EVE Online account security - Part 1 - Pwned Passwords
Sitting in our Reykjavik offices last April, I read one of Troy Hunt's blog posts about Pwned Passwords mentioning how he launched V2 of his API, allowing anyone to check their passwords to see if they had been included in known security breaches.
I thought how cool that feature was and how it would be useful to increase a user's sense of security. It could also let people know if their accounts were in danger of being taken over, and then an idea hit me! We could actually do that check for our EVE Online users during login and then prompt them to let them know that they should change their passwords. Aha!
But first I needed to be sure that we wouldn't be accidentally exposing our users' security credentials to a third-party service, so I read up on how it worked.
Thankfully, it didn't take long to see that there was pretty much zero chance of us leaking our users' credentials, so I spent a Friday afternoon and whipped up a quick prototype on my local development build of the SSO.
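What removes the leak risk is the V2 API's k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of that hash, and compares the returned hash suffixes locally, so neither the password nor its full hash ever leaves the server doing the check. The following Python is an added illustration of that flow, not CCP's SSO code; the range response body and its counts are constructed, and the `fetch_range` callable is an assumed injection point for the HTTP call.

```python
from __future__ import annotations
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response: each line is the
# remaining 35 hex characters of a SHA-1 hash plus a breach count. Real responses
# hold hundreds of lines; the suffixes and counts here are made up, except that
# the middle line is the real SHA-1 suffix of the string "password".
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

PREFIX_LEN = 5  # the API accepts exactly the first 5 hex chars of the SHA-1


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): only the prefix is ever transmitted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table, ignoring blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real network call (assumed not used in offline runs). A User-Agent is set
    because the public API rejects requests without one."""
    assert len(prefix) == PREFIX_LEN
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-sso-check"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """Number of times the password appears in known breaches (0 = not found).
    The suffix comparison happens here, locally, never on the remote side."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

At login the SSO would call `pwned_count` with the submitted password and, on a non-zero result, show the user the change-your-password prompt described above.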
I then posted a small sneak-peek tweet about it to our users.
WIP: Helping our @EveOnline players to be aware if their passwords are on a list of known compromised passwords. Thanks @haveibeenpwned ! CC: @troyhunt #tweetfleet #security #workinprogress pic.twitter.com/miovu6g25q
— Stefán Jökull Sigurðarson - CCP Ghostrider (@stebets) April 27, 2018
Apparently Troy found this pretty interesting, so soon after that tweet he got in contact with me and a discussion started between us on an optimal implementation. The discussion eventually involved Junade Ali at Cloudflare as well, since Troy's API is fronted by them. Junade made some tweaks on the CDN side of things which improved things even further. Junade has also just released a blog post on some of those improvements, in case you are interested in reading up on that.
Over the next few days I worked with our awesome Customer Support people at CCP on finalizing messaging and translations until we then launched the feature on May 2nd.
And we're live on TQ! Just English for now (translated versions coming in the next few days) but we're now actively notifying pilots when logging in either through the launcher or websites. Fly safe capsuleers! CC: @EveOnline @troyhunt #tweetfleet https://t.co/rXJrdxmhaC
— Stefán Jökull Sigurðarson - CCP Ghostrider (@stebets) May 2, 2018
The launch went incredibly well, and the feature has been very well received. In the next blog posts I will go into more technical details and share some code snippets, statistics and our future plans for better account security. Stay tuned, there's good stuff coming ;)