Recovering KoL password from mafia?

fianor

Member
I got busy in rl for a few months and haven't been able to play. Just before I went inactive there was some issue with account passwords being possibly hacked and we were all told to change our passwords. Well I did and my "new" password for KoL is saved in mafia. So I can log in with mafia, but I have forgotten what I changed the password to as it's apparently not something I normally use. I use LastPass to manage my accounts, but I guess I never logged in with the new password directly for LastPass to save it. Is there a way to see what password mafia has saved for me?


On a side note, I can't tell you how much I hate password boxes obfuscating my saved passwords or even worse as I type them ... hate hate hate the dots/asterisks ...
 

Veracity

Developer
Staff member
No.

As a proof of concept, I wrote a 15 line patch to add a command to do that, but I'm not sure it's a great idea to submit. If you share your computer with your little brother and, for some reason, have "save passwords" checked, do you want to give your little brother an easy way to find out your password?

You can always go to KoL itself and ask it to reset your password. It will e-mail instructions to the email address you have associated with the character.
 

fianor

Member
I can reset my password directly from options in the relay browser also. I just didn't want to. I have 4 multi's and they all have the same "new" password. So I have to reset it on all of them if I do that. I just wanted to update my password in LastPass with the current correct one and be done with it if I could.

I don't share my computer with anyone, I don't know anyone else in rl who plays kol and especially not that would have enough sense to use mafia to do so. If I were requesting a patch, I suppose I'd just be looking for a checkmark in prefs that turns off the damn dots hiding my password from me.

I was mostly just wondering if it was saved in one of the text files in the mafia folder that I could just read, but I'm guessing that's a no or veracity wouldn't be talking about patches.
 

Catch-22

Active member
I was mostly just wondering if it was saved in one of the text files in the mafia folder
Yes.
that I could just read
No.

The preference is saveState.charname in GLOBAL_prefs.txt, but it's stored as an integer representation of the UTF-8 hex codes that make up the characters in your password. Not exactly secure but, in keeping with Veracity's example, it's going to stop your little brother from easily finding out your password.
 

fianor

Member
That makes a minor amount of sense to me. Now I just need to figure out how to read "an integer representation of UTF-8 hex codes", which is turning out to be harder to find than I thought at first glance.

Thanks
 

Veracity

Developer
Staff member
I'm not sure why I am helping you, since you have been, to my eye, repeatedly insulting in this thread, but what the heck.

Here is a patch to add the "test password [name]" CLI command. Install it in your copy of the source, rebuild, execute.
If you can't or won't build from the source, you will have to find a different solution.

Code:
Index: src/net/sourceforge/kolmafia/textui/command/TestCommand.java
===================================================================
--- src/net/sourceforge/kolmafia/textui/command/TestCommand.java	(revision 10379)
+++ src/net/sourceforge/kolmafia/textui/command/TestCommand.java	(working copy)
@@ -61,6 +61,21 @@
 		String[] split = parameters.split( " " );
 		String command = split[ 0 ];
 
+		if ( command.equals( "password" ) )
+		{
+			if ( split.length < 2 )
+			{
+				KoLmafia.updateDisplay( KoLConstants.ERROR_STATE, "What character?" );
+				return;
+			}
+
+			String username = parameters.substring( parameters.indexOf( " " ) + 1 ).trim();
+			String password = KoLmafia.getSaveState( username );
+
+			KoLmafia.updateDisplay( "Password = " + password );
+			return;
+		}
+
 		if ( command.equals( "load" ) )
 		{
 			if ( split.length < 2 )
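Review bot: the result of `KoLmafia.getSaveState( username )` is used without a null check, so if no password is saved for that name (or the name does not match the stored key) the command prints "Password = null" rather than an error; add `if ( password == null ) { KoLmafia.updateDisplay( KoLConstants.ERROR_STATE, "No saved password for " + username ); return; }` before the final `updateDisplay` call. Since the plaintext is emitted through `updateDisplay`, it will also appear wherever that CLI output is echoed or recorded, which deserves a comment next to the command.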
 

fianor

Member
I have no idea where I came off as insulting, I'm probably just too much of an asshole to see it, but as I apparently have I certainly didn't mean to and apologize for having done so.

Thanks for the code, I've not tried compiling from the source code before. In fact it's been a long time since I compiled any code, but I'll give it a try. Thank you, and again, sorry if I came off as insulting anywhere.
 

StDoodle

Minion
On a side note, I can't tell you how much I hate password boxes obfuscating my saved passwords or even worse as I type them ... hate hate hate the dots/asterisks ...

This probably didn't help with coming across reasonably... since you were basically saying that the devs did something wrong, when in fact they were following industry best practices.
 
So, a friend of mine has also seemed to lock herself out of vanilla KoL, and after reading this I was inspired to go through the steps in getSaveState to recreate her password, starting with a known password (mine) to make sure I'm doing it right.

Now, I can't figure out what I'm doing wrong, or if there's some sly trick mafia is pulling, because I get very close, but there seem to be a few characters missing from every password I've tried.

Starting with the number found in the GLOBAL file, after the first conversion, I'm getting some non-hex characters.
For an account I never use anymore, I start with this number: 1339943979051213454243694
Converted I get 62756666628SGSSO (notice those bigger-than F letters) and then into ASCII I get "buffb???" The password is, creatively, buffbot. Yet I seem to be consistently getting bad hex values for the last few characters in every password.

Am I doing something wrong?


As to the OP's desire to not have his password obfuscated by dots/asterisks I am truly sorry, as I have not seen a password prompt in YEARS in -any- interface whatsoever that has actually shown the characters as typed. Seems odd to me that you'd be using a tool that not only stores but also allows you to conveniently keep very strong passwords and at the same time let anybody walking by see what it is.
 

Catch-22

Active member
Yet I seem to be consistently getting bad hex values for the last few characters in every password.

Well... They're not hexadecimal values, they're sexatrigesimal *snickers* values. AKA base-36.

Your last 3 numbers (from 8S GS SO) in decimal would be 316, 604, 1032. In UTF-8 your password comes to buffbļɜЈ... In other words, I think something borked :)

My guess is you are using the incorrect radix somewhere in your conversion process.

Edit: If you change your password to buffbļɜЈ, you'll break KoL and have to reset your password, haha. Apparently KoL doesn't like unicode in passwords...
 
Well... They're not hexadecimal values, they're sexatrigesimal *snickers* values. AKA base-36.

Your last 3 numbers (from 8S GS SO) in decimal would be 316, 604, 1032. In UTF-8 your password comes to buffbļɜЈ... In other words, I think something borked :)

My guess is you are using the incorrect radix somewhere in your conversion process.

Edit: If you change your password to buffbļɜЈ, you'll break KoL and have to reset your password, haha. Apparently KoL doesn't like unicode in passwords...

Aside from the rare coincidence, I think you'll find that using the wrong radix at some point in the conversion process would give you a completely bad decryption, not one that is correct for the first few values and then bails out near the end (consistently with all my passwords).
Go ahead and try the conversion on the password "hash" I provided and if you can make it work, then please please tell me your process.

One thing I hadn't considered until *just* now is that the systems I was using to do the conversion couldn't handle the original very large input and had a loss of precision in the tail end (which would explain how I got "buffb" and then non-hex for the last two characters) but I tried with different converters and got the same result (which is why I overlooked this possibility).

I'm not sure how Java handles integer/string conversions but even if that isn't the problem I'm experiencing I'm just wondering what the character count limitation would be for mafia to continue storing passwords in the fashion that it does.

HUH!
Seems the converters I was using to get from Decimal to base 36 were the problem (they were giving 62756666628SGSSO, compared to my 62756666626F7432 today), but I just found a website (too lazy to code it) that actually converts them properly. Thanks for the help anyways!
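The scheme Catch-22 describes (the decimal integer in GLOBAL_prefs.txt is the password's UTF-8 hex digits read as a base-36 number) and the lost-precision converter problem StDoodle ran into, as an added Python example; this is not KoLmafia's code nor the class that was sent by PM, and SAMPLE_STORED is simply the number quoted above in the thread.

```python
# Added example (not KoLmafia's own code): decode a saveState.<charname>
# value the way the thread describes, and reproduce the precision loss
# that garbled the tail of the base-36 conversion on the online converters.
SAMPLE_STORED = "1339943979051213454243694"  # number quoted in the thread
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def to_base36(n: int) -> str:
    """Arbitrary-precision integer -> base-36 string (lowercase digits)."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits))


def decode_save_state(stored: str) -> str:
    """Decimal pref value -> base-36 digits -> hex byte pairs -> UTF-8 text."""
    hexdigits = to_base36(int(stored, 10))
    if len(hexdigits) % 2:  # a leading 0 nibble is dropped by the integer form
        hexdigits = "0" + hexdigits
    try:
        raw = bytes.fromhex(hexdigits)
    except ValueError as exc:  # digits g-z mean the base-36 string is corrupt
        raise ValueError("not a KoLmafia save state (non-hex base-36 digits)") from exc
    return raw.decode("utf-8")


def encode_save_state(password: str) -> str:
    """Inverse: the UTF-8 hex string read as a base-36 number, written in decimal."""
    return str(int(password.encode("utf-8").hex(), 36))


def decode_via_double(stored: str) -> str:
    """What a converter that routes the value through a 53-bit double produces."""
    return to_base36(int(float(stored)))


if __name__ == "__main__":
    print(decode_save_state(SAMPLE_STORED))
    print(to_base36(int(SAMPLE_STORED)), "vs", decode_via_double(SAMPLE_STORED))
```

The exact path round-trips, while the double-based path keeps only the leading base-36 digits, which is why several converters agreed with each other and were all wrong in the same place.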
 

Bale

Minion
Weird. I was curious so I ran your decimal password through an online base converter and got the same wrong number as yourself. So I tried another website converter and another and another and continued to get the wrong number. For laughs I ran their answer into the converter from base-36 to base-10 to see what happens and sure enough it did not convert back to the original base-10 number, so their converter couldn't even check its own work.

Messed up, eh? It is interesting that so many websites make the same error. Isn't it amusing and tragic when people copy each other's errors?

Anyway, I finally found a functional online base converter here. Probably the same one you used.
 

fianor

Member
Sorry for the late reply, I don't get much of a chance to deal with KoL over weekends or on Mondays. Anyway, after having attempted to "decrypt" my password myself with the help of this thread, it is clearly beyond my current comprehension. However someone sent me a java class that recovered it for me. I presume the sender understood whatever it is involved with this that I don't since it worked very nicely. As it was sent PM I also presume they do not want the code/their name passed on so I shall not. You know who you are, it works beautifully, thank you. Also thanks for the help from everyone else.
 

Grotfang

Developer
As it was sent PM I also presume they do not want the code/their name passed on so I shall not.

I don't mind you saying it was me. I'm glad it works for you. Anyone who particularly wants to produce the same thing can do so simply by reading Veracity's code. Or, you know, the open-source KoLmafia code... However, to avoid making things too readily available for those who would use it for nefarious means, I would prefer it if you didn't pass the class on.
 
Isn't it amusing and tragic when people copy each other's errors?
Indeed so.
And actually, I found Bitizer which, if you check it out, is EXTREMELY convenient for the steps necessary to convert from Mafia stored password to plaintext and back.
Funny, judging by its appearance I'd expect it to be less accurate than the others. That whole "lack in power, make up for in paint" principle. (A quick google suggests that that's not a real idiom, but I'm saying it is now.)
 