
Password Security and Mojang Transparency

Zaralith, Retired Moderator, Level 58 : Grandmaster Wizard
I recently received an email from Mojang notifying me that someone had attempted to gain access to my account and that my password had been reset to protect my account. The email went on to mention that Mojang had not been hacked, and that my password was "stored in a strongly encrypted format". While most of you here on PMC won't know this, I spend my days writing code, and that sentence does not make me feel like my data is safe, because I understand what the word encrypted means, and I know that when it comes to passwords, encryption helps, but is not much better than storing passwords in the open.

The reason for this is that encrypting something means scrambling it in a very specific way so that it looks like garbage to anyone looking at it. The problem is that whoever holds the key can use the same method to unscramble the information, and for passwords that should never be an option. If you run a Google search on password security, you will find endless blogs discussing the right way to store passwords and which programs and algorithms to use, but they all agree on a few things: storing passwords in plaintext (meaning exactly as typed) is the worst option, and encrypting them is not much better.

The proper way to store a password is with something called a salted hash. What this means is that you scramble the password in a way similar to encryption, but it cannot be unscrambled. The end result of not being able to read the password is the same, but you have the added security of making it nearly impossible to find out what the password originally was. A salt is a small piece of additional (random) data that is added to the password before this scrambling takes place, so that someone cannot simply precompute the hash of every likely password and look a stolen hash up in that list (a thing called a rainbow table).
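As an added illustration of the point above (this is example code, not part of the original post), the following Python uses only the standard library to show why a per-user salt defeats a precomputed table: the same password hashed without a salt is recovered by a single dictionary lookup, while two salted copies of it produce different digests that appear in no table. The password list and the "table" are constructed here for the demonstration.

```python
# Added example (not part of the original post): why the salt described above
# defeats a precomputed table. Standard library only; the password list and
# the "table" are constructed here for the demonstration.
import hashlib
import os

# A constructed stand-in for a rainbow table: unsalted SHA-256 digests of
# common passwords, keyed by digest so a stolen hash is reversed by lookup.
COMMON_PASSWORDS = ["password", "123456", "minecraft", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """Hash with no salt: identical passwords give identical, lookup-able digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Mix a per-user random salt into the input before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def reverse_by_lookup(digest: str):
    """Recover the password from a digest if it is in the precomputed table, else None."""
    return PRECOMPUTED.get(digest)


def compare_storage(password: str) -> dict:
    """Store one password unsalted and salted twice; report what a table lookup yields."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    unsalted = unsalted_hash(password)
    salted_a = salted_hash(password, salt_a)
    salted_b = salted_hash(password, salt_b)
    return {
        "unsalted_recovered": reverse_by_lookup(unsalted),  # the password itself, if common
        "salted_recovered": reverse_by_lookup(salted_a),    # None: not in any prebuilt table
        "same_password_same_digest": salted_a == salted_b,  # False: salt differs per user
    }


if __name__ == "__main__":
    print(compare_storage("minecraft"))
```

The salt only removes the attacker's ability to precompute or share work across accounts; with a fast hash like SHA-256 each account can still be guessed at individually, which is why real password storage adds a deliberately slow function with a cost parameter, such as the bcrypt discussed in the comments.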

With this knowledge in hand, I went to Mojang support, as suggested in the password reset email, to ask if this is what they meant by strongly encrypted, since I understand that most people who don't deal with computer security regularly would not know the difference between encrypted and hashed. I was hoping they would respond with a quick "Ya, we hash them like McDonald's breakfast" and I would go on my merry way. What happened instead is that Mojang support told me they could not discuss that for security reasons. While it is reasonable not to tell me which program or algorithm was used to scramble my password, not being able to tell me whether they can unscramble it is not.

As Microsoft recently purchased Minecraft for no small amount of money, I tried contacting their support team, as they might be able to provide more information. While they were helpful, the only information they could provide about Mojang and passwords was a link to their FAQ about making a good password, which can be seen here. If you have not yet checked out that article, do so and make sure you follow it, as there is good information in it. The problem is that the article also does not mention whether passwords are stored encrypted or hashed.

I decided to write this post because I believe I have run out of options for getting an answer from Mojang staff about the security of my password data in the event of a data breach. While I follow the password guidelines and don't have much to lose beyond my Minecraft account password, I know that our community has more than 20 million players on PC alone and more than 100 million registered accounts, and that number is growing. While searching for basic information about this, I stumbled upon a Mojang blog post from January 2015 which mentions that passwords are "super encrypted". I found it through the Reddit thread it was linked from, and many of the arguments I have listed here were made in that discussion as well (thread can be found here). While there was an official response to some of the comments, it addressed accounts that had been compromised, not the password policy.

Everyone has heard about Minecraft accounts getting hacked in the past; it happens, though usually because someone downloaded a shady Minecraft client or installed bad mods, and so far it has not been the result of a breach of Mojang's databases. With that said, nobody is unbreachable, as massive breaches at companies like Twitch, Sony, and Nintendo prove year after year (List of hacks). With the massive size of Minecraft and its $2 billion acquisition by Microsoft, they will eventually be targeted, and how securely they store their data will determine how bad the eventual breach is. I hope everyone joins me in asking Mojang to be transparent about how our data is stored and to let us know whether our password information is safe.

~Zaralith


1
03/09/2018 4:37 pm
Level 34 : Artisan Wolf
SpacePuppeh
Helpful information, I agree that companies are too vague about their security practices. Especially after inquiring you'd think they'd divulge something – by not doing so, they actually weaken their security appearance as you have demonstrated.
1
06/15/2016 5:18 pm
Level 1 : New Taco
Darklord__GabeN
PHP already has a built-in one-function password hashing tool, and with the right settings it is better than coming up with your own method. Why do people go through the trouble of that when there's a function that can do it 10 times better?
1
06/18/2016 11:34 am
Level 58 : Grandmaster Wizard
Zaralith
The PHP password_hash() function uses the bcrypt algorithm, which is widely listed as one of the better hashing algorithms because of the inclusion of a cost parameter. The bcrypt algorithm is not unique to PHP and most languages have some implementation of it, such as the bcrypt Python package, the bcrypt-ruby gem for Ruby, and the jBCrypt Java library. Why people use other algorithms or weaker algorithms like MD5 and SHA1 is almost certainly due to a lack of knowledge that those algorithms are insecure, or using outdated tools. Knowledge of cryptographic methods and the state of the art is almost certainly not something that many developers have a lot of knowledge in, which is why larger projects that are concerned about security will usually hire a person specifically to work on security, usually both physical and programmatic.

Going back to PHP having a function, PHP is a web language that is not available outside of use on the internet for the most part, and when building a piece of software, you would need to find the appropriate library like those I mentioned earlier. Additionally, even on the web, a large portion (and I hope growing portion) is no longer using PHP because of the various issues with the language in general and other options being more available such as JavaScript, Ruby, and Python. PMC is currently coded in PHP for those that are interested, and the availability of the functions mentioned here is certainly an aid to the site.

~Zaralith
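As an added example for the reply above (not code from the original post, from PMC, or from PHP itself), the following Python shows the three roles that PHP's password_hash(), password_verify() and password_needs_rehash() play: a salted hash with a tunable cost parameter, a constant-time verify, and a check that lets the stored cost be raised at login time as hardware gets faster. It uses PBKDF2-HMAC-SHA256 from the standard library instead of bcrypt so it runs with no extra packages; the `pbkdf2_sha256$iterations$salt$digest` storage format and the iteration counts are assumptions chosen for the demonstration.

```python
# Added example (not from the original post or the PMC code base): a salted,
# iterated password hash with a tunable cost, mirroring the roles of PHP's
# password_hash() / password_verify() / password_needs_rehash(). It uses
# PBKDF2-HMAC-SHA256 from the standard library instead of bcrypt so it runs
# with no extra packages; the 'pbkdf2_sha256$iterations$salt$digest' storage
# format and the iteration counts are assumptions chosen for the demo.
import base64
import hashlib
import hmac
import os
from typing import Tuple

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000  # the cost parameter; raise it as hardware gets faster


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing string: algorithm, cost, salt and digest."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def _parse(stored: str):
    """Split a stored value back into (iterations, salt, digest)."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash format: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored hash was made with a lower cost than the current target."""
    iterations, _, _ = _parse(stored)
    return iterations < target_iterations


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login and, on success, upgrade an under-cost hash transparently.

    The plaintext password is only available at login, so that is the one
    moment a stored hash can be recomputed at a higher cost.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)
    return True, stored


if __name__ == "__main__":
    record = hash_password("correct horse battery", iterations=10_000)  # old, cheap hash
    ok, record = login("correct horse battery", record)
    print(ok, needs_rehash(record), record.split("$")[:2])
```

Storing the cost inside the record is what makes the upgrade path work: verification always uses the parameters the hash was created with, and the system can raise the default for new and re-hashed records without ever needing the old plaintext in bulk.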
1
05/04/2016 8:14 pm
Level 48 : Master Pokemon
Devee
Just be lucky you received an email and Mojang automatically reset your password. They didn't do that 3 months ago.

Also, I highly doubt your password just got stolen because Mojang doesn't use strong encryption. Next time, make sure your password is secured.

I suggest you check HaveIBeenPwned.com to see if any passwords for any other accounts you used have been hacked.
1
05/04/2016 10:46 pm
Level 58 : Grandmaster Wizard
Zaralith
I didn't get my password reset because my password was stolen, I got my password reset because someone attempted to brute force it (I assume). It is an issue though that they reset my password without asking me if I wanted them to. I am all for getting a notification that someone has attempted to get into my account (multiple failed attempts to log in, etc.), but since they automatically changed my password because of that, it means that anyone can just do a simple DoS attack on another account by simply attempting to brute force their password, which is not exactly a good idea.

~Zaralith
1
05/05/2016 6:29 pm
Level 48 : Master Pokemon
Devee
Not sure where you're getting your information, but password resets only occur when somebody has logged into your account from a distant IP. This was in effect sometime in Feb, if I can recall, along with the security update of removing players' session IDs from the crash log. I call it the session-stealing update, since it ended all session stealing.

But, do me a favor and delete this and the other post from your blog. I don't want people thinking you're wrong in any way - besides, the information you spread isn't hurting anyone from the hacker community other than making us look more scary.

Edit: Also, my compliments for responding within 2 hours.
1
05/05/2016 10:18 pm
Level 58 : Grandmaster Wizard
Zaralith
My information comes from an email from Mojang that was sent to me about a month ago, relevant part quoted below:

"We suspect that your Mojang account email and password may have been compromised. To prevent unauthorized use of your account we've reset your account password."

It would be impossible for a session theft to have happened near that time because I have not logged in to my Minecraft account in months, so there is no session to steal, and my password for Minecraft is unique, so any other breach would not affect it. Of note, I was aware of my being on the Adobe list, but apparently that email was also on the Nexus mods list, and my other was on the XSplit breach. None of those are strongly associated with Minecraft, and the passwords to those services were different from what I used on my Minecraft account.

If the change was because of a distant login, I would like to have been informed of that instead of just getting a generic 'Possible Hax!' message from Mojang. Either way, the hacker community does not need my help to be scary to anyone that pays attention to the state of digital security. Every time I watch Mikko give a talk I get a little more paranoid...

~Zaralith
1
05/04/2016 10:12 am
Level 40 : Master Pokemon
Chellizard
Nice knowledge, Zar!
1
05/04/2016 10:47 pm
Level 58 : Grandmaster Wizard
Zaralith
Thanks, it's part of my side job (because we all know my day job is destroying worlds).

~Zaralith
1
05/06/2016 6:28 pm
Level 40 : Master Pokemon
Chellizard
(:
Planet Minecraft (www.planetminecraft.com) © 2010 - 2024