
Disable automatic player lock after too many failed login attempts

Automatic player lock after N failed login attempts is a REALLY bad practice, and here is why.

Consider this situation:

- You have your game and in-game admins/moderators that can ban players who violate the rules

- Their display names most likely will match their logins

- Anyone can start trying to log in under their account. One can even set up a bot to do that

- Now your moderators/admins can't sign in. Even if you unlock them through Cloud Code, the attacker will keep spamming incorrect passwords and will keep locking them out.

- The attacker starts anarchy in the game or game chat and you have no moderators to ban them


Can you see the problem?

Locking someone's account after N failed attempts is a really bad practice. The password brute-force problem should be solved by requiring users to create complex passwords.

Player account state should NOT depend on the actions of other players. The golden rule of online game development: if something can be abused, it will be abused.

Back in the 2000s, popular forum engines had the same functionality, and people used to troll by abusing it and locking out forum moderators and administrators. Today, most web software doesn't use this practice and instead uses a captcha if an IP address has sent too many failed login attempts.


I would suggest that this functionality be removed. If you can't remove it, at least give us the possibility to turn it off for our games, since player.unlock() is not a solution when someone is using a 24/7 bot to spam incorrect passwords.



Hi Leonid,


We've never had an issue with this functionality before. You made the point "Their display names most likely will match their logins". You could avoid this scenario if you make sure that a userName and displayName are never the same for a user. You can achieve this in Cloud Code. A user should never be in a position where they can easily guess an admin's userName and do this. We'll raise this with the dev team for you.


Thanks,

Liam

If you have never experienced the issue, it doesn't mean that the problem doesn't exist. This can be said about any security issue.
This is a security breach that opens a possibility for an attacker to perform a Denial of Service attack against any user by knowing their username, and there is nothing that you as a game owner can do about it.

You say that we should make sure that userName and displayName are never the same. Although you can enforce this for your "admins" or "moderators", this problem doesn't affect admins only. I just gave you the most extreme example.
I have experience working with competitive online games, and I can assure you that in a competitive environment players will do anything to win, even if that includes performing a DoS attack against their opponent at the right time.

What I am saying is that it is not realistic to make sure users will make up two completely different keywords for their username and password. Most users have one nickname that they use as their login and username. If you don't believe me, please make a query against your whole database and see how many userNames are different from displayNames. I can assure you that in 90% of the cases they will be the same. Even if you hardcode the check, they will simply add "1" at the end of their nickname or change the case, which doesn't help and allows an attacker to guess their username pretty easily. Additionally, this could be a potential obstacle for new users. In the highly competitive environment of the mobile market, some players will choose not to play your game if you ask them to do something they are not used to, including making up two different user names.
An explanation like "your username should be secure and no one should know it" is odd; the password should be secure, not the username.

I know that this technique of locking down the account is used in other places, for example in online banking. However, keep in mind that in online banking usernames are usually random and there is no interaction between users. I have seen an online game that tried to enforce a random username/password for its users, but this could be a major obstacle for your returning players.

Again, the problem of account brute-force should be solved by enforcing complicated passwords, not by locking down the account. In competitive games, account state should never depend on the actions of others, otherwise it will be abused.

Hi Leonid,


We understand your point of view on this issue. You can implement your own more complicated password system if you would like to. The system offers basic userName/password registration, but you can build upon this if you don't think it suits your needs. The RegistrationRequest or AuthenticationRequest Cloud Code scripts would be the place to do this. A crude example is posted below. Basically we are grabbing the password string submitted by the player during their RegistrationRequest. If it's less than 5 characters we set a custom error and exit the Registration process. In instances where the password is <= 5 characters a new player won't be created. You can add your own logic here to make sure a newly registering user supplies a password that is secure enough for your requirements.


// RegistrationRequest Cloud Code: reject passwords of 5 characters or fewer before the player is created
if (Spark.getData().password.length <= 5) {
    Spark.setScriptError("error", "password not long enough. player not registered");
    Spark.exit();
}


You could then implement a similar check in the AuthenticationRequest and do the same. If the supplied password doesn't match the format that you enforce your players to use upon registration, then simply exit from the Authentication process. This would help prevent the repeated errors which would lead to an account being locked. Using Social authentication would bypass this issue altogether.


Regards,

Liam
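An added example (not code from this thread or from GameSparks) of the policy check Liam describes, shared between the RegistrationRequest and AuthenticationRequest scripts. Only Spark.getData(), Spark.setScriptError() and Spark.exit() from the reply above are used; the thresholds, the FakeSpark stand-in and demo() are assumptions so the hook can be run offline.

```javascript
// Added example (not GameSparks' own code): a password policy shared by the
// RegistrationRequest and AuthenticationRequest Cloud Code hooks described above.
// Only Spark.getData(), Spark.setScriptError() and Spark.exit() from the thread
// are used; the policy thresholds and the FakeSpark harness are assumptions.

var MIN_LENGTH = 10;

// Returns null when the password satisfies the policy, otherwise a reason string.
function passwordPolicyError(password) {
  if (typeof password !== 'string') return 'password missing';
  if (password.length < MIN_LENGTH) return 'password must be at least ' + MIN_LENGTH + ' characters';
  if (!/[a-z]/.test(password)) return 'password needs a lowercase letter';
  if (!/[A-Z]/.test(password)) return 'password needs an uppercase letter';
  if (!/[0-9]/.test(password)) return 'password needs a digit';
  return null;
}

// Body of the RegistrationRequest / AuthenticationRequest script. In Cloud Code
// `spark` would be the global Spark object; it is passed in here for testing.
// Returns true when the request may continue, false when it was aborted.
function enforcePasswordPolicy(spark) {
  var reason = passwordPolicyError(spark.getData().password);
  if (reason !== null) {
    // On AuthenticationRequest this exits before the credentials are checked, so
    // a password that can never satisfy the policy is not counted as a failed login.
    spark.setScriptError('password', reason);
    spark.exit();
    return false;
  }
  return true;
}

// Constructed stand-in for Spark so the hook can run outside Cloud Code.
function FakeSpark(requestData) {
  this.data = requestData;
  this.errors = {};
  this.exited = false;
}
FakeSpark.prototype.getData = function () { return this.data; };
FakeSpark.prototype.setScriptError = function (key, value) { this.errors[key] = value; };
FakeSpark.prototype.exit = function () { this.exited = true; };

function demo() {
  var weak = new FakeSpark({ userName: 'moderator', password: 'short' });            // constructed
  var strong = new FakeSpark({ userName: 'moderator', password: 'Correct-Horse-42' }); // constructed
  return { weakAllowed: enforcePasswordPolicy(weak), strongAllowed: enforcePasswordPolicy(strong), weakErrors: weak.errors };
}
```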

I understand that I can implement a password strength check using Cloud Code.

What I am asking for is an option to disable the automatic account lock after N failed login attempts, because this lock opens a possibility for anyone to perform a DoS (Denial of Service) attack against any other user by only knowing their username. If someone spams incorrect passwords in real time, I as a game administrator can't do anything to unlock that user.


Hi Leonid,


We'll raise this with the dev team for you.


Thanks,

Liam

Any update on this topic?

Yeah, this is pretty important. Please provide an update.


It would be nice if the Request section of an API call could overwrite the original request. This way we could log in via "email" and use an email lookup to insert the correct username for the Auth Request to use instead.

This is a bad feature, please allow us to turn it off.
