Seems this didn't get through first time so trying again.

Rick Tanner wrote:
| AnMaster wrote:
| |
| | Backward compatibility would be supported by plain text login once and then upgrade
| | password in player file to store the "shared secret", then HMAC-SHA256 would be used in
| | future to log in. I feel that it is less of an issue storing an unencrypted shared secret
| | on the server than, as we currently do, sending it in plain text over network.
|
| What about password resets in cases where a player returns from a long
| hiatus and can't remember their password?
|
| Under the current system, a person with server/shell access can reset
| that player's password. Would this new system prevent this?
|

No. As it is a shared secret, it would actually have to be stored in plain text on the server (still less of an issue than sending it unencrypted, or if that is considered a very bad issue, I could use a more sophisticated protocol, like that SSH uses). And yes, resetting password on server would be possible both ways.

Regards,

Arvid Norlander

_______________________________________________
crossfire mailing list
http://mailman.metalforge.org/mailman/listinfo/crossfire
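
The login scheme discussed in the message above, sketched as an added example (not part of the original post and not Crossfire's code). The server-issued nonce, the salted-hash legacy record and every class and function name are assumptions; the message itself only specifies a one-time plain-text login followed by HMAC-SHA256 over a shared secret stored in plain text.

```python
import hashlib
import hmac
import secrets


def client_response(password: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.players = {}   # name -> {"legacy": (salt, hash) or None, "secret": str or None}
        self.pending = {}   # name -> outstanding one-time nonce

    def add_legacy_player(self, name, password):
        # Assumed legacy format: a salted hash checked against a plain-text login.
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + password.encode()).digest()
        self.players[name] = {"legacy": (salt, digest), "secret": None}

    def login_plain(self, name, password):
        """One-time plain-text login that upgrades the record to a shared secret."""
        rec = self.players.get(name)
        if rec is None or rec["legacy"] is None:
            return False    # unknown or already upgraded: plain-text login refused
        salt, digest = rec["legacy"]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            return False
        # Stored unhashed: the server needs the key itself to compute the HMAC.
        rec["legacy"], rec["secret"] = None, password
        return True

    def challenge(self, name):
        self.pending[name] = secrets.token_bytes(32)
        return self.pending[name]

    def login_hmac(self, name, response):
        nonce = self.pending.pop(name, None)   # single use: a captured response cannot be replayed
        rec = self.players.get(name)
        if nonce is None or rec is None or rec["secret"] is None:
            return False
        expected = hmac.new(rec["secret"].encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def admin_reset(self, name, new_password):
        """Someone with server/shell access overwrites the stored secret."""
        self.players[name] = {"legacy": None, "secret": new_password}
```

Because `login_hmac` has to recompute the MAC, anyone who can read the player file holds the login credential itself, which is the trade-off the message accepts in exchange for keeping the password off the wire.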

