Adding unsafe username and password set #175

Open
wants to merge 5 commits into base: master

Conversation

WaterArchery

This PR helps server owners add protection against user credentials leaked from other servers. For example, https://haveibeenpwned.com/PwnedWebsites#CraftRise: CraftRise leaked 2.5m users' info together with their passwords.

Server owners can simply add the leaked username and password combinations to the "unsafe_pass_user_set.txt" file in "user:pass" format. When a player tries to register with a password that is in the leak list together with his user name, he will receive an error.

@ghost

ghost commented Sep 23, 2024

I don't see how this is better than the unsafe passwords list. It's much better when a leaked password can't be used at all, not just for one specific username.

@WaterArchery (Author)

> I don't see how this is better than the unsafe passwords list. It's much better when a leaked password can't be used at all, not just for one specific username.

It is better than the unsafe password list for a very simple reason: it is controlling user names. For example, with the CraftRise passwords, people who are trying to steal accounts try those passwords with the leaked usernames.

If you block 2.5 million passwords all together for all usernames, people won't be able to use their passwords because many of the possible combinations will be blocked.

@ghost

ghost commented Sep 23, 2024

If the passwords are leaked, they are leaked and shouldn't be used, regardless of whether the password is attached to any username. For example, the linked haveibeenpwned website doesn't check username:pass combos; it checks only emails or only passwords with k-anonymity. Additionally, leaked passwords aren't checked for registered players in your implementation anyway; with some leaks coming soon (not foreshadowing any, just saying they'll happen), it's pretty useless, as vulnerable user:pass combos will be registered.

@WaterArchery (Author)

> If the passwords are leaked, they are leaked and shouldn't be used, regardless of whether the password is attached to any username. For example, the linked haveibeenpwned website doesn't check username:pass combos; it checks only emails or only passwords with k-anonymity. Additionally, leaked passwords aren't checked for registered players in your implementation anyway; with some leaks coming soon (not foreshadowing any, just saying they'll happen), it's pretty useless, as vulnerable user:pass combos will be registered.

It is very absurd to block every password that is leaked. It will probably block most of the human-like password combinations that have words in them. Also, hackers tend to steal Minecraft accounts with the user:password combo instead of trying all leaked passwords. This system will warn users to use another password while registering. He can just use a different password with 1 letter changed and it will dodge the account stealer easily with this setup.

Also, I check the user:pass combo on new registrations in my implementation.
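As an added illustration (not code from this PR or the project), here is a stand-alone Python sketch of the check the PR describes and the alternative argued for in the comments: it parses the `user:pass` file, refuses a registration whose username and password pair is on the list, and, behind a switch, can also refuse any leaked password regardless of username. It assumes usernames compare case-insensitively and keeps the list in memory as SHA-256 digests rather than plaintext; the file name and sample entries are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample in the PR's "user:pass" file format (not the project's data).
SAMPLE_LEAK_FILE = """\
# constructed example of unsafe_pass_user_set.txt
Steve:hunter2
Alex:p@ss:word
notch:correcthorse
"""


def _combo_key(username: str, password: str) -> str:
    # Assumption: usernames compare case-insensitively. The NUL separator keeps
    # ("ab", "c") and ("a", "bc") from hashing to the same key.
    return hashlib.sha256(f"{username.lower()}\0{password}".encode()).hexdigest()


def _password_key(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class LeakSet:
    """Leaked credentials kept as SHA-256 digests so the plaintext list stays on disk only."""
    combos: set = field(default_factory=set)     # digests of user+pass pairs
    passwords: set = field(default_factory=set)  # digests of passwords alone

    @classmethod
    def parse(cls, text: str) -> "LeakSet":
        leaks = cls()
        for lineno, line in enumerate(text.splitlines(), start=1):
            if not line.strip() or line.startswith("#"):
                continue  # blank line or comment
            if ":" not in line:
                raise ValueError(f"line {lineno}: expected user:pass")
            # Split on the first colon only, so a password may itself contain ':'.
            # Whitespace inside the password is kept as-is.
            user, password = line.split(":", 1)
            leaks.combos.add(_combo_key(user, password))
            leaks.passwords.add(_password_key(password))
        return leaks


def check_registration(leaks: LeakSet, username: str, password: str,
                       block_any_leaked_password: bool = False):
    """Return None if registration may proceed, otherwise the reason it is refused."""
    if _combo_key(username, password) in leaks.combos:
        return "this username/password pair appears in a credential leak"
    if block_any_leaked_password and _password_key(password) in leaks.passwords:
        return "this password appears in a credential leak"
    return None
```

With the switch off, `Alex` may still register with `hunter2` (another user's leaked password); with it on, that is refused too, which is exactly the trade-off the two commenters disagree about.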
