Re: [SILLY QUESTION] Uncrypting passwords

From: Bryan Britt (beltane@BELTANE.COM)
Date: 08/25/98


There is no need to decrypt the passwords.  It is proper and accepted
for the imp to create a new temporary password for a forgetful player.
You are opening up a HUGE security problem there.  For example, I
typically use the same passwords for my GOD and my player char.  So if
another IMP got my PC password, he could instantly log on to my
IMPLEMENTOR char.

Or, even worse.  I know a lot of people that use the same passwords for
their MUD char as they do the shell account.  So if someone could get
their password on the MUD, they could log in to the server shell and
demolish a major internet server.

PS:  This is also why it is recommended to dedicate a machine to MUD and
IRC.  Those two services are targets for more hackers than any other
servers.

Just a gold coin or two.


Bryan Britt
Beltane Web Services


At [Tue, 25 Aug 1998 23:55:21 -0400], George <greerga@CIRCLEMUD.ORG> wrote:

> On Tue, 25 Aug 1998, Chuck Reed wrote:
>
> >I'm working on two different places right now, and I wrote some code to
> >show imps the password of any player in the game for one of them.  In my
> >transferring of the code to the second mud, the GET_PASSWD(ch) and
> >chdata.pwd return the crypted passwords.  This was not the case for the
> >first mud, but both use password encryption.  I'm guessing that since one
> >is FreeBSD and the other is Linux (redhat 4.0 i think), that the
> >encryption is a ton different.  What I'm asking is where I could find a
> >way to DEcrypt the password string.
>
> Buy yourself the DES cracking machine recently in the DES-II-2 contest and
> it'll have it done in 56 hours.  I think it's going for a bit over $50,000
> now...
>
> In other words, forget it unless you have lots of time to brute force it
> with a puny processor. :)
>
> (Of course, you _might_ get lucky with a dictionary attack...)
>
> --
> George Greer, greerga@circlemud.org | Genius may have its limitations, but
> http://mouse.van.ml.org/ (not done) | stupidity is not thus handicapped.
> http://www.van.ml.org/CircleMUD/    |                  -- Elbert Hubbard
>
>
>      +------------------------------------------------------------+
>      | Ensure that you have read the CircleMUD Mailing List FAQ:  |
>      | http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
>      +------------------------------------------------------------+

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ICQ: 386326
Bryan L. Britt                                        501-327-8558
Beltane Web Services, Conway, AR            http://www.beltane.com
~~~~~~~~~~Support Private Communications on the Internet~~~~~~~~~~
finger beltane@beltane.com  -- for PGP Public Key and Privacy Info
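
The reset-instead-of-decrypt approach recommended in the reply above, as an added example (not part of the original thread and not CircleMUD code). The record layout, function names and the use of PBKDF2 in place of the MUD's crypt() call are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are ever stored."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(record, attempt):
    """Re-hash the attempt with the stored salt; compare in constant time."""
    _, digest = hash_password(attempt, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


def admin_reset(record):
    """Implementor action: overwrite the stored hash with one for a random
    temporary password. The old password is never recovered or displayed."""
    temp = secrets.token_urlsafe(9)  # 12 URL-safe characters
    record["salt"], record["digest"] = hash_password(temp)
    record["must_change"] = True  # player must pick a new one at next login
    return temp  # handed to the player once, out of band


def player_change(record, current, new):
    """Player replaces the temporary password; requires knowing it."""
    if not check_password(record, current):
        return False
    record["salt"], record["digest"] = hash_password(new)
    record["must_change"] = False
    return True


def new_record(name, password):
    """Build a player record (hypothetical layout) holding salt and digest."""
    salt, digest = hash_password(password)
    return {"name": name, "salt": salt, "digest": digest, "must_change": False}
```

The implementor only ever sees the temporary password they issued, so a password the player reuses on another character or a shell account is not exposed.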


This archive was generated by hypermail 2b30 : 12/15/00 PST