From: DragonMUD [ 4000] [ 4000 (
Date: 04/22/95

I can see where this is going. I think we should all stop now before this 
turns into a large-scale war (like the one I unknowingly caused earlier).

		- David 'Dave' Berthiaume of DragonMUD [ 4000]
------------------------------------------------------------------------------

On Sat, 22 Apr 1995, Spawn@KrimsonMud wrote:

> > I have to agree with you on this, Jeremy. I was keeping my players' 
> > passwords as text and all I got was complaints from my players saying 
> > that if I didn't change it they would not play.
> > 
> Well, I'm not going to even tell my players -- but I have no choice to 
> keep them in text, as the crypt() here is absolutely brain-dead and I 
> think my players would rather me be able to see their passwords instead 
> of not being able to relogin.  I also have a use for passwords and pfiles 
> in text.  I can use it to get rid of players that have more than 2 players 
> (yea, I allow a person to have two chars) using the same pwd.  Sure, it's 
> completely POSSIBLE that two separate people would be using the same 
> password, but you don't find 4 separate people using "yggdrasil" (Yes, 8 
> multis) as their password.
> Anyway, this is ridiculous.  Everyone's complaining about crypt() being a 
> security risk... Well, any decent hacker that can get into the shell and 
> use the mudpasswd.c (whatever), modified of course, to change anyone's 
> password in the game without knowing it.  Not to mention purgeplay.  Yes, 
> it's entirely possible that in a text file the same hacker can set up his 
> level, play around with things, but you can easily change that back and 
> site ban provided it's straight ASCII.  What are you going to do in the 
> other case?  Purge the entire player file because a person changed a 
> password or used a modified purgeplay to set the delete flag on anyone 
> they want....  REALLY safe there.
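
An added example, not part of the original thread or of any MUD codebase: the shared-password check for multi-character players described in the quoted message can be run at login, when the typed password is briefly in memory, so the player file only needs salted hashes. The record layout, the function names, the same-host restriction and the use of PBKDF2 in place of crypt() are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest); only these are written to the player file."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


def shared_password_chars(players, name, password):
    """At login, list other characters from the same host whose stored
    hash also matches the password just typed."""
    me = players[name]
    if not verify(password, me):
        return []  # failed login: report nothing
    return sorted(
        other for other, rec in players.items()
        if other != name and rec["host"] == me["host"] and verify(password, rec)
    )


def build_sample_players():
    """Constructed player file: names, hosts and passwords are made up."""
    rows = [
        ("Odin", "dialup1.example.net", "yggdrasil"),
        ("Thor", "dialup1.example.net", "yggdrasil"),
        ("Loki", "dialup1.example.net", "yggdrasil"),
        ("Freya", "dialup1.example.net", "yggdrasil"),
        ("Baldur", "dialup1.example.net", "mjolnir"),
        ("Tyr", "campus.example.org", "yggdrasil"),
    ]
    players = {}
    for name, host, password in rows:
        salt, digest = hash_password(password)
        players[name] = {"host": host, "salt": salt, "digest": digest}
    return players


if __name__ == "__main__":
    print(shared_password_chars(build_sample_players(), "Odin", "yggdrasil"))
```

Because every record has its own salt, identical passwords produce different digests on disk, so the match can only be found while a player is logging in.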

This archive was generated by hypermail 2b30 : 12/07/00 PST