Re: [Senseless Drivel] CODER NEEDEd

From: George (greerga@CIRCLEMUD.ORG)
Date: 09/10/98


On Thu, 10 Sep 1998, Mark A. Heilpern wrote:

>At 11:20 AM 9/9/98 -0700, you wrote:
>>ObPreviousMessageFromList: I'm sorry if I offended any of you by saying
>>that you were trying to hack into ppls accounts, but there is no good
>>valid reason for wanting someone's password.
>
>Although I happen to agree with you on this, others have presented some
>reasonable arguments to the contrary. This is a matter of opinion, not
>fact, and there is no right answer.

I have yet to hear a good reason that requires seeing the character's real
password in the file.

>Where can you get a free domain name?

ml.org, but you're limited to a free hostname unless you have two permanent
internet connected machines for zone transfers.

I have the full domain *.van.ml.org so I can put whatever I want in the
nameserver records.

>effort to double check spelling and verbage. Furthermore, I don't believe

verbiage

-=-=-=-=-=-
The reasons I found in the mailing list archive:

#1:
>B) A good way to use this is that people often have more than one
>character.  I log and keep in a file the last 5 passwords a character has
>used.  This makes validating players who have honestly lost passwords
>easier.  For instance, you can ask them some things they have used before,
>you can check their other character's pwords against this char's and see
>if any match, this usually tells you it's the same guy.  -- Chuck Reed

So you ask them what password they previously used, encrypt what they give
you, and compare to the previously saved passwords.  Then you'll
immediately know if they're right and won't have to worry about 1/l 0/O.
They'll be giving away one password of course, but not all five.

#3
>b) I use it for finding multi-players from different IPs
>c) it's helpful for when people claim they forgot their password, 'cause if
>the passwords are similar, it's most likely their char -- Chuck Reed

b) So compare the crypted passwords, they'll be the same too.
c) Have other authentication methods available, such as mother's maiden
name, or an e-mail address to mail a new password to.  I can get a
'similar' password by watching the person type it on the keyboard in a
computer lab.

#4
>Transferring passwords between operating systems. -- Paraphrase

This is the only remotely valid point that could be made.  However, with
binary pfiles you could have endian and/or variable size problems that
cause it to fail anyway.  The safest way to do it would be ASCII pfiles
anyway (or change your crypt() function MD5/DES to be the same as what
you used to have in the case of FreeBSD).


And of course, the 'strings' program makes a very good point _for_ crypt.

I'm not so much against not using crypt().  What I am against is the people
who say, "oh, there are many valid reasons to want the real password," and
then either give a half-assed idea which works just fine with crypt()'ing
them (or other better methods) or don't give a reason at all.

BTW, be careful with bpl15, it's going to break pfile and rent file
compatibility.

--
George Greer, greerga@circlemud.org | Genius may have its limitations, but
http://mouse.van.ml.org/            | stupidity is not thus handicapped.
http://www.van.ml.org/CircleMUD/    |                  -- Elbert Hubbard
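
The check described in the reply to reason #1 (hash what the player claims and compare it against the saved history) can be sketched as follows. This is an added example, not code from the message or from CircleMUD: it is written in Python, uses PBKDF2 from hashlib as a stand-in for crypt(), and the class name, method names and sample passwords are all hypothetical.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_SIZE = 5      # "the last 5 passwords", as in quoted reason #1
ITERATIONS = 50_000   # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way salted hash; stands in for the crypt() call discussed above."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Keeps only (salt, hash) pairs for a character's recent passwords."""

    def __init__(self):
        self.entries = deque(maxlen=HISTORY_SIZE)  # oldest entry drops off

    def record(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per stored password
        self.entries.append((salt, hash_password(password, salt)))

    def matches_previous(self, claimed: str) -> bool:
        """Hash the claimed password with each stored salt and compare."""
        found = False
        for salt, stored in self.entries:
            # compare_digest does a constant-time comparison of the hashes
            if hmac.compare_digest(hash_password(claimed, salt), stored):
                found = True
        return found

    def serialized(self) -> bytes:
        """What would be written to the player file: hex salts and hashes only."""
        return b"\n".join(
            salt.hex().encode() + b"$" + digest.hex().encode()
            for salt, digest in self.entries
        )


if __name__ == "__main__":
    history = PasswordHistory()
    for pw in ["dragon1", "sw0rdfish", "elf0O1l"]:  # constructed sample passwords
        history.record(pw)
    print(history.matches_previous("sw0rdfish"))  # exact previous password
    print(history.matches_previous("elfOO1l"))    # 0/O mix-up is simply a miss
    print(b"sw0rdfish" in history.serialized())   # nothing for 'strings' to find
```

The administrator learns only whether the claimed password matches one of the saved entries; the other entries stay unreadable, and a 1/l or 0/O mix-up shows up as a plain mismatch instead of a judgement call.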

