Date: 04/22/95

> I have to agree with you on this jeremy. I was keeping my players 
> passwords as text and all I got was complaints from my players saying 
> that if I didn't change it they would not play.

Well, I'm not going to even tell my players -- but I have no choice to 
keep them in text, as the crypt() here is absolutely brain-dead and I 
think my players would rather me be able to see their passwords instead 
of not being able to relogin.  I also have a use for passwords and pfiles 
in text.  I can use it to rid of players that have more than 2 players 
(yea, I allow a person to have two chars) using the same pwd.  Sure, it's 
completely POSSIBLE that two seperate people would be using the same 
password, but you don't find 4 seperate people using "yggdrasil" (Yes, 8 
multis) as their password.

Anyway, this is ridiculous.  Everyones complaining about crypt() being a 
security risk... Well, any decent hacker that can get into the shell and 
use the mudpasswd.c (whatever), modified of course, to change anyones 
password in the game without knowing it.  Not to mention purgeplay.  Yes, 
it's entirely possible that in a text file the same hacker can set up his 
level, play arond with things, but you can easily change that back and 
site ban provided it's straight ASCII.  What are you going to do in the 
other case?  Purge the entire player file because a person changed a 
password or used a modified purgeplay to set the delete flag on anyone 
they want....  REALLY safe there.

This archive was generated by hypermail 2b30 : 12/07/00 PST