Concerns about account safety

  • Concerns about account safety

    So I came back from a long break, installed the game and logged back into it. Eager to start gathering.

    After a while something popped up in the back of my head: I remembered that my full login information was stored in plain text back when I played, so I popped open regedit hoping to see an improvement there. Sadly, I was disappointed. Account login information is still stored in plain text. Sure enough, there is a HWID (hardware identifier) now, which is useful, yes, but that is just evading the problem. Consider that most people use the same password for everything, hence there is a good chance that the password found in the registry will also work for the email found. And yes, blah blah, 2-factor auth or other shit on the email provider, that's good and all, but do you (Albion devs) really want to rely on a third party? It would make sense to anyone, even people who have no clue what programming is or how it works, that storing a user's login information in plain text is a bad idea.

    Is the user's account safety not being valued? I wish to avoid using the word incompetence, but c'mon, plaintext, really?
    I am quite uncomfortable with the fact that my login information is being stored simply in plain text.

    For those who wish to see for themselves:
    1. Windows + R
    2. regedit
    3. press Enter :O
    4. open up HKEY_CURRENT_USER
    5. open up SOFTWARE
    6. open up Sandbox Interactive GmbH
    7. open up Albion Online Client
    8. scroll down and double click either login.accountname_blahblab or login.password_blahblah

    As a user you might ask: "How is this important? Why is that a bad thing?"
    Well, the thing is, any program is able to read that information. If a malicious program then gets onto your computer and just casually reads your precious information and sends it off to god knows where, then well, you are fucked: malicious person X now has your email address and password.

    Sidenote: virus scanners are far from perfect and malicious programmers keep innovating on a day-to-day basis. It's a game of cat and mouse, and I'd rather not have my account safety depend on a cat and mouse game.

    Sidenote 2: it doesn't always have to be some shady software that does malicious things, or that new porn site you visited; more often than not it is good programs in disguise. One example that comes to mind: let's say some lovely user X on here made a program that could help you track crafting materials required and resources owned (sorry if someone actually made that, I had no intention of targeting you specifically). Great and all, but behind the scenes it could just grab your information and you'd have no idea it even happened.

    Me being a little irritated, I decided to make a test application that would read your precious information and send it off to a server somewhere. I made it in C# (a programming language used by Albion itself; I found it rather fitting to do it that way). As I think it would not be appreciated if I posted the source code here, I will not do that; however, it did work flawlessly, took me around 5 min and 3 sips of coffee, and here is the VirusTotal scan I did on it:
    virustotal.com/en/file/64e1caa…0fde/analysis/1478395832/

    If it would be allowed to post the source, please let me know and I'll happily add it in, although anyone who can write a little bit of C# and google "C# reading registry keys" can remake the exact program I made.

    Anyways, I might sound a little rant-ish, but I felt like it did not belong in the rants section; if ya disagree just move it, lel.

    sadface
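The regedit walk in the post above, done as a script. This is an added example, not the poster's C# tool and not anything from Sandbox Interactive: it enumerates the values under the registry path named in the post and flags any `login.*` value that decodes to readable text, which is exactly the condition that lets any process running as the user read it. Two assumptions are baked in and labelled in the code: that the game stores these values the way Unity PlayerPrefs does on Windows (REG_BINARY text with a trailing NUL, or REG_DWORD, with a `_h<hash>` suffix on each name; the post elides the real suffix), and that the sample values used when the script is not run on Windows are constructed for the example.

```python
"""Audit a registry key for credentials stored as readable text.

Added example (not the forum poster's C# tool, not the game's code). It walks
the key path named in the post and flags any value whose name starts with
"login." and whose data decodes to printable text. Assumptions: Unity
PlayerPrefs-style layout (REG_BINARY holding UTF-8 text plus a trailing NUL, or
REG_DWORD) and a "_h<hash>" suffix appended to each value name; the real
suffix is not shown in the post, so names are matched on their prefix only.
"""
import string
import sys

# winreg value-type constants (same numeric values as winreg.REG_*), defined
# here so the classification logic also runs on non-Windows hosts.
REG_SZ = 1
REG_BINARY = 3
REG_DWORD = 4

KEY_PATH = r"SOFTWARE\Sandbox Interactive GmbH\Albion Online Client"  # path from the post
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_value(data, kind):
    """Return the value as text if it is readable text, else None."""
    if kind == REG_SZ:
        text = data
    elif kind == REG_BINARY:
        try:
            text = bytes(data).rstrip(b"\x00").decode("utf-8")
        except UnicodeDecodeError:
            return None  # opaque binary blob, not a string
    else:
        return None  # DWORDs and other kinds are not strings
    if text and all(ch in PRINTABLE for ch in text):
        return text
    return None


def strip_suffix(name):
    """Drop an assumed Unity-style '_h<digits>' suffix: 'login.password_h123' -> 'login.password'."""
    base, sep, suffix = name.rpartition("_")
    if sep and suffix.startswith("h") and suffix[1:].isdigit():
        return base
    return name


def classify_values(values):
    """values: iterable of (name, data, kind) as winreg.EnumValue returns them.

    Returns [(base_name, text)] for every login.* value stored as readable
    text, i.e. recoverable by any process running as this user.
    """
    findings = []
    for name, data, kind in values:
        base = strip_suffix(name)
        if not base.startswith("login."):
            continue
        text = decode_value(data, kind)
        if text is not None:
            findings.append((base, text))
    return findings


def read_registry_values(path=KEY_PATH):
    """Enumerate (name, data, kind) for a key under HKCU. Windows only."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        return [winreg.EnumValue(key, i) for i in range(count)]


# Constructed sample mirroring the layout described in the post; names,
# suffixes and contents are made up for this example.
SAMPLE_VALUES = [
    ("login.accountname_h1234", b"alice@example.invalid\x00", REG_BINARY),
    ("login.password_h5678", b"hunter2\x00", REG_BINARY),
    ("hwid_h9999", b"\x8f\xa3\x01\x00\xde\xad", REG_BINARY),  # opaque bytes, not text
    ("Screenmanager Resolution Width_h182", 1920, REG_DWORD),
]


def main():
    values = read_registry_values() if sys.platform == "win32" else SAMPLE_VALUES
    for base, text in classify_values(values):
        # Report that the value is readable without echoing the whole secret.
        print(f"{base}: stored as readable text ({len(text)} chars, starts with {text[:2]!r})")


if __name__ == "__main__":
    main()
```

On a Windows host the script reads the live key; anywhere else it runs over the constructed sample so the classification logic can be exercised. The finding it produces is the same one the post makes by hand: no privilege beyond the user's own is needed to recover the values.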
  • Hi HyunMi,

    you are not wrong, but there is no way for us to make this secure.

    If you are afraid of malicious software on your machine (and that is a completely valid concern), you should never save a password in any application. Not in Albion, not in your web browser, not anywhere else.

    Encryption does not help here, because the game needs to be able to decrypt and send the password on login, so the encryption key needs to be stored somewhere as well and can be stolen in the same way...

    As an example, Firefox encrypts the password database, but since it stores the encryption key right next to it, that is pretty much futile (see here: raymond.cc/blog/how-to-find-hidden-passwords-in-firefox/).

    So yes, the only way to be safe is to never store a password. (Then again, if you have malicious software on your computer, there may very well be a key logger installed and you are screwed anyway. Well, life is a dangerous place.)

    David
  • If I may add one more thing: the way to go is of course two-factor authentication, since you would have to break into two devices instead of just one.

    We already have a light version of that: if you log in from a new device, you will have to do an email verification. Account theft is way down since we introduced this. The only people who still get their accounts stolen are those who use the same password for Albion and their email account (or the email account is otherwise compromised).
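The reply above argues for a second factor that lives on a different device from the one holding the stored password. As an added example (not Sandbox Interactive's login code, and not a description of how Albion's email verification works), here is the standard time-based one-time password scheme (RFC 6238 TOTP, built on RFC 4226 HOTP) that authenticator apps implement, together with the server-side check. Assumptions: SHA-1, 6 digits and a 30-second step, which are the authenticator-app defaults; the secret used for the demonstration is the RFC 6238 test secret, and a real deployment would generate a random per-account secret and store it only on the server and the second device.

```python
"""RFC 6238 TOTP: a second factor held on a separate device.

Added example, not the game's login code. Implements the time-based one-time
password scheme used by authenticator apps plus the server-side check with a
small clock-skew window. Assumed parameters: HMAC-SHA1, 6 digits, 30 s steps.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the counter, as zero-padded digits."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or up to `window` steps either side.

    Each candidate is compared with hmac.compare_digest so the comparison time
    does not depend on how many leading digits matched.
    """
    if len(code) != digits or not code.isdigit():
        return False
    counter = unix_time // step
    matches = [
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    ]
    return any(matches)


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real
# deployment generates a random secret per account at enrolment time.
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    # 8-digit RFC 6238 vectors for SHA-1, e.g. T=59 -> 94287082.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(RFC_SECRET, t, digits=8))
    print("verify:", verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), 59))
```

Because the secret never touches the gaming PC's registry, a program that scrapes `login.password` there still cannot complete a login; the same malware would have to compromise the phone (or whichever device holds the secret) as well. The window of one step either side tolerates clock drift between the two devices; a server should also refuse to accept the same code twice within a step, which this minimal example does not track.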