Account security


Author Topic: Account security (Read 655 times)
«Avenger»
Operator
Posts: 8
Account security
14 Aug 2015, 05:16AM
As a matter of policy Frontier does not disclose details of how it protects sensitive information as the dissemination of such details can itself be a security risk.
(Emphasis added) Security through obscurity is no security at all; a cryptosystem is just as secure if you know its details. In that vein, we are happy to share the details of our security.

The account database uses stretched and salted, cryptographically hashed passwords:
Additional security considerations:
Needless to say, we can't tell you your password if you forget it. But you can change it yourself.
Avenger's Tremulous stuff site
Tremulous map site (or a list of Tremulous maps and mods)
« Last edit: 05 Jan 2017, 07:36AM by «Avenger» »
«Avenger»
Operator
Posts: 8
How this site measures against NIST's rules
20 Aug 2016, 10:42PM
Stop making users jump through hoops that don't improve security
There are very few specific rules about what characters are allowed or required, or length, just that you cannot use "common" passwords

Require passwords to be at least 8 characters long
It is impossible for this site to determine how many characters were used. It does nevertheless try to encourage you to use at least 4 characters

Accept passwords with maximum length of at least 64 characters
If JavaScript is enabled in your browser, your password can be arbitrarily long. If JavaScript is disabled, your password can still be at least a few thousand characters long.

Check passwords against a list of known-bad passwords
This website prevents the use of about 5 million known-bad passwords. That can be expanded arbitrarily (importantly, without noticeably impacting performance).

No composition rules (e.g., "must include special characters")
This site never had and never will have composition rules

No password hints
Ditto

No "knowledge-based authentication" (e.g., "your pet's first name")
Ditto

No expiration without a reason
Ditto


Recommendations
HMAC-SHA family
As described above, passwords are hashed using SHA-2, but the scheme is not HMAC-compliant.

PBKDF2 with at least 10,000 iterations
As described above, passwords are stretched with 65,536 iterations, but the key derivation is not PBKDF2-compliant. Previously, "only" 16,384 iterations were used.

Do not use SMS as a second factor for two-factor authentication
SMS authentication has always been optional and does not work anymore anyway
Avenger's Tremulous stuff site
Tremulous map site (or a list of Tremulous maps and mods)
« Last edit: 27 Nov 2016, 06:26PM by «Avenger» »
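Added example, not code from the forum or from the site being described: the salted, stretched password storage and the known-bad-password check that the two posts discuss, written the way NIST's recommendations above phrase it (PBKDF2-HMAC-SHA256) with the 65,536-iteration count the post states. The function names, the `algorithm$iterations$salt$digest` storage string, the policy thresholds and the five-entry blocklist (a constructed stand-in for the site's roughly five million entries; a hash set gives constant-time membership tests however large it grows) are all assumptions of this example. The `needs_rehash` check shows how storing the iteration count alongside the hash lets accounts hashed at the earlier 16,384 count be upgraded transparently at their next successful login.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters for this example (not the site's real configuration).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 65_536          # the post's current stretching count
MIN_LENGTH = 8               # NIST minimum; the post only "encourages" 4
SALT_BYTES = 16

# Constructed blocklist standing in for a multi-million-entry list.
# Membership in a frozenset is O(1), so size does not affect login speed.
KNOWN_BAD = frozenset({"password", "123456", "qwerty", "letmein", "tremulous"})


def password_policy_errors(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately no composition rules and no upper length bound, matching
    both the NIST guidance and the site's stated policy.
    """
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in KNOWN_BAD:
        errors.append("appears on the known-bad password list")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, stretched hash and pack it with its parameters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)        # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True when the record was made with fewer iterations than the current
    setting (e.g. the earlier 16,384), so it should be re-hashed after the
    user next authenticates successfully."""
    algorithm, iterations, _salt, _digest = stored.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("wrong password ok:", verify_password(record, "correct horse battery"))
    print("policy errors for '123456':", password_policy_errors("123456"))
```

The stored string carries everything needed to verify the password except the password itself, which is also why a site built this way cannot tell a user their forgotten password; it can only let them set a new one.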