaite III wrote:
CCP has installed cameras in all of our homes Mom's basements and they watch us type the password in.


I installed those cameras ......for...uh....um.....yes for CCP.

On a totally unrelated subject, some of you are very naughty and hot!

Yawn,  I'm right as usual. The predictability kinda gets boring really.

Zimmy Zeta
Perkone
Caldari State
#19 - 2015-08-04 07:44:52 UTC
Blind Melon Chitlin wrote:
How does it know?


Simple.
It puts the password in the basket or else it gets the hose again.

I'd like to apologize for the poor quality of the post above and sincerely hope you didn't waste your time reading it. Yes, I do feel bad about it.

Cypherous
Liberty Rogues
Aprilon Dynasty
#20 - 2015-08-04 10:01:46 UTC
Best Korea wrote:
Everyone keeps saying the passwords get sent across the Internet. True, encryption with SSL is used, but likely the passwords aren't being sent, but their hashes.

If done well, the hash is salted with some temporal variable. That would prevent replay attacks should SSL encryption be compromised.

Everyone is probably correct about the authentication servers being separate from TQ, but keep in mind another option for implementing network-based authentication is how Windows does it in a domain environment: the NTLM hash is stored locally so that if the domain server is down, a Logon Type 11 can occur (vs. Logon Type 2 for network auth) whereby auth is done against the hashed credential.

This, of course, has opened up security holes on its own prone to Golden & Silver Ticket attacks ("pass the hash").

On that same note, Windows 10 actually mitigates Pass The Hash attacks using a secure second kernel in a pretty nifty fashion.


No, the password will be sent, you should never be hashing something on a machine you don't have complete control over otherwise the salting and hashing is worthless as people can just reverse it from the client, the login server will do both the hashing and salting, you have much bigger issues than losing a password if SSL gets broken :P
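
The two designs argued over in posts #14 and #20, side by side, as an added example that is not part of the original thread and says nothing about how CCP's servers actually work. It assumes PBKDF2-HMAC-SHA256 with a 16-byte per-user salt for the server-side design and plain SHA-256 for the client-side one; the function names and the sample passphrase are constructed for the sketch.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # work factor assumed for this sketch

def server_register(password):
    """Login server receives the password over TLS, then salts and hashes it itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest  # this pair is what the database holds

def server_verify(password, record):
    """Recompute from the submitted password and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def client_side_hash(password):
    """Contrast design: the client hashes and the server stores what it was sent."""
    return hashlib.sha256(password.encode()).digest()

def client_hash_verify(submitted, stored):
    """In the contrast design the server can only compare the two values."""
    return hmac.compare_digest(submitted, stored)

def stored_value_as_login():
    """Report whether each design accepts its own database value as a login."""
    password = "constructed-sample-passphrase"
    strong = server_register(password)
    weak = client_side_hash(password)
    return {
        "server_hash_accepts_password": server_verify(password, strong),
        # Submitting the stored digest gets hashed again, so it does not match.
        "server_hash_accepts_db_value": server_verify(strong[1].hex(), strong),
        # Here the stored value is exactly what the server expects to receive.
        "client_hash_accepts_db_value": client_hash_verify(weak, weak),
    }

if __name__ == "__main__":
    for name, accepted in stored_value_as_login().items():
        print(f"{name}: {accepted}")
```

With client-side hashing alone, the hash becomes the credential, so a leaked database row is as good as the password; hashing on the login server keeps the stored value useless as a login.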