Hello everyone! I am captainnana one of the web developers here at FTB, today we have joined facebook, google and may other sites in adding two factor authentication to our site.
Enabling two factor authentication is easy:
- Install Google Authenticator on your phone
- Hover over your username in the bar above (be sure you are signed in) and click on "Two factor authentication". Add a new key.
- Enter a description for your key.
- Open the Google Authenticator app.
- Tap menu, then tap "Set up account", then tap "Scan a barcode". (Alternatively you can enter the code manually)
- Your phone will now be in a "scanning" mode. While in this mode, scan the QR code.
- You now have two factor authentication enabled on your account; whenever you log in from now on you will need to open the app and enter the code shown for Feed The Beast.
Why do I want this?
Simple answer – It increases the security of your login: if your password were to become known to a third party (bad guy), they still wouldn't be able to log in without the code from your phone as well.
Long answer – There are many ways that a miscreant could get hold of your password: a key logger on your computer, a phishing attack, or a database hack on our servers. We take every measure possible to ensure that our servers don't get hacked, but it is always best to prepare for the worst, so we take several measures to make sure your passwords are secure. When you sign up and enter your password we hash the password using SHA256 twice, with a salt:
sha256(sha256(password) . Salt) - this is a one-way hash, which means that we do not know the password you entered; we can only check whether what you type in the next time you visit produces the same hash.
The salt is unique for each user. The issue with password-based key derivation, however, is that if a miscreant were to compute this hash, using that user's salt, for every dictionary word with, say, 0-99 appended to it, they would find out a lot of users' passwords! Unlike some other websites we use a unique salt for every single user, so the miscreant can't build the dictionary table once and check whether anyone has a matching hash; they have to repeat the work for each user, which is very time consuming. Even so, modern GPUs can do this incredibly quickly, so increasingly a salt alone is not enough. What can be done? Firstly, a strong password can be used; the best are randomly generated ones from a tool such as KeePass or LastPass, which ensures you can't fall victim to dictionary attacks. It is still possible to crack such passwords, but it takes a lot of time because the miscreant has to try every combination, and with the speed at which GPUs are advancing this could well become feasible in future. The second way to fix this problem is two factor authentication, which is what I have added to the site today. Put simply, you get a key from the server and combine it with the current Unix time in an algorithm to generate a pseudo-random string of numbers. Because both the server and your phone know the current time and the key (that's what you get from the QR code), they both generate the same string, so we know that you are the correct user and can allow the login.
Does FTB really need this? It's not like I am transferring national secrets on here!
Well, to put it plainly, no. But with miscreants becoming more advanced every day I want to stay ahead of the game. You don't have to opt into this system, but I have put it here to be future proof; in the coming months and years you will start to see a lot more sites using this system. Twitter is currently developing one, and Google and Facebook already have it. The great thing about it is that you only need one app for everything. I link to Google Authenticator in this post, but equally you could use Microsoft Authenticator or a third-party one if you so choose!
Thanks for reading. I'm sorry if this post was a bit technical, but I found this really cool and thought some of you might as well, so I decided to share it with you.
Captainnana