Betaserv & EVIL - Account security

Account security

Welcome, Guest. Please Log in or Sign up.

Pages 1
Author	Topic: Account security (Read 978 times)
«Avenger» Operator Posts: 8	Account security 14 Aug 2015, 09:16AM
	As a matter of policy Frontier does not disclose details of how it protects sensitive information as the dissemination of such details can itself be a security risk. (Emphasis added) Security through obscurity is no security at all; a cryptosystem is just as secure if you know its details. In that vein, we are happy to share the details of our security. The account database uses stretched and salted, cryptographically hashed passwords: The password is irreversibly obscured (hashed) using the SHA-512 cryptographic hashing function A random number at least 128 bits long (salt), generated with an Indirection, Shift, Accumulate, Add, and Count cryptographically secure pseudorandom number generator, is added to the password hash Salting and hashing is performed 65,536 times (stretching) to make brute force attacks take longer Timing attacks are impossible because the login phase always takes the same amount of time Additional security considerations: This site uses a secure HTTPS configuration and can be connected to with HTTPS with all recent browsers (including Internet Explorer 11 and Microsoft Edge) With Javascript enabled, your password will never be sent in the clear You can enable two-factor authentication to prevent unauthorized logins You can also view and terminate your current sessions Additional measures have been taken to make session hijacking harder. You can make it even harder by only connecting over HTTPS and logging out when you are done Many account-related settings require re-authenticating with a password to change Needless to say, we can't tell you your password if you forget it. But you can change it yourself. Avenger's Tremulous stuff site Tremulous map site (or a list of Tremulous maps and mods)
	« Last edit: 08 Dec 2017, 10:01AM by «Avenger» »	Address logged
«Avenger» Operator Posts: 8	How this site measures against NIST's rules 21 Aug 2016, 02:42AM
	Stop making users jump through hoops that don't improve security There are very few specific rules about what characters are allowed or required, or length, just that you cannot use "common" passwords Require passwords to be at least 8 characters long It is impossible for this site to determine how many characters were used. It does nevertheless try to encourage you to use at least 4 characters Accept passwords with maximum length of at least 64 characters If Javascript is enabled in your browser, your password can be arbitrarily long. If Javascript is disabled, your password can still be at least a few thousand characters long. Check passwords against a list of known-bad passwords This website prevents the use of about 5 million known-bad passwords. That can be expanded arbitrarily (importantly, without noticeably impacting performance). No composition rules (e.g., "must include special characters") This site never had and never will have composition rules No password hints Ditto No "knowledge-based authentication" (e.g., "your pet's first name") Ditto No expiration without a reason Ditto Recommendations HMAC-SHA family As described above, passwords are hashed using SHA-2, but not HMAC compliant PBKDF2 with at least 10,000 iterations As described above, passwords are stretched with the equivalent of 32,768 iterations of PBKDF2 (because each PBKDF2 iteration actually does two hashes), but key derivation is not PBKDF2 compliant. Previously, the equivalent of 8,192 iterations of PBKDF2 were performed Do not use SMS as a second factor for two-factor authentication SMS has been disabled as a second factor Avenger's Tremulous stuff site Tremulous map site (or a list of Tremulous maps and mods)
	« Last edit: 13 May 2019, 11:53AM by «Avenger» »	Address logged
«Avenger» Operator Posts: 8	Two-factor authentication 30 Nov 2017, 09:24AM
	Two new methods have been added for two-factor authentication Authenticator app This works with Google Authenticator or compatible programs Email Sends an email with a confirmation code any time you want to log in Avenger's Tremulous stuff site Tremulous map site (or a list of Tremulous maps and mods)
	« Last edit: 30 Nov 2017, 09:24AM by «Avenger» »	Address logged
Pages 1