Hello,
there is one thing I should have reported long before, but better late than never...
POL gives the option to store MD5 hash strings only in accounts.txt or optional to retain the clear text passwords. (We use the latter, btw.)
But regardless of what you use, the MD5 hashes are correct - and unusable. Why?
Consider this: If I want for example to allow players to upload a character picture or similar things, I will need to authenticate the player. So the first idea is to store the accountname-MD5-hash pairs in a database and verify them when the player logs into the site. There are other options. I also could export these pairs into my forum user database, because it also uses accountname/MD5 hashes.
But POL has decided to 'salt' the MD5 hashes, using the string 'accountname'+'password' for the MD5 hash. And this is the problem: Many players forget how they wrote their account names, whether they used a capital letter or not. If I want to check account name / password as a hash, the player is forced to write not only her password in the correct upper/lower case format, she needs to do this for the account name too. But when logging into our forums or into the game, this is not necessary! (Forums because we use a different method to generate the access accounts during registration.)
So please: Could we change this mechanism either to MD5 hash for password only (without 'salt'), or if 'salt' is wished could we change it to:
MD5( lower(account name) + password)?
By forcing the account name to lower case, the value of the 'salt' method is not worse, but I can always use the MD5 hash, even if the player used different upper/lower case while typing the account name. This is the usual behaviour: only passwords need to be typed exactly.
Thanks
OWHorus
PS: If I were to start a shard today, I would change all account names to lower case during registry, and the problem would not be there. But since our shard started in 1999 and we still have accounts which are very old and still valid and in use, I cannot do this, at least not without a lot of hassle.
Change request for POL Core regarding player passwords
Re: Change request for POL Core regarding player passwords
That's a fair point. It might also be a good opportunity to change the default hash algorithm to something that is more expensive to brute-force. And a hash string that is more future-proof.
As a workaround for now, could you use a map of lower-case names to the original names in accounts.txt?
Re: Change request for POL Core regarding player passwords
Yes, what I have to do to fix this: In my SQL DB I have the 'correct' account names (i.e. with the original upper/lower case letters). I need to search for the correct name regardless of upper/lower case, then use the name from the DB to replace the entered name; then the generation of the hash will succeed.
I just wanted to mention this, since - after a bit of thought, and not by looking at the code - login to the game works similarly: first you find the correct account disregarding upper/lower case, and then you use the 'real' account name stored in accounts.txt and the submitted password, generate the hash and compare. Am I right?
So it can be fixed, but for the future it would be nice to just use the account/hash pairs as they are. Because in several cases (mainly forum accounts) I use a Perl script to extract the passwords from accounts.txt, since this cannot be done with POL itself. Since I am thinking about modernising our registration procedure, this came to mind.
Thank you for looking into it
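The login flow described in this post (look up the stored spelling of the account name case-insensitively, then hash with that spelling), beside the MD5(lower(account name) + password) variant requested in the first post, as an added Python example; this is not POL's own code, and the sample accounts, the hex-digest encoding of the hash and the function names are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional


def pol_hash(account_name: str, password: str) -> str:
    """MD5 over account name + password, the scheme the thread attributes to POL.
    Hex-digest output is an assumption; the real accounts.txt encoding is not shown here."""
    return hashlib.md5((account_name + password).encode("utf-8")).hexdigest()


def proposed_hash(account_name: str, password: str) -> str:
    """The change requested in the first post: MD5(lower(account name) + password)."""
    return pol_hash(account_name.lower(), password)


# Constructed sample accounts: stored spelling -> hash, as on an old shard where
# names were never normalised at registration.
ACCOUNTS: Dict[str, str] = {
    "OWHorus": pol_hash("OWHorus", "correct horse"),
    "Player2": pol_hash("Player2", "hunter2"),
}


def find_canonical_name(entered_name: str, accounts: Dict[str, str]) -> Optional[str]:
    """Case-insensitive lookup returning the stored spelling of the name.
    If two stored names differ only in case the match is ambiguous, so refuse."""
    wanted = entered_name.casefold()
    matches = [name for name in accounts if name.casefold() == wanted]
    return matches[0] if len(matches) == 1 else None


def verify_login(entered_name: str, password: str,
                 accounts: Dict[str, str] = ACCOUNTS) -> bool:
    """The flow described in this post: resolve the stored spelling first,
    then hash with that spelling and compare against the stored hash."""
    canonical = find_canonical_name(entered_name, accounts)
    if canonical is None:
        return False
    # constant-time compare so a timing side channel does not leak partial matches
    return hmac.compare_digest(pol_hash(canonical, password), accounts[canonical])


def verify_as_typed(entered_name: str, password: str,
                    accounts: Dict[str, str] = ACCOUNTS) -> bool:
    """The approach that fails in the first post: hash the name exactly as typed."""
    stored = accounts.get(entered_name)
    return stored is not None and hmac.compare_digest(pol_hash(entered_name, password), stored)
```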