Plaintext Password Storage?

TechnoCat
On Lightcycle Grid
Posts: 31
Joined: Sat Mar 26, 2011 7:32 am

Plaintext Password Storage?

Post by TechnoCat »

After reading settings_authentication.cfg, my understanding is that in order to create a local account, I need to store the password for said account in plain text. Is this true?

Also, can I set up my server to accept forum accounts? How?
, leaving behind a single black feather.
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Re: Plaintext Password Storage?

Post by Tank Program »

As far as I know about local accounts, that's true, but I'm not too up to date. To use the forums set GLOBAL_ID to 1. If you want to allow only the forums, use AUTHORITY_WHITELIST. There are descriptions of everything in settings_authentication.cfg.
Z-Man
God & Project Admin
Posts: 11587
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Plaintext Password Storage?

Post by Z-Man »

Yes, local accounts need to have their passwords in plaintext in your config files. It would be technically possible to instead store the appropriate md5 digest there, but that would not add any security: the first digest step is done on the client side, too, so modified clients could just as well skip the step and use a digest stolen from your config files. This was a choice we had to make in order to keep the data sent over the network useless to identity thieves, which is much more important, especially for global IDs. (End-to-end public key cryptography would be a way to get everything, I guess, but then we'd be subject to various import and export regulations since some silly governments consider these things weapons.)
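A simplified model of the trade-off described in the post above, as an added example that is not part of the original post and not Armagetron's own protocol code. The MD5-of-digest-plus-nonce construction, the function names and the sample account are assumptions for illustration; the point is that a config entry holding the digest is as sensitive as one holding the plaintext, while a response captured on the network is useless against a fresh challenge.

```python
import hashlib
import hmac
import os

def first_digest(password: str) -> str:
    """Step 1, done on the client: digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def response(digest: str, nonce: bytes) -> str:
    """Step 2: bind the digest to the server's one-time nonce."""
    return hashlib.md5(digest.encode() + nonce).hexdigest()

class Server:
    """Toy server (assumed design); nonce bookkeeping is left out for brevity."""
    def __init__(self, config: dict, stores_digest: bool):
        self.config = config                # user -> value kept in the config file
        self.stores_digest = stores_digest  # True: entries are MD5 digests

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, nonce: bytes, resp: str) -> bool:
        if user not in self.config:
            return False
        secret = self.config[user]
        digest = secret if self.stores_digest else first_digest(secret)
        return hmac.compare_digest(response(digest, nonce), resp)

def honest_login(server: Server, user: str, password: str) -> bool:
    nonce = server.challenge()
    return server.verify(user, nonce, response(first_digest(password), nonce))

def stored_digest_is_password_equivalent(server: Server, user: str) -> bool:
    """The config entry alone passes verification, because step 1 runs client-side."""
    nonce = server.challenge()
    return server.verify(user, nonce, response(server.config[user], nonce))

def captured_response_is_useless(server: Server, user: str, password: str) -> bool:
    """A response recorded for one nonce fails against the next challenge."""
    captured = response(first_digest(password), server.challenge())
    return not server.verify(user, server.challenge(), captured)

# Constructed sample account, not taken from any real configuration.
PLAIN = Server({"admin": "constructed-pass"}, stores_digest=False)
DIGEST = Server({"admin": first_digest("constructed-pass")}, stores_digest=True)
```

Either way the config file has to be protected like a credential; file permissions or an encrypted volume matter more than the format of the entry.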
TechnoCat
On Lightcycle Grid
Posts: 31
Joined: Sat Mar 26, 2011 7:32 am

Reply: “Re: Plaintext Password Storage?”

Post by TechnoCat »

I have set GLOBAL_ID to 1. How do I authenticate using my forum login data? And how do I give my forum account level zero (owner) access?
Last edited by TechnoCat on Sat Jul 02, 2011 12:11 pm, edited 1 time in total.
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Re: Plaintext Password Storage?

Post by Tank Program »

    USER_LEVEL TechnoCat@forums 0

In the config and then in game:

    /login TechnoCat@forums
TechnoCat
On Lightcycle Grid
Posts: 31
Joined: Sat Mar 26, 2011 7:32 am

Reply: “Re: Plaintext Password Storage?”

Post by TechnoCat »

I'm getting a “Command /LOGIN unknown” error.
Last edited by TechnoCat on Sat Jul 02, 2011 12:11 pm, edited 1 time in total.
TechnoCat
On Lightcycle Grid
Posts: 31
Joined: Sat Mar 26, 2011 7:32 am

Reply: “Re: Plaintext Password Storage?”

Post by TechnoCat »

Is there some way I can configure the server so that I can use the authentication submenu?
Last edited by TechnoCat on Sat Jul 02, 2011 12:11 pm, edited 1 time in total.
Z-Man
God & Project Admin
Posts: 11587
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Reply: “Re: Plaintext Password Storage?”

Post by Z-Man »

TechnoCat wrote: I'm getting a “Command /LOGIN unknown” error.

Do it in chat, not the console.

And you can configure the client so you can use the authentication menu. Put TechnoCat@forums in the "Global ID" field of your player configuration. You can even activate automatic login somewhere around that.
TechnoCat
On Lightcycle Grid
Posts: 31
Joined: Sat Mar 26, 2011 7:32 am

Reply: “Re: Plaintext Password Storage?”

Post by TechnoCat »

Thanks, everything works now. Now to find a way to securely store the password so I don't have to type it every time…
Last edited by TechnoCat on Sat Jul 02, 2011 12:12 pm, edited 1 time in total.
TechnoCat
On Lightcycle Grid
Posts: 31
Joined: Sat Mar 26, 2011 7:32 am

Idea

Post by TechnoCat »

I just thought of something.
What if the authentication file was encrypted using some other application and automatically decrypted when Armagetron tries to use it?
Last edited by TechnoCat on Sat Jul 02, 2011 12:12 pm, edited 1 time in total.
Z-Man
God & Project Admin
Posts: 11587
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Plaintext Password Storage?

Post by Z-Man »

Ah, you mean the password storage in your client? That's encrypted all right. But, of course, it's still stored in a way that if someone steals your user.cfg file, he can log in as you.

Maybe we should think about external password manager integration, that's right. Is the Firefox password manager accessible via some API? Or, even better, is there a cross-platform API to access several password managers the user may have installed anyway?

Edit: Or you could simply store your user.cfg on an encrypted file system. Yeah, that makes it easier to access for a hacker once they have access to your computer in some way while it's running with that partition mounted, but if they're that far, you're doomed anyway. A dedicated password manager program is then usually just a small obstacle.
TechnoCat
On Lightcycle Grid
Posts: 31
Joined: Sat Mar 26, 2011 7:32 am

Reply: “Re: Plaintext Password Storage?”

Post by TechnoCat »

I'm not sure. For Macs, there's always Keychain Access, and gpg for Linux. Not sure about Windows though…