How about it? Getting tired of having to input my password each time I start the launcher.
LAUNCHER Remember password
There is a certain security aspect to this. Fireteam supports remembering logins without actually storing the password in clear text but someone could still walk away with the security token if he gets access to your computer. I kinda wish Windows would have a keychain like OS X does.
Not sure what you mean with token, but I assume you mean some kind of password hash file: Is this really so much of a danger? Windows (at least used to) leave a hash file of your password too, it’s not that much of a security risk in my opinion at least (I’m not a software engineer though!)
I find it more worrying that my bank has an Android app that keeps me logged in indefinitely, and that’s on a device I carry around all the time, could leave anywhere, get mugged, etc.
On my home PC I don’t have as much worry, Steam auto logs-in btw.
Password remembering may not be a danger on a released product, but for a pre-release alpha, storing the password is usually a disabled feature.
The Windows account password hashes are only readable for the system user. So you need to reboot into a separate operating system mode to override them and you can never read them. No such privilege exists for user space applications in Windows. It’s enough concern for Blizzard, ArenaNet and Riot games at least.
Well the site offers remembering password already…
(I don’t really mind, but couldn’t they do the same thing with your forum account?)
It works differently though. If you tick the “keep me signed in” thing it gives you a cookie with a specially crafted token* that allows your browser to sign you in later automatically. However you can’t go to your browser and take that token to run away with a game. Every change in the account settings that could be used to steal your account requires the password again and you can’t take the browser’s token to sign into the actual game.
As mentioned it’s technically possible, we’re just not yet sure how we feel about it.
*token = large random number unique to a specific use, such as keeping you signed in.
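The scoped "keep me signed in" token described in the post above, sketched as an added example that is not part of the thread and not Fireteam's code. The scope names, the class name and the 30-day lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Hypothetical scope names; the thread does not name Fireteam's real ones.
SCOPE_WEB = "web-keep-signed-in"
SCOPE_GAME = "game-login"
SCOPE_ACCOUNT_CHANGE = "account-change"


class RememberMeStore:
    """Server-side store: keeps only a hash of each token, bound to one scope."""

    def __init__(self, lifetime_seconds=30 * 24 * 3600):  # assumed lifetime
        self.lifetime = lifetime_seconds
        self._records = {}  # sha256(token) -> (user, scope, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user, scope=SCOPE_WEB, now=None):
        """Create a large random token; the caller sets it as the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = (user, scope, now + self.lifetime)
        return token

    def authorize(self, token, wanted_scope, now=None):
        """Return the user if the token is valid for wanted_scope, else None."""
        now = time.time() if now is None else now
        record = self._records.get(self._digest(token))
        if record is None:
            return None  # unknown or revoked token
        user, scope, expires_at = record
        if now >= expires_at or scope != wanted_scope:
            return None  # expired, or presented outside the use it was made for
        return user

    def revoke(self, token):
        """Drop the token, e.g. on sign-out or password change."""
        self._records.pop(self._digest(token), None)
```

A copied cookie still signs the browser in until it expires or is revoked, but `authorize` returns `None` when the same token is presented for game login or an account change, which is where the password is asked for again.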
Can’t you make a token which is verified by the serial code of something of the pc so you can’t run away with the token? Maybe this is just too easy in my head. Something like a MAC address but non spoofable?
How does Google save your login with 2-step verification? Steam also does trusted PCs and requires a code if you log in from another computer.
If I understood Mits’ explanation in IRC Steam still relies on having a local token on the PC to say it has been authorised.
My question is whether someone stealing the token from your PC is any more or less likely than them installing a keylogger and just getting your password.
In a cookie, similar to our auth website. That’s why they ask you if you trust your computer. If you get access to a computer that was already trusted and save away the cookie you stole someone’s account for 30 days.
Steam Guard uses Intel’s IPT if available but has some sort of fallback for processors not supporting it. The way the IPT works is similar to Google’s authenticator in that it generates a random number once every few seconds off an initial seed which however is embedded into the hardware. I have not yet looked at how the IPT works, mainly because it only supports a subset of the hardware we want to support. As far as I know no AMD hardware supports it.
I think Steam Guard has a basic workaround for the lack of an IPT (MAC of primary network device?). If it does do that, then you could probably easily bypass Steam Guard that way.
We’re definitely keeping our eyes and ears open and maybe we just decide the security impact is not big enough.
What about a token for every launcher. Like Launcher 1 will only work with a token generated on launcher 1. Every launcher generates its own code. Would this be programmable without someone changing it?
And otherwise I wish that you smart people figure out a way to reduce the security risk enough!
Launcher has built-in WebKit, so can’t you use a website API URI in the background?
That’s how the majority of Fireteam APIs are already available, that however does not give or take anything security wise.
You guys at SD get the greatest level of security (i.e. non-leakage) by forcing the user to log on each time, since it is only them that know the code and by that practice you eliminate a major technical security concern of yours. Got it!
In other words: at the moment the security is your concern. When the game goes public, you will give us what asked for on the issue, because at that time the security will be our concern.

