
Auth on wrong password

Quick find code: 278-279-658-66188702

Ownage Omg
Hmm said:
IMO, the OSRS approach of asking for 2FA regardless of the password is better than the RS3/Website approach.
What are you on about advantage? How is that an advantage? I literally explained why it's a disadvantage given that it allows people to find out if an account exists and the login name tried is correct/active. If it just throws you out the way RS3/site does then it means hackers won't know for sure if the username was even correct.

15-Nov-2020 18:00:32

Pepsi River
Ownage Omg said:
Hmm said:
IMO, the OSRS approach of asking for 2FA regardless of the password is better than the RS3/Website approach.
What are you on about advantage? How is that an advantage? I literally explained why it's a disadvantage given that it allows people to find out if an account exists and the login name tried is correct/active. If it just throws you out the way RS3/site does then it means hackers won't know for sure if the username was even correct.

Yeah, I think it poses a security risk for sure.
There's not a good enough reason it should ask for it with the wrong credentials in my opinion. The only reason I can even think there would be is it would allow someone who forgot their username to know if that was the correct one if they were guessing, but after so long they'd get "try again in 10 minutes" or whatever anyway, and that doesn't seem worth letting hackers know if it's a real username.
But does it say invalid password after entering the correct auth? It'd be nearly impossible for someone to actually hack an account using these methods, because they wouldn't even know if they were entering the right password unless they got the auth code correct. Or am I mistaken? I hadn't thought about this. I highly doubt it would let someone log in without entering the correct password. Still though, I don't think it should work like this personally.

15-Nov-2020 18:18:01 - Last edited on 15-Nov-2020 18:23:06 by Pepsi River

Hmm
Ownage Omg said:
Hmm said:
IMO, the OSRS approach of asking for 2FA regardless of the password is better than the RS3/Website approach.
What are you on about advantage? How is that an advantage? I literally explained why it's a disadvantage given that it allows people to find out if an account exists and the login name tried is correct/active. If it just throws you out the way RS3/site does then it means hackers won't know for sure if the username was even correct.


I wrote an entire post on why I consider it an advantage; just because you disagree or think the username enumeration is worse doesn't mean I wasn't clear on my rationale.

But usernames are not considered private information. They are usernames; hiding a username is security through obscurity and is not real security. But revealing that a password is correct is an information disclosure of private information; this is an actual flaw. Knowing someone's username isn't in basically every major system.

In reality, I don't think it's an actual flaw at all, because it relies on too many magical "what if" scenarios where brute force attempts of the online database are trivial, which isn't the norm.

Pepsi River said:
But does it say invalid password after entering the correct auth? It'd be nearly impossible for someone to actually hack an account using these methods, because they wouldn't even know if they were entering the right password unless they got the auth code correct. Or am I mistaken? I hadn't thought about this. I highly doubt it would let someone log in without entering the correct password. Still though, I don't think it should work like this personally.

If you fail the 2FA, you get the same message as if you fail the password. However, because you are asked for both but not told which of the two is incorrect, you cannot determine which it was, or even if either was correct at all.

15-Nov-2020 18:59:05 - Last edited on 15-Nov-2020 19:11:36 by Hmm

Pepsi River
Hmm said:
If you fail the 2FA, you get the same message as if you fail the password. However because you are asked for both but not told which is incorrect

I thought so.

But I disagree with you still; username/email should be kept as private information, and there are clear disadvantages to people knowing your login.
One disadvantage is they can spam incorrect credentials to block you out of using your account. This is usually only an issue for twitch streamers but is still a possibility.

15-Nov-2020 19:17:09 - Last edited on 15-Nov-2020 19:25:55 by Pepsi River

Hmm
I concede that not knowing the username has an implicit advantage, but it is not a security related advantage. DOS from spamming login attempts is fixable by Jagex by blacklisting the individual networks making the requests; it is not something most people need to consider unless they are on a Zezima level of prestige where other offers are available (such as changing the username). Jagex could enable login via GPG keys like SSH if they wanted and remove the need for usernames at all. They could send links to your email address where you don't even have a username nor a password but temporary sign in tokens. So yes, it's some concern DOS could happen if you know a username, but it is not an authentication problem.

The system that would fix not being able to enumerate usernames is neither OSRS nor RS3; it is a system that asks for password and 2FA like OSRS, even if the user does not exist and even if they do not have 2FA, and adds a button that says "I don't have 2FA" alongside the option to enter it if they do.

And this is bound to confuse people, but it prevents username enumeration.

The choices so far however have been do it how OSRS does or do it how the website and RS3 do, but the only actual good option is option 3, fixing everyone's problems. (And irritating everyone without 2FA, confusing people into thinking they have an account with a username that doesn't actually exist such as if they change their name or get confused on login names or emails, and generally requiring more effort.)

15-Nov-2020 19:21:10 - Last edited on 15-Nov-2020 19:26:56 by Hmm

Pepsi River
Hmm said:
(And irritating everyone without 2FA, confusing people into thinking they have an account with a username that doesn't actually exist such as if they change their name or get confused on login names or emails, and generally requiring more effort)

I'm confused, I tried for like 3 minutes to wrap my head around what you meant.
Could you please try to clarify this last part?

15-Nov-2020 19:29:13

Hmm
If you pick option 3, where username/password/2fa are all verified at the same time, the interface for doing this is misleading.

In exchange for preventing username enumeration, it confuses users.

Users on the account help forums are regularly confused about what their accounts are called (they change their display name and think the username has changed, they change email and think the login name has changed, etc.). The system that prevents knowing which usernames exist only works by pretending every username exists, so it's a support burden. How do you help users sending recovery requests for what they think is their account, but doesn't actually exist?

Similarly, asking whether an account even has 2FA is a support burden, a user might not realise a hacker has set 2FA, a user might forget they have set 2FA, a user might not even know what 2FA is, they might not understand what clicking the button means, or enter random values, no other service asks for 2FA if you don't have it.

Basically, the option I propose which fixes all of 0wnage's problems, does it by creating other problems in terms of the user interface that confuses users and leads to more problems itself.

Everything is a tradeoff.

Sticking with just the OSRS or RS3 style approach, I'm adamant that OSRS's is better. I appreciate you disagree though, and can understand why, but I think the concerns of DOS are treatable separately via other policies such as blacklisting networks (which does already happen).

15-Nov-2020 19:32:39 - Last edited on 15-Nov-2020 19:34:55 by Hmm

Maynne (Forum Moderator)
Hmm said:
As noted above, OSRS client works differently to RS3 and the website.

In OSRS, it appears as above. 2FA is asked for even if the PW is wrong.

In RS3 and the Website, this is not the case.

Which method is better?

OSRS has advantages in that you will not know if the password you entered is correct. You only know that EITHER the password OR 2FA was wrong. You do not know which, or even if they were correct at all. This means in the situation of a brute force attack (which generally don't happen, but regardless), you will never know you got the correct password unless you ALSO got the correct 2FA at the time of entering it. This is actually preferable to knowing you got the correct password but not the correct 2FA, because the second you knew the password is correct you can stop brute forcing that particular bit, or use it in recovery requests, or in attempts to scam the owner ("i know your password, give me 100m or I'll macro on your account and get you banned" or something similar), or try use the same password on their email account and such.

In RS3 and the Website, if you do not get the 2FA prompt, you know the password was incorrect. If you do get the prompt, you know the password is correct, leading to the blackmail problems / appeal problems above.

IMO, the OSRS approach of asking for 2FA regardless of the password is better than the RS3/Website approach.
I agree, people just need to chill out. It is not really a problem either way; besides, there are lots of legacy accounts right now, for which the login name is the account name, who have 0 history of being hijacked through brute-force or similar techniques.

If you witness someone crying here in RSOF for being hijacked, it was because they fell for a scam or got phished. The easiest way to get scammed or phished these days is if greed overtook one's better judgement and critical thinking.

15-Nov-2020 21:35:18
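The three flows Hmm compares (the website/RS3 flow, the OSRS flow, and the "ask for password and 2FA up front, with an 'I don't have 2FA' button" option 3 from the earlier posts), modelled side by side as an added example. This is illustrative code written for this page, not Jagex's client or server code. The account names, passwords and six-digit "secret" are constructed placeholders, and the toy authenticator treats the stored secret as the one code that verifies instead of computing real TOTP. The only thing an outsider sees is the returned response string, so each flow's leak is exactly the set of probes it answers differently.

```python
"""Side-by-side model of three login flows and what their responses reveal."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

INVALID = "invalid_login"   # the single generic failure message
PROMPT_2FA = "prompt_2fa"   # client goes on to ask for an authenticator code
SUCCESS = "success"


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo dependency-free; a real service would use argon2id.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[str]   # None: no 2FA set up on this account


def make_account(password: str, totp_secret: Optional[str] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _kdf(password, salt), totp_secret)


# Constructed sample accounts (placeholder names and secrets).
ACCOUNTS = {
    "zezima": make_account("correct-horse", totp_secret="123456"),  # has 2FA
    "pepsi": make_account("battery-staple"),                        # no 2FA
}
# Unknown usernames are checked against this throw-away account so the code
# path, and its cost, is identical whether or not the name exists.
_DUMMY = make_account(secrets.token_hex(32))


def _password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_kdf(password, acct.salt), acct.pw_hash)


def _second_factor_ok(acct: Account, code: Optional[str]) -> bool:
    # Toy authenticator: the stored secret is the one code that verifies.
    # code=None stands for the "I don't have 2FA" button, which is only the
    # right answer for an account that really has no 2FA.
    if acct.totp_secret is None:
        return code is None
    return code is not None and hmac.compare_digest(acct.totp_secret, code)


# Flow 1: website / RS3 style. The 2FA prompt appears only once the password
# has passed, so the prompt itself confirms the password.
def website_login(username: str, password: str) -> str:
    acct = ACCOUNTS.get(username)
    if acct is None or not _password_ok(acct, password):
        return INVALID
    return PROMPT_2FA if acct.totp_secret else SUCCESS


# Flow 2: OSRS style. 2FA is requested whenever the account has it, before the
# password is judged, so the prompt confirms the username exists (with 2FA)
# but says nothing about the password.
def osrs_login(username: str, password: str) -> str:
    acct = ACCOUNTS.get(username)
    if acct is not None and acct.totp_secret:
        return PROMPT_2FA
    return SUCCESS if acct is not None and _password_ok(acct, password) else INVALID


def osrs_submit(username: str, password: str, code: str) -> str:
    acct = ACCOUNTS.get(username, _DUMMY)
    # Evaluate both factors unconditionally (no short-circuit) so the reply
    # never depends on which one failed.
    ok = _password_ok(acct, password) & _second_factor_ok(acct, code)
    return SUCCESS if ok else INVALID


# Flow 3: Hmm's proposal. Username, password and 2FA (or the "no 2FA" button)
# are collected together and answered with one generic result, even for
# usernames that do not exist.
def option3_login(username: str, password: str, code: Optional[str]) -> str:
    acct = ACCOUNTS.get(username, _DUMMY)
    ok = _password_ok(acct, password) & _second_factor_ok(acct, code)
    return SUCCESS if ok else INVALID


def distinguishable(flow, *probes) -> bool:
    """True if the flow answers any two of the probes differently."""
    return len({flow(*p) for p in probes}) > 1


if __name__ == "__main__":
    print("website, wrong vs right password:",
          website_login("zezima", "wrong"), website_login("zezima", "correct-horse"))
    print("osrs, unknown vs known user:",
          osrs_login("nobody", "wrong"), osrs_login("zezima", "wrong"))
    print("option3, unknown user / wrong pw / wrong code:",
          option3_login("nobody", "x", None), option3_login("zezima", "wrong", None),
          option3_login("zezima", "correct-horse", "000000"))
```

Running it shows the three leaks the thread argues about: the website flow answers a wrong and a right password differently (the prompt is the disclosure Hmm objects to), the OSRS flow answers an unknown and a known 2FA-protected username differently (the enumeration Ownage objects to), and option 3 returns `invalid_login` for every failing probe, at the price of asking everyone for a second factor they may not have. The dummy-account lookup and the non-short-circuiting `&` are what keep option 3's answer, and its timing, independent of which part was wrong.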

Pepsi River
A lot of the "legacy" account people probably changed their display name by now.
Those accounts would be the only ones someone might figure out the login for; trying to guess an email would be ridiculous. Trying to guess any login credential is ridiculous when there's 0% chance the person will manage to get into the account even if they do find a valid username/email.
I agree that if someone gets hacked it was undoubtedly because they fell for a scam or trusted something untrustworthy.

15-Nov-2020 21:53:49 - Last edited on 15-Nov-2020 22:11:43 by Pepsi River
