Best Answer Graion Dilach, 06 July 2014 - 06:07 PM
Except that only you can see that field on your own profile.
Posted 06 July 2014 - 05:49 PM
Hey, I have a question. In here (look at the picture)
you suggest writing the C&C password, and I did write my own password there. When I went to my profile here (look at the picture)
does it show it to the public? This part can be very easily misunderstood, and people could write their passwords over there... Luckily I removed it quickly.
Posted 06 July 2014 - 06:07 PM Best Answer
Except that only you can see that field on your own profile.
ComradeCrimson: AS is the product of Hungarian acid
ComradeCrimson: And magical hussars
Dutchygamer: and Weird Al.
Posted 06 July 2014 - 06:09 PM
That's right, hamster. Try looking at other people's profiles. You can't see their passwords.
Gamereplays.org staff - Shatabrick admin.
Posted 06 July 2014 - 06:22 PM
Yeah this is not an issue.
No fuel left for the pilgrims
Posted 06 July 2014 - 06:41 PM
Thank you, but it can be misleading in my opinion; people might think other people can see it. It can be confusing to people if you don't write anything nearby like (This is only visible to you).
Posted 06 July 2014 - 06:42 PM
Thank you, but it can be misleading in my opinion; people might think other people can see it. It can be confusing to people if you don't write anything nearby like (This is only visible to you).
Good idea
"To know what question we may reasonably propose is in itself a strong evidence of sagacity or intelligence. For if a question be in itself incongruous and begs for uncalled-for answers, it holds, sometimes, besides embarrassing the proposer, the disadvantage to seduce the unguarded listener into giving absurd answers, and we are presented with the ridiculous spectacle of one (as the ancients said) milking the he-goat, and the other holding a sieve beneath."
Posted 07 July 2014 - 10:20 AM
I think it is an issue that the password is shown in clear text in the first place. It does not look secure at all. Some people tend to use the same internet passwords on multiple pages. The assumption that the computer is never shared by multiple people would be a terrible mistake. And even if it is "just" shown on one's own profile, I fear some future error or exploit could reveal passwords from other profiles.
Gain access to CNC Online servers by using GenTool for Generals and Zero Hour.
"GenTool provides enhanced game controls and optimizations to maximize your online gaming experience. Additionally it comes with three anti cheat solutions for Generals and Zero Hour. The program is easy to install and is fully functional with C&C Generals 1.8, C&C Generals Zero Hour 1.04, Generals Deluxe Edition, The First Decade and The Ultimate Collection."
Posted 07 July 2014 - 10:49 AM
There is no way to view these on other people's accounts short of hacking yourself into admin rank on Revora, which to my knowledge is impossible.
It might be good to add the disclaimer (DO NOT USE THIS PASSWORD ANYWHERE ELSE) near the password field, though.
Posted 07 July 2014 - 01:51 PM
There is no way to view these on other people's accounts short of hacking yourself into admin rank on Revora, which to my knowledge is impossible.
Wait. Do you say admins can see clear passwords?
Edited by xezon, 07 July 2014 - 01:51 PM.
Posted 07 July 2014 - 02:19 PM
WARNING: This password is saved in plain text!
So, yes.
Edited by ICT, 07 July 2014 - 02:19 PM.
Posted 08 July 2014 - 04:48 AM
There is no way to view these on other people's accounts short of hacking yourself into admin rank on Revora, which to my knowledge is impossible.
Wait. Do you say admins can see clear passwords?
If this is the case, I cannot stress enough that this needs to be clearly stated upon entering that password so that people use a totally original password. Many people use the same password many, many times, and this can potentially expose those users. Or, even better, change it so admins do not see the passwords.
Edited by Squaggle, 08 July 2014 - 04:49 AM.
Posted 08 July 2014 - 06:13 AM
Posted 08 July 2014 - 07:49 AM
Wherever you go on the world-wide web, your passwords are always eventually visible to the administration of the respective page.
The guide clearly says that it is saved in plain text and that it shouldn't be used for anything else.
We are talking about a free gaming service here; giving support is very time-consuming. Given the fact that Revora is a non-profit association, you can trust the handful of admins with their powers.
On the register page I did not see any warning about this. I think this is a major security issue that needs fixing asap. Labeling something as "password" and making it visible to admins is simply unacceptable. Nowadays users simply expect that passwords are stored as hashes and are not exposed to other people.
Edit: I put a warning on the gamereplays forum thread. I think some people are not aware about this detail. Neither was I.
Edited by xezon, 08 July 2014 - 08:28 AM.
Posted 08 July 2014 - 11:39 AM
Posted 08 July 2014 - 12:14 PM
I doubt there is no way to encrypt a pass-phrase making it virtually impossible to decrypt it. Although I must admit I did not research before making that claim.
Edit: According to this question, hashes can indeed make it virtually impossible to reverse engineer a password.
http://stackoverflow...d-encrypting-it
As someone writes there
As an administrator you NEVER EVER need to have someone's pre-hashed password. You just don't. And you shouldn't have it either. If you don't agree with what I'm saying, let me assure you: you're wrong.
100% agree.
Btw I was wondering if Phil is Phil who posted there (coincidence)
Edited by xezon, 08 July 2014 - 01:03 PM.
Posted 08 July 2014 - 01:18 PM
My point is: IF the admin wants to get the passwords of a site he manages then he will get them. This is a question of trusting the site-owner (or code developer).
As I said before, the current system is not perfect and it should be changed in another user control system, but you will have to trust the page-owner again to implement a good hashing algorithm.
Posted 08 July 2014 - 02:09 PM
If this is the case, I cannot stress enough that this needs to be clearly stated upon entering that password so that people use a totally original password. Many people use the same password many, many times, and this can potentially expose those users. Or, even better, change it so admins do not see the passwords.
On the register page I did not see any warning about this. I think this is a major security issue that needs fixing asap. Labeling something as "password" and making it visible to admins is simply unacceptable. Nowadays users simply expect that passwords are stored as hashes and are not exposed to other people.
Edit: I put a warning on the gamereplays forum thread. I think some people are not aware of this detail. Neither was I.
You're right, I'll put an extra note under that field. The guide on the website already states this very clearly, but people don't really read that I guess.
To clear up some confusion: You cannot protect a password from the administrator of a site because he controls the application. What hashing a password does is protect it from unauthorized third parties in case the database is hacked.
This only holds true however if the passwords are also salted and if people use long passwords that aren't dictionary words or variations thereof. You also shouldn't be using a fast hashing algorithm like md5 because current password-cracking tools can guess billions of hashes per second. Another problem is the input limitation of the password fields for those games: by not allowing special characters to be entered, the search space is drastically reduced. So if you have an 8-character password of just alphanumerics, a fast password cracking tool might take only minutes to guess your hash.
More reading (because it's fascinating stuff): http://blog.codingho.../speed-hashing/
I do plan to add password hashing to the server eventually, but that will require some extensive programming. And unless it's done correctly, there's not much of a point.
Edited by Phil, 08 July 2014 - 02:11 PM.
My Political Compass
Mr. Dschin had seven elephants
And then there was also the eighth.
Seven were wild and the eighth was tame
And it was the eighth that guarded them.