Server Help

Qndre

OK, OK the Continuum encryption is very strong, but one thing I don't like about it is that it's much too weak to send a password through it. (I know every time we log in at a website our password is visible but in Continuum it's a known problem

while at the web, most people don't know.) Password thefts have been done by reading the "profile.dat" or by sniffing network packets. So my suggestion to you is to make the password encryption(like they are stored in Registry, "profile.dat" and sent to server) one-way- and SSL-like. Like MD5 at example. So you can't decrypt the passwords any more so you can't send them "unencrypted" (only secured by Continuum encryption) to the server and no software can easily decrypt them out of the "profile.dat" any more. So this means it would require a change in the server software, too. The server could just compare the two encrypted values instead of the original password, like almost every webserver with a database does. So people could trust in Continuum a bit more.
Once I typed my password I use for my webserver into Continuum's login and I changed it because I didn't really trust in Continuum (at some servers I actually saw my password transmitted unencrypted but that's another problem). A new encryption for the passwords would make it more secure. Mr Ekted, please talk to PriitK too because a change at the server side will be necessary if the idea would become true.
_
Thanks, Qndre

Mr Ekted · Movie Geek Gender: Joined: Feb 09 2004 Posts: 1379 Offline

MD5 is not an encryption method. Learn before you speak.
_________________
4,691 irradiated haggis!

Mine GO BOOM · Posted: Thu Mar 25, 2004 5:30 pm *Post maybe stupid* Post subject:

The idea of encryption is so that you can revert the process to get the original password. If you would MD5 the password, a person who sniffs the packet would get this MD5'd password, and thus can just use that as a password if they wanted to steal it.

The way Continuum works is already how you are attempting to request. The password is only ever sent plain text one time, the first time you create your name. Afterwards, the password, for SSC zones, is hashed with the information the SSC billing server sends to the client. Thus, if you log into an SSC zone, even if it is running ASSS and you don't trust the sysop/coders of that zone, your password is secure, since ASSS would only see this hashed password. So as long as the Client and Billing server are closed sourced, logging into a zone with your password already created is safe from people sniffing between the client/billing server.

As to what you want for your software, if a new connection type is created for ASSS, people can use a seperate "spec" password. At some point in time, a user can tell the billing server (or that specific zone) to create a "spec" account with a new password. So, that way, their master password is secure with Continuum, while if someone steals their spec password, it would only work to talk in game. If done with ASSS, this could also allow a special banner or icon next to the name to signal that this is a spec client, and not a normal one.

Qndre · Posted: Fri Mar 26, 2004 9:00 am *Post maybe stupid* Post subject:

Cyan~Fire · Posted: Fri Mar 26, 2004 10:46 am *Post maybe stupid* Post subject:

Qndre · Posted: Fri Mar 26, 2004 1:37 pm *Post maybe stupid* Post subject: