Welcome to the Builder Academy

Question passwords/crypt

27 Aug 2022 00:43 - 27 Aug 2022 00:55 #10133 by ironfist
passwords/crypt was created by ironfist
I think the default password handling is a bit out of date.  It uses the crypt function (at least on linux) which is defaulting to DES algorithm as far as I can tell with a salt that takes the first 12 bits of the character's name.  It is not even as secure as md5 which itself is not good anymore.  The glib version of crypt allows for SHA256 and SHA512 which are pretty current, using the SHA2 algorithm.  The government phased out SHA1 for new applications there from what I have read.  According to the documentation the size of the encrypted string would be 43 characters for SHA256.
Now, I'm not sure how this would work on other systems or if it is better to pull in openssl libraries.  It looks like one might use the EVP_sha256 function, but I've never used it myself.  I'm not sure if the encryption export restrictions apply anymore as all of this stuff is all over the web.  Anyone have thoughts on this?

Last edit: 27 Aug 2022 00:55 by ironfist.


28 Aug 2022 15:52 #10134 by thomas
Replied by thomas on topic passwords/crypt
Well, you are right about the encryption; if someone got to your file system and read the player file, they'll get a hash that is easy to decrypt.

But we're talking about a game that is accessed via telnet over an open line; the password is already sent in clear text over the internet. There are limits to what we can fix with a hashing algorithm.

You are, btw, entirely correct when it comes to the reason here; it's simply outdated. At the time, crypt was the highest level of encryption available on most platforms.

Feel free to submit a patch for an update.


28 Aug 2022 16:38 #10135 by ironfist
Replied by ironfist on topic passwords/crypt
The main reason is that sometimes the codebases end up getting passed around and often they have leftover playerfiles with passwords in them after the fact.  They could probably be hacked or rainbow tabled given enough time, but it just seemed like one aspect to address.  Yup, there is the telnet issue and other stuff also, but I don't really know anything about implementing ssh or whatever at least at the moment :(
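As an added illustration (not tbaMUD's code, and not the glibc crypt() call with a $5$/$6$ salt that the thread proposes): Python's crypt module was removed in 3.13, so this uses PBKDF2-HMAC-SHA512 from hashlib as a stand-in for the SHA-512 crypt scheme, keeping the parts that matter for the playerfile problem raised above: a random per-account salt instead of one derived from the character name, a self-describing stored string so the work factor can be raised later, constant-time comparison, and transparent rehashing of legacy 13-character crypt() output at the next successful login. All function names and parameter values are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for this example; tune ROUNDS to your hardware.
ALG = "pbkdf2-sha512"
ROUNDS = 210_000     # assumption: roughly 100 ms per login on a modern CPU
SALT_BYTES = 16      # 128-bit random salt per account, never derived from the name


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, rounds: int = ROUNDS) -> str:
    """Return a self-describing string: $alg$rounds$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"${ALG}${rounds}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str):
    """Split a stored string; None for anything that is not our format."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != ALG:
        return None
    try:
        return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def verify_password(stored: str, password: str) -> bool:
    parsed = _parse(stored)
    if parsed is None:
        return False  # unknown or legacy format: caller must migrate it
    rounds, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def needs_rehash(stored: str) -> bool:
    """True for legacy crypt() output (e.g. 13-char DES) or a weaker-than-current work factor."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < ROUNDS


def login(stored: str, password: str, legacy_check):
    """Verify, then upgrade in place. legacy_check(stored, password) wraps the old crypt() compare.
    Returns (ok, new_stored_or_None); persist new_stored when it is not None."""
    ok = verify_password(stored, password) if _parse(stored) else legacy_check(stored, password)
    return (True, hash_password(password)) if ok and needs_rehash(stored) else (ok, None)
```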

