Change request for POL Core regarding player passwords

OWHorus
Grandmaster Poster
Posts: 105
Joined: Sat Feb 04, 2006 1:24 pm
Location: Vienna, Austria

Post by OWHorus »

Hello,

there is one thing I should have reported long before, but better late than never...

POL gives the option to store MD5 hash strings only in accounts.txt or optionally to retain the clear text passwords. (We use the latter, btw.)

But regardless of what you use, the MD5 hashes are correct - and unusable. Why?

Consider this: If I want for example to allow players to upload a character picture or similar things, I will need to authenticate the player. So the first idea is to store the accountname-MD5-Hash pairs into a database and verify them, when the player logs into the site. There are other options. I also could export these pairs into my forum user database, because it also uses accountname/MD5 hashes.

But POL has decided to 'salt' the MD5 hashes, using the string 'accountname'+'password' for the MD5 hash. And this is the problem: Many players forget how they wrote their account names, if they used a capital letter or not. If I want to check account name / password as a hash, the player is forced to write not only her password in correct upper/lower case format, she needs to do this for the account name too. But logging into our forums or into the game, this is not necessary! (Forums because we use a different method to generate the access accounts during registration).

So please: Could we change this mechanism either to MD5 hash for password only (without 'salt'), or if 'salt' is wished could we change it to:
MD5( lower(account name) + password)?

By forcing the account to lower case the value of the 'salt' method is not worse, but I can always use the MD5 hash, even if the player used different upper/lower case while typing the account name. This is the usual behaviour, only passwords need to be typed exactly.

Thanks
OWHorus

PS: If I would start with a shard today, I would change all account names to lower case during registry, and the problem would not be there. But since our shard started in 1999, and we still have accounts which are very old and still valid and used, so I cannot do this, at least not with a lot of hassle.
Nando
POL Developer
Posts: 282
Joined: Wed Sep 17, 2008 6:53 pm

Re: Change request for POL Core regarding player passwords

Post by Nando »

That's a fair point. It might also be a good opportunity to change the default hash algorithm to something that is more expensive to brute-force. And a hash string that is more future-proof.

As a workaround for now, could you use a map of lower-case names to the original names in accounts.txt?
OWHorus
Grandmaster Poster
Posts: 105
Joined: Sat Feb 04, 2006 1:24 pm
Location: Vienna, Austria

Re: Change request for POL Core regarding player passwords

Post by OWHorus »

Yes, what I have to do to fix this: In my SQL-DB I have the 'correct' Account Names (i.e. with original upper/lower case letters). I need to search the correct name regardless of upper/lower case, then use the name in the DB to replace the entered name, then the generation of the hash will succeed.

I just wanted to mention this, since - after a bit of thought, and not by looking at the code: Login to the game works similarly, first you find the correct account disregarding upper/lower case, and then you use the 'real' account name stored in accounts.txt and the submitted password, generate the hash and compare. Am I right?

So it can be fixed, but for the future it would be nice to just use the account/hash pairs as they are. Because in several cases (mainly forum accounts) I use a PERL Script to extract the passwords from accounts.txt, since this cannot be done with POL itself. Since I am thinking about modernising our registration procedure, this came to mind.

Thank you for looking into it :)
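
The lookup discussed in the replies above (find the account regardless of case, then hash with the stored spelling), as an added example that is not part of the original posts or of POL's code. It assumes the hash is the lowercase hex MD5 of the UTF-8 bytes of accountname+password; the function names and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac


def legacy_hash(account_name: str, password: str) -> str:
    """MD5(accountname + password) as described in the thread.
    Assumption: UTF-8 input bytes, lowercase hex output."""
    return hashlib.md5((account_name + password).encode("utf-8")).hexdigest()


def build_index(pairs):
    """Map case-folded name -> (original spelling, stored hash).
    Two names differing only by case would make the lookup ambiguous,
    so they are rejected instead of silently overwriting each other."""
    index = {}
    for name, stored in pairs:
        key = name.casefold()
        if key in index:
            raise ValueError(f"names collide ignoring case: {name!r}, {index[key][0]!r}")
        index[key] = (name, stored.lower())
    return index


# Placeholder used for unknown accounts so a hash is still computed and compared.
DUMMY = ("", "0" * 32)


def verify(index, typed_name: str, password: str):
    """Return the account name in its original spelling, or None.
    The typed name is only a lookup key; the hash always uses the stored spelling."""
    canonical, stored = index.get(typed_name.casefold(), DUMMY)
    candidate = legacy_hash(canonical, password)
    matches = hmac.compare_digest(candidate, stored)  # constant-time comparison
    return canonical if (matches and canonical) else None


# Constructed sample data standing in for name/hash pairs exported from accounts.txt.
SAMPLE = [
    ("ElderMage", legacy_hash("ElderMage", "Tr1cky-Pass")),
    ("bob", legacy_hash("bob", "hunter-22")),
]

if __name__ == "__main__":
    idx = build_index(SAMPLE)
    # Hashing the name as typed fails when the case differs from the stored one.
    print(legacy_hash("eldermage", "Tr1cky-Pass") == idx["eldermage"][1])
    print(verify(idx, "eldermage", "Tr1cky-Pass"))
    print(verify(idx, "eldermage", "tr1cky-pass"))
```
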