This discussion dates from before the API introduction, at a time when a user needed his account password to use EVEMon. Candidate for deletion.
EVEMon Password Security
(See also Ticket #299)
Note that the plan is to only do this work for the EVE Online Username/Password. IMHO, the Email Server and HTTP Proxy credentials are not valuable enough to warrant protecting them in the same way.
Today
EVEMon stores the Username & Password for your EVE Online accounts in order to access data about your character and skill training. The password is only partially protected: it is encrypted with an encryption key equal to the username before being written out to XML. The password is also held in plaintext in memory in a number of locations in the code (EveSession.cs, ChangeLoginWindow.cs, CharacterMonitor.cs, LoginCharSelect.cs, MainWindow.cs, ICharacterSettings.cs).
LoginCharSelect and ChangeLoginWindow only gather/store the Username/Password for use by EveSession. CharacterMonitor only touches the U/P for ChangeLoginWindow and for passing to EveSession when updating character data. MainWindow only touches the U/P for LoginCharSelect. ICharacterSettings touches the U/P only for storage/retrieval.
In looking at this code, if EveSession had the built-in knowledge to find/store/manage the U/P, no other class in EVEMon would need to know about them at all.
Vulnerabilities in today's code:
- Anyone who can get to your Settings.xml file can get your password trivially. This means your password is exposed if you lose your USB key, if you get a trojan running under a limited process (e.g. via a Windows service compromise such as file sharing or SQL Server Express or ...), or if someone has any level of physical access to the machine and can boot an NTFS reader.
- The current system offers a "false sense of security". End users (and even developers on EVEMon) feel "more secure" when they see that the password is a jumble of letters and numbers rather than plaintext. In reality, anyone who wants to harvest EVE accounts for $$$ will do the work of realizing that the password is symmetrically encrypted using the username as the key, and the username is stored right next to the password in the settings.xml file. You might as well leave the password in plaintext; that way you'll still have happy EVE account harvesters, but at least the users will be a little more shocked. Given the prevalence of the EVE Online warning "Note: keyboard loggers are being used to harvest passwords" (which I also saw on WoW when I played that), account harvesting is a real threat, especially as EVEMon becomes more popular.
Tomorrow
The crux of this work will be:
- Redesign EveSession so it encapsulates all Username/Password knowledge. Remove all references to the EVE Online Username/Password from everywhere else.
- Use the Credential Management API, as wrapped in PromptForCredentials and CredentialSet. With CredentialManager, the credentials are encrypted with a "Windows Identity" based key which means the credentials can only be obtained when a program running under your login accesses the store.
- Remove the Password from the Settings file. Leave the Username so that we have a way of storing multiple username/password pairs.
- Support USB roaming with password(s) by using an accounts file to store the password(s). If the password is not found in the credential store, we will check for an accounts.xml file next to EVEMon.exe. If the accounts.xml file contains the username/password, we will use that instead of showing the login dialog. We will store the password in plain text in order to make it easy for the USB roaming user to hand-edit the file to add the username/password. The XML format will be simple: <Accounts><Account Username="Nimrel" Password="0wn3d" /></Accounts>
Adding a Character
- Text field containing "EVE Online Username" is filled in
- Press "Select EVE Character" button from LoginCharSelect
- A new EveSession is created
- PromptForCredentials will be called passing in the Username.
- If a password has already been stored for this username, it is used.
- If no password has been stored, a UI dialog will show with EVEMon logo, asking for Username/Password for EVE Online.
- User enters Password for the Username and decides whether to click on "Save Password" checkbox.
- Dialog allowing selection of characters for that account is presented
Updating Character Information
- EveSession will use the Credentials Manager to look up the Password associated with the character's EVE username.
- If a password is saved, it will be used automatically.
- If a password is not saved, a Prompt For Credentials dialog box will be shown.
- If the password is incorrect, the Credentials Manager password will be cleared (if one exists) and the Prompt For Credentials dialog will be shown again.
Changing a Password
- Change the Password using EVE Online UI.
- When the next EveSession is created, it will attempt to use the old password.
- This will fail, and EveSession will automatically clear the saved password out of the Credentials Manager.
- A new Prompt For Credentials dialog will be shown. User can now enter the correct password and click on "Save" checkbox.
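The lookup order from the "Tomorrow" list and the three flows above (Credential Manager first, then accounts.xml next to the executable, otherwise prompt; clear the stored entry after a rejected password), as an added example that is not EVEMon's own code. The "EVEMon:" target-name prefix, the class and method names, and the promptUser callback are assumptions made for this illustration; the Win32 calls are the documented CredRead/CredDelete/CredFree functions.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Xml.Linq;
// Added illustration of the design above, not EVEMon code. The "EVEMon:" prefix is an assumption.
static class EveCredentialLookup
{
    const string TargetPrefix = "EVEMon:";
    const int CRED_TYPE_GENERIC = 1;
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDENTIAL   // field order of the Win32 CREDENTIALW structure
    {
        public int Flags; public int Type; public string TargetName; public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public int CredentialBlobSize; public IntPtr CredentialBlob; public int Persist;
        public int AttributeCount; public IntPtr Attributes; public string TargetAlias; public string UserName;
    }
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredRead(string target, int type, int flags, out IntPtr credential);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredDelete(string target, int type, int flags);
    [DllImport("advapi32.dll")] static extern void CredFree(IntPtr buffer);

    // Password saved under the current Windows account for this EVE username, or null if none.
    public static string FromCredentialStore(string username)
    {
        if (!CredRead(TargetPrefix + username, CRED_TYPE_GENERIC, 0, out IntPtr p)) return null;
        try
        {
            var c = Marshal.PtrToStructure<CREDENTIAL>(p);
            return Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2); // blob is UTF-16
        }
        finally { CredFree(p); }
    }
    // USB-roaming fallback: <Accounts><Account Username="..." Password="..." /></Accounts>
    public static string FromAccountsFile(string username)
    {
        string path = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "accounts.xml");
        if (!File.Exists(path)) return null;
        foreach (var a in XDocument.Load(path).Descendants("Account"))
            if ((string)a.Attribute("Username") == username) return (string)a.Attribute("Password");
        return null;
    }
    // After EVE rejects the password: drop the stale entry so the next session prompts again.
    public static void ClearSaved(string username) => CredDelete(TargetPrefix + username, CRED_TYPE_GENERIC, 0);
    // Full lookup order; promptUser is the "Prompt For Credentials" dialog supplied by the caller.
    public static string Resolve(string username, Func<string, string> promptUser) =>
        FromCredentialStore(username) ?? FromAccountsFile(username) ?? promptUser(username);
}
```

Note that FromCredentialStore succeeds for any process running as the same Windows user, which is exactly the limitation listed under Threats below.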
Threats
- CredentialManager stores the Username/Password in the Credential Store. The Credential Store encrypts the password using the Windows User Account credentials for protection, but any other program running under the same Windows User Account can access the unencrypted password(s).
- Even if we managed to double-encrypt the password in the Credential Store, EVEMon's open source development model would readily reveal the second encryption key to even casual hackers.
