I also had another thought in the past, Z-Man. Feel free to delete this post if it shouldn't be posted ..
The problem I see with the current system isn't really that you can brute force the hash. You could just make a slight edit to the client and send a preset hash. Since it doesn't have to be generated in any certain way, you can just reuse what was sent to the server over and over again. This was my thought before brute forcing even came to mind, since I guess in my mind I know that's too time consuming and boring.
Now it sounds like I'm actually planning this. lol I don't do anything like that with other people's accounts, but it seems like it would be easily exploitable. I mean .. if you're editing the server to get the hashes, you probably won't have much of a problem editing the client to just send a preset string.
I haven't really looked into it, but is there anything to prevent it?
Swag and his password stealing
Re: Swag and his password stealing
Light wrote: The problem I see with the current system isn't really that you can brute force the hash. You could just make a slight edit to the client and send a preset hash. Since it doesn't have to be generated in any certain way, you can just reuse what was sent to the server over and over again. This was my thought before brute forcing even came to mind, since I guess in my mind I know that's too time consuming and boring.
Ha! That would work if we'd send the plain PW hash. We don't. The server picks a random nonce, sends it to the client, and that gets added to the hash data. As is the server's IP address. What is sent by the client is only usable for authentication on that server at that time.
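Added example, not part of the thread and not the game's own code: a small nonce-plus-server-address challenge-response of the kind described in the post above, showing that a captured response is rejected when it is sent again. The HMAC-SHA256 construction, all names, the password and the addresses are assumptions made for illustration; the thread does not give the real hash format.

```python
import hashlib
import hmac
import secrets

def stored_hash(username: str, password: str) -> bytes:
    # Assumed scheme: the value kept in place of the plain password.
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

def client_response(pw_hash: bytes, nonce: bytes, server_addr: str) -> bytes:
    # The response is bound to this server's nonce and this server's address.
    return hmac.new(pw_hash, nonce + server_addr.encode(), hashlib.sha256).digest()

class AuthServer:
    def __init__(self, addr: str, accounts: dict[str, bytes]):
        self.addr = addr
        self.accounts = accounts
        self.pending: dict[str, bytes] = {}  # username -> outstanding nonce

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per attempt
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)  # a nonce is usable once
        pw_hash = self.accounts.get(username)
        if nonce is None or pw_hash is None:
            return False
        expected = client_response(pw_hash, nonce, self.addr)
        return hmac.compare_digest(expected, response)

def demo() -> dict[str, bool]:
    # Constructed sample data: account, password and documentation-range IPs.
    accounts = {"Light": stored_hash("Light", "constructed-password")}
    a = AuthServer("192.0.2.10:4534", accounts)
    b = AuthServer("192.0.2.20:4534", accounts)
    captured = client_response(accounts["Light"], a.challenge("Light"), a.addr)
    results = {"fresh login": a.verify("Light", captured)}
    a.challenge("Light")  # the server issues a new nonce for the next attempt
    results["replay, same server"] = a.verify("Light", captured)
    b.challenge("Light")
    results["replay, other server"] = b.verify("Light", captured)
    results["no challenge issued"] = a.verify("Light", captured)
    return results

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```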
Re: Swag and his password stealing
Z-Man wrote: Ha! That would work if we'd send the plain PW hash. We don't. The server picks a random nonce, sends it to the client, and that gets added to the hash data. As is the server's IP address. What is sent by the client is only usable for authentication on that server at that time.
That's odd. When I made my PHP login, I just used "Light" run through MD5(). I thought the client generated it and sent it to the server? The salt that is. The rest is just using the pre/suffix and subbing out %u for the username. The script worked for @forums (I forget the URL off the top of my head), as well as the more obvious @lightron.org ones. I might have to see if I still have that layin' around somewhere.
- Adjust Outside Corner Grinder
- Posts: 2003
- Joined: Tue Nov 07, 2006 6:02 pm
- Location: paris
Re: Swag and his password stealing
If I'm following you correctly Light, you've merged the Game Client and Game Server roles, in which case the salt picking and password hash generation will indeed lie with the same hands.
Re: Swag and his password stealing
Ohh! When I made it, I followed the auth scripts as a guide, so I never looked much into it when it came to this because I wasn't actually planning on attempting to use someone else's account. That makes sense then. (: Curiosity of that can rest now. lol
Re: Swag and his password stealing
(By the way, never merge those two in real situations.)
Re: Swag and his password stealing
epsy wrote: (By the way, never merge those two in real situations.)
It was for a PHP login script, so it wasn't really something that was going to be used in the game. Though, it wasn't something I planned on using anyway. Just made it for fun. I don't seem to have it anymore.