Please re-read what I posted. You seem to have misunderstood. We do not have your password in cleartext. I added password hashing to the server years ago to help protect people's privacy. Before then *everything* was in cleartext. Should I have left it like this?
I don't see how upgrading in the future to support a more secure authentication mechanism, or allowing users to whitelist IP addresses and sending e-mails to confirm via their registered email address if another IP wants access to their account could be a bad thing for anyone.
Security Feature
Re: Security Feature
Head of the TMW Illuminati
Hi,
Passwords are in general not the most secure thing. Choosing weak passwords is very common, and you cannot avoid it. Even enforcing some rules for the password does not really solve the problem.
Hashing the password for protecting privacy is a good thing. It should be kept like this.
The only thing I could think of which might add some security here is not sending the password or its hash over the network, at least not unencrypted. So for login an encryption layer might be useful, and a challenge/response mechanism might help against replay attacks. I'm no specialist with this, though; I just have some basic knowledge.
Getting an account hacked could happen at any time. It is like getting your credit card stolen. So what could be useful here is disabling such an account as fast as possible, if someone has an idea on how to do it. The other thing which might be useful is: each time a player logs out, make a backup with a date. So in case an account was hacked, it could at least be reverted to some state shortly before being hacked. But that would be the maximum an administrator could do. At least some responsibility for the account has to stay with the players.
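The challenge/response login sketched in the reply above, as an added example (this is not The Mana World's server code, and the class and function names are assumptions): the server stores only a salted PBKDF2 verifier, issues a random single-use nonce, and accepts an HMAC over that nonce, so neither the password nor its hash crosses the wire and a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def derive_verifier(password: str, salt: bytes) -> bytes:
    # Salted, slow hash of the password; the server stores only this value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self) -> None:
        self.users = {}        # username -> (salt, verifier)
        self.pending = {}      # username -> outstanding challenge nonce
        self.used_nonces = set()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str):
        # A fresh random nonce per login attempt is what defeats replay.
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        salt, _ = self.users[username]
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # Reject anything that is not the one outstanding, never-used nonce.
        if self.pending.get(username) != nonce or nonce in self.used_nonces:
            return False
        self.used_nonces.add(nonce)
        del self.pending[username]          # one attempt per challenge
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    # The client proves knowledge of the password without transmitting it.
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def demo():
    # Constructed scenario: a good login, a replayed response, a wrong password.
    server = Server()
    server.register("alice", "correct horse battery")
    salt, nonce = server.challenge("alice")
    good = client_response("correct horse battery", salt, nonce)
    first = server.verify("alice", nonce, good)
    replay = server.verify("alice", nonce, good)
    salt2, nonce2 = server.challenge("alice")
    wrong = server.verify("alice", nonce2, client_response("guess", salt2, nonce2))
    return first, replay, wrong
```

One caveat the reply hints at: in this scheme the stored verifier is itself enough to answer a challenge, so the database still needs the same protection as a password hash; a PAKE such as SRP removes that property.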