Account security

I received an email from Tardigrade stating that somebody was trying out username/password combinations in an attempt to gain access to Tardigrade accounts.

This got me wondering. What could an attacker hypothetically do if they did successfully gain access to my account? What information would be made available to them? Why would they want access to an account? So they could get free storage?

From what I can tell the only information about my stored data that is accessible is the bucket names along with the total size of the data and the number of objects stored in it.

API key names are displayed along with an option to delete the API key. If an attacker deleted an API key from the website, would anything happen to my stored data or my ability to access it? If not, what is this delete feature for?

If it is deleted, you will lose access to the data.

He can change the password and start to ask for money to get the data back.
Is your credit card data there also?

1 Like

Strong passwords are necessary until web devs start using crypto wallet keys for authentication…

I use this program to generate long random passwords:

https://pwsafe.org/

The interface is clunky, but it’s a decent standalone generator which stores all passwords in an encrypted local file. If you use this program as well… you’ll need to either copy and paste passwords each time or have your browser save the passwords for each website.

I pine for the day when devs implement something like the following:

https://www.toptal.com/ethereum/one-click-login-flows-a-metamask-tutorial

So, we can all no longer worry about password hashes, hopefully salted properly, sitting in some SQL-injection-vulnerable database.

This is a good question!

The key thing to point out is that as long as your encryption passphrase is long and unguessable, even if someone logs into your account, your data is safe.

One thing we don’t know (because we don’t have any data about encryption passphrases) is how often people use the same encryption passphrase as their account password. If this happens and someone guesses the account password, then they have that user’s encryption passphrase too. It’s vital that users choose strong encryption passphrases.

Otherwise, if a new user logs into your account, they will be able to see your bill and make new API keys. They won’t be able to see or use existing API keys, but new API keys still have the ability to create new buckets, upload new data, and delete existing buckets and data, even if the encryption passphrase is different.

They would also be able to delete existing API keys as you ask, which would make it so API keys you were using stopped working. If all they do is delete an API key, your data would still be there, and making a new API key would restore your access (after you changed your passwords and revoked their API keys of course).

Ultimately, your data is safe due to end-to-end encryption, but we do want to protect users from these other issues. We are planning on adding support for 2FA soon.

Anyway, hope that helps!

5 Likes

This doesn’t seem to be the case. Since the email address can’t be changed, you can always request a password reset to recover your account. Then you would just need to create a new API key and you can access your data again with the same passphrase used before.

1 Like

Do you support 2FA such as Google Auth etc.?
If yes, then technically an account could never be breached unless it was an internal database breach via Storj rather than a customer password being breached.

EDIT: Skipped the ending, then saw you mentioned 2FA support will be added 👍