Plaintext Password Storage?
After reading settings_authentication.cfg, my understanding is that in order to create a local account, I need to store the password for said account in plain text. Is this true?
Also, can I set up my server to accept forum accounts? How?
, leaving behind a single black feather.
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
Re: Plaintext Password Storage?
As far as I know about local accounts, that's true, but I'm not too up to date. To use the forums set GLOBAL_ID to 1. If you want to allow only the forums, use AUTHORITY_WHITELIST. There are descriptions of everything in settings_authentication.cfg.
Re: Plaintext Password Storage?
Yes, local accounts need to have their passwords in plaintext in your config files. It would be technically possible to instead store the appropriate md5 digest there, but that would not add any security: the first digest step is done on the client side, too, so modified clients could just as well skip the step and use a digest stolen from your config files. This was a choice we had to make in order to keep the data sent over the network useless to identity thieves, which is much more important, especially for global IDs. (End-to-end public key cryptography would be a way to get everything, I guess, but then we'd be subject to various import and export regulations since some silly governments consider these things weapons.)
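The reasoning in the reply above, as an added illustration that is not from this thread or from the game's own code: a constructed two-step scheme in which the client hashes the password first and then answers a fresh server challenge, so the wire never carries the password. The challenge step is an assumption (the post only implies one); the real wire format is not reproduced. The demo shows that a server storing the client-side digest is no safer against config-file theft than one storing the plaintext, because the stored digest is password-equivalent.

```python
import hashlib
import secrets

# Constructed toy model of the scheme described in the post: step 1 (md5 of the
# password) runs on the client; step 2 binds that digest to a one-time server
# challenge. Assumed shape only; not the game's actual protocol.

def client_digest(password: str) -> str:
    """Step 1, run on the client: md5 of the raw password."""
    return hashlib.md5(password.encode()).hexdigest()

def challenge_response(digest: str, challenge: str) -> str:
    """Step 2: prove knowledge of the digest against a fresh challenge."""
    return hashlib.md5((digest + challenge).encode()).hexdigest()

class LocalAccountServer:
    """Server whose config holds either the plaintext or its md5 digest."""
    def __init__(self, stored_secret: str, stored_is_digest: bool):
        # Either way the server ends up holding the step-1 digest.
        self.digest = stored_secret if stored_is_digest else client_digest(stored_secret)
        self.challenge = secrets.token_hex(8)  # fresh per login attempt

    def verify(self, response: str) -> bool:
        expected = challenge_response(self.digest, self.challenge)
        return secrets.compare_digest(response, expected)

def honest_login(server: LocalAccountServer, password: str) -> bool:
    """Unmodified client: runs step 1, then step 2."""
    return server.verify(challenge_response(client_digest(password), server.challenge))

def login_with_config_digest(server: LocalAccountServer, digest: str) -> bool:
    """Client that skips step 1 and feeds a digest read from a config file into step 2.
    This is the password-equivalence the post describes."""
    return server.verify(challenge_response(digest, server.challenge))

def demo() -> dict:
    pw = "correct horse"  # constructed sample password
    plain = LocalAccountServer(pw, stored_is_digest=False)
    hashed = LocalAccountServer(client_digest(pw), stored_is_digest=True)
    return {
        "honest_plain": honest_login(plain, pw),
        "honest_hashed": honest_login(hashed, pw),
        "config_digest_hashed": login_with_config_digest(hashed, client_digest(pw)),
        "wrong_password": honest_login(hashed, "wrong"),
    }
```

The only thing the second step buys is that a captured network exchange cannot be replayed against a new challenge; protection of the config file itself is still required whichever form the secret is stored in.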
Reply: “Re: Plaintext Password Storage?”
I have set GLOBAL_ID to 1. How do I authenticate using my forum login data? And how do I give my forum account level zero (owner) access?
Last edited by TechnoCat on Sat Jul 02, 2011 12:11 pm, edited 1 time in total.
Re: Plaintext Password Storage?
Code:
USER_LEVEL TechnoCat@forums 0
Code:
/login TechnoCat@forums
Reply: “Re: Plaintext Password Storage?”
I'm getting a “Command /LOGIN unknown” error.
Reply: “Re: Plaintext Password Storage?”
Is there some way I can configure the server so that I can use the authentication submenu?
Re: Reply: “Re: Plaintext Password Storage?”
TechnoCat wrote: I'm getting a “Command /LOGIN unknown” error.
Do it in chat, not the console.
And you can configure the client so you can use the authentication menu. Put TechnoCat@forums in the "Global ID" field of your player configuration. You can even activate automatic login somewhere around that.
Reply: “Re: Plaintext Password Storage?”
Thanks, everything works now. Now to find a way to securely store the password so I don't have to type it every time…
Re: Plaintext Password Storage?
Ah, you mean the password storage in your client? That's encrypted all right. But, of course, it's still stored in a way that if someone steals your user.cfg file, he can log in as you.
Maybe we should think about external password manager integration, that's right. Is the Firefox password manager accessible via some API? Or, even better, is there a cross-platform API to access several password managers the user may have installed anyway?
Edit: Or you could simply store your user.cfg on an encrypted file system. Yeah, that makes it easier to access for a hacker once they have access to your computer in some way while it's running with that partition mounted, but if they're that far, you're doomed anyway. A dedicated password manager program is then usually just a small obstacle.
Reply: “Re: Plaintext Password Storage?”
I'm not sure. For Macs, there's always Keychain Access, and gpg for Linux. Not sure about Windows though…