Well, I gave the opportunity to my higher staff to see the account information using a command, but it is impossible with pol to "getpassword" and display it. Would be great if it could be added in the future..
I personally would like the password to be impossible to retrieve.
As a security administrator it's a key part of password management to make them unreadable due to encryption so all we can do is set a password for the user.
Of course pol allows you to have cleartext or md5 encrypted passwords stored in the accounts.txt file, but I really dislike this feature. I much prefer players to have the security of knowing their password cannot be read by anyone, me included.
Just adding the possibility for... would simply give an opportunity to use it or not.
We are 3 friends running a shard together for 1 year and I can trust them at 100%. Plus our server seems well secured. That could be an option in pol.cfg or something... A lot of oldies would like to start fast and I would give the opportunity to my friends to read a password through a command. Few would say it is not safe at all Edwards! but considering the fact that only specific IPs are now allowed to use a staff member and in addition a secret code for using the command... it makes it safer... I still really care about the hard work spent by our players on our lands
I personally would like the password to be impossible to retrieve
I couldn't state that better. I am strongly against such a command.
You can give your trusted staff members the command to change the current password but why should they read the old one? If someone forgets his password he needs to be sent his old or new one. So you can simply give a new one via email. A command to read it is always a possible security leak.
How could that be a problem? Our staff are IRL friends and we have been running it together for a year now.. Would just make it possible for them to see it. Just an option as getprop.password working.... You can use it or not, that's it... Even if it's added you can take your own decision about "do I use it or not"..
Well it would all depend on if the passwords are even saved as pure text in the accounts.txt file (pol.cfg option) because POL can't reverse an MD5 hashed password.
That could be a solution obviously but still adds unnecessary data. But anyways, I shall simply deal with a password re-sender or something similar. Thanks anyway.
@Montuz:
Really a good idea. For security reasons I would choose a datafile for that, so it's not quite that open if somebody perhaps infiltrated that server searching the account files.