Does any1 remember that this is a FUN game? Why do we have to use a password at all to enter the lobby?
Do we want to restrict people from playing Glob2 online? 2nd question. If somebody were to masquerade as me, to login in as me and play a game as me -- or even hack my password or Stephane. Who would be hurt? I am not being silly by asking. 3rd question. Which is more important, ensuring the passwords used by YOG are secure or reducing the number of outstanding bug reports (even the most insignificant kind) by one? BTW:Please email me directly if you are even slightly interested knowing my YOG password. I will post the total number of emails I get on this subject in 1 month. OMG On Sat, Jul 16, 2011 at 10:51 AM, Austin H <[email protected]> wrote: > Having a random salt really does make it much harder to crack the > passwords and I would highly recommend that. With a random salt they > would have to attack each password individually rather than attacking > them all as a group but a fixed salt will eliminate the use of rainbow > tables. > > However, I am not sure of the purpose of hashing it twice. And by the > way, please use sha256 or sha512 to avoid the collisions with sha1. > > On 07/16/2011 05:25 AM, Jannis Froese wrote: > > Hi, > > I would strongly suggest to hash them a second time after appending a > > salt (the salt could even be fixed). The Server would then check the > > password by generating the hash sha1(sha1(password + salt)). > > If we don't do add a salt of any way, the passwords are not very secure, > > as unsalted Passwords are quickly decrypted using Rainbow Tables (sort > > of heavily compressed hash lookup). To see how easy this is look at > > http://freerainbowtables.com, where you can download tables for > > passwords with up to 9 characters, depending on complexibility of the > > password. > > > > Regards > > > > > > On Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat > > <[email protected]> wrote: > >> Hello, > >> > >>> Stephane do you have any idea how to handle this correctly? > >> > >> The correct way would be to see where yog checks the passwords and to > >> add a hash there. We can then apply the same hash function to the > >> password data. > >> > >> I've been looking in YOG's source code, the passwords seem to be > >> already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113 > >> > >> Therefore, it is probably safe to transmit password data. What do you > >> think? > >> > >> Stéph > >> > >> -- > >> Dr Stéphane Magnenat > >> http://stephane.magnenat.net > >> > >> _______________________________________________ > >> glob2-devel mailing list > >> [email protected] > >> https://lists.nongnu.org/mailman/listinfo/glob2-devel > > > > > > _______________________________________________ > > glob2-devel mailing list > > [email protected] > > https://lists.nongnu.org/mailman/listinfo/glob2-devel > > > _______________________________________________ > glob2-devel mailing list > [email protected] > https://lists.nongnu.org/mailman/listinfo/glob2-devel >
_______________________________________________ glob2-devel mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/glob2-devel
