Re: CRYPT

From: Andy Davidoff (dert@concrete.resnet.upenn.edu)
Date: 05/05/95


theres enuf ass-kissin goin on in this list to make _my_ cheeks red, and 
fer once it aint even my ass... this is the last fuel i'm offering this 
subject.

> I can see where this is going, I think we should all stop now before this 
> turns into a large scale war (like the one I unknowingly caused earlier)
> > > I have to agree with you on this Jeremy. I was keeping my players' 
> > > passwords as text and all I got was complaints from my players saying 
> > > that if I didn't change it they would not play.
> > Well, I'm not going to even tell my players -- but I have no choice but to 
> > keep them in text, as the crypt() here is absolutely brain-dead and I 
> > think my players would rather me be able to see their passwords instead 
> > of not being able to relogin.  I also have a use for passwords and pfiles 
> > in text.  I can use it to get rid of players that have more than 2 players 
> > (yea, I allow a person to have two chars) using the same pwd.  Sure, it's 
> > completely POSSIBLE that two separate people would be using the same 
> > password, but you don't find 4 separate people using "yggdrasil" (Yes, 8 
> > multis) as their password.
> > Anyway, this is ridiculous.  Everyone's complaining about crypt() being a 
> > security risk... Well, any decent hacker that can get into the shell and 
> > use the mudpasswd.c (whatever), modified of course, to change anyone's 
> > password in the game without knowing it.  Not to mention purgeplay.  Yes, 
> > it's entirely possible that in a text file the same hacker can set up his 
> > level, play around with things, but you can easily change that back and 
> > site ban provided it's straight ASCII.  What are you going to do in the 
> > other case?  Purge the entire player file because a person changed a 
> > password or used a modified purgeplay to set the delete flag on anyone 
> > they want....  REALLY safe there.

from my point of view, it certainly aint an issue of ethics; i'm an
asshole. it certainly aint an issue of security; crypt is the least of
your problems. it's an issue of power, and if having access to the
passwords of the players will help the mud, then i'm gonna code it. i
_haven't_ coded it, and i doubt i will. if i ever felt that multi-playing
was a problem, etc. i wouldn't hesitate to write in a few lines to let me
in on the secret. this is an issue as old as security itself, no reason 
to start a flamewar over it, newsgroups exist for this very purpose.


