Joined: 29 Dec 2007 Posts: 85 Location: Montreal, Canada
Posted: Thu Feb 21, 2008 11:54 pm Post subject: "GetPassword"
Well I gave the opportunity to my higher staff to see the account informations using a command but it is impossible with pol to "getpassword" and display it. Would be great if it could be added in the futur..
I personally would like the password to be impossible to retrieve.
As a security administrator it's a key part of password management to make them unreadable due to encryption so all we can do is set a password for the user.
Of course pol allows you to have cleartext or md5 encrypted passwords stored in the accounts.txt file, but I really dislike this feature. I much prefer players to have the security of knowing their password cannot be read by anyone, me included.
Author
Message
*Edwards
Joined: 29 Dec 2007 Posts: 85 Location: Montreal, Canada
Posted: Fri Feb 22, 2008 3:41 am Post subject:
Just addind the possibility for... would simply give an opportunity to use it or not.
We are 3 friends running a shard together since 1 year and I can trust them at 100%. Plus our server seems well secured. That could be an option in pol.cfg or something... A lot of oldies would like to start fast and I would gave the opportunity to my friends to read a password through a command. Few would say it is not safe at all Edwards! but considering the fact that only specific ips are now allowed to use a staff member and in addition a secret code for using the command... it makes it safer... I still really care about the hard work spent by our players on our lands
I personally would like the password to be impossible to retrieve
I couldn't state that better. I am strongly against such a command.
You can give your trusted staff members the command to change the current password but why should they read the old one? If someone forgets his password he needs to be send his old or new one. So you can simply give a new one via email. A command to read it is always a possible security leak.
Author
Message
*Edwards
Joined: 29 Dec 2007 Posts: 85 Location: Montreal, Canada
Posted: Fri Feb 22, 2008 8:36 pm Post subject:
That's not horrible to ask?
How that could be a problem? Our staff is irl's friends and we are running it together since a year now.. Would just make possible for them to see it. Just an option as getprop.password working.... You can use it or not that's it... Even if it's added you can take your own decision about "do I use it or not"..
Author
Message
CWO
Joined: 04 Feb 2006 Posts: 691 Location: Chicago, IL USA
Posted: Fri Feb 22, 2008 9:31 pm Post subject:
Well it would all depend on if the passwords are even saved as pure text in the accounts.txt file (pol.cfg option) because POL can't reverse an MD5 hashed password.
Author
Message
MontuZ Distro Developer
Joined: 10 Feb 2006 Posts: 293 Location: Myrtle Beach, South Carolina
Posted: Sat Feb 23, 2008 6:23 am Post subject:
Eddyboy, reading your post just gave me an idea.
Anytime someone creates a new account or changes their password just;
account.SetProp("Password", new_password);
That way later you can just;
account.GetProp("Password");
If you want to grab it.
Author
Message
*Edwards
Joined: 29 Dec 2007 Posts: 85 Location: Montreal, Canada
Posted: Mon Feb 25, 2008 3:56 am Post subject:
That could be a solution obviously but still add unecessary data. But anyways, I shall simply deal with a password re-sender or something similar. Thanks anyway.
@Montuz:
Really a good idea. For security reasons i would choose a datafile for that, so its not quite that open if somebody perhaps infiltrated that server searching the account files.
