Re: [Senseless Drivel] password encryption from "George" at Sep 10, 98 03:07:56 pm

From: Andrew Helm (ashe@IGLOU.COM)
Date: 09/10/98

On Thu, 10 Sep 1998, George wrote:
>I have yet to hear a good reason that requires seeing the character's real
>password in the file.

There is none unless you count the Just Because I Want To reason.
There isn't much of a reason to encrypt the passwords either.

[snip domain name stuff and some good points on bad points]
>And of course, the 'strings' program makes a very good point _for_ crypt.

If the baddie has access to your pfile yer kinda screwed anyways. :)
Unlike people with UNIX shell access, CircleMUD players can't hack
the MUD from inside to download the passwords. They would have to
hack the system your mud runs on, and in that case they could easily use
mudpasswd to get whatever access they wanted regardless of password.

Has there been a single instance of player password encryption/lack of
encryption making a difference? I kinda doubt it.

>I'm not so much against not using crypt().  What I am against is the people
>who say, "oh, there are many valid reasons to want the real password," and
>then either give a half-assed idea which works just fine with crypt()'ing
>them (or other better methods) or don't give a reason at all.

I don't see where the controversy on this issue is either. It seems to
be mostly a matter of opinion.

I was a bit surprised to find that some people thought their passwords
should be private from the mud's implementor, though.

>BTW, be careful with bpl15, it's going to break pfile and rent file

Will you be marking the pfile with a version number? It would
make playerfile conversions much easier.

This archive was generated by hypermail 2b30 : 12/15/00 PST