Topic: Hide the password
Vassili Topic Opener |
Posted at: 2016-07-30, 23:55
If somebody is stupid enough to use the same password for these different utilities, with two third-party entities... he deserves to be hacked :p
GunChleoc |
Posted at: 2016-07-31, 09:36
The problem is that people use computers without having been taught how to, and not all the people who are expected to teach it have gotten proper training... And if I had a separate password for every single account like I should, they would fill a book by now. Who can remember 100 passwords?
SirVer |
Posted at: 2016-08-04, 11:47
I agree, but it needs to be done right. Doing encryption wrong is very easy - and once you did, it will take a while until people notice, but the damage is done. Case in point: https://dgl.cx/2014/10/vim-blowfish.
base64 is an encoding; I am not aware of an encryption scheme that builds on that. I think not having any encryption and pointing this out prominently (as I think we do) is better than rolling a weak scheme and giving users the feeling of security - without guarantees. Should we roll security, it needs to be done properly, building on a well-established crypto library. It also needs to be open, available on all systems we run on and not export restricted. I think there are now a couple of libraries that tick all these boxes, but I'd much prefer some experienced crypto hacker took this on than somebody rolling this as her starter project on the code. Just my 2c of course.
Vassili Topic Opener |
Posted at: 2016-08-04, 12:01
To get back to the base topic, I do not think a password for Widelands needs a special level of encryption to be sent to your server; losing your account will not be dramatic, and we can discuss it with you in that case. I just ask to NOT show the characters, only dots/stars.
kaputtnik |
Posted at: 2016-08-07, 21:11
I've never seen any password on the metaserver, but I am not often in there. So hiding the password as Vassili suggests is a good workaround... IMHO
SirVer |
Posted at: 2016-08-07, 22:00
Hiding the password gives the impression that the password is somehow secured - I think it is correct to show it, because it is not secure in any way. To hide the password on stream as Vassili requires is already possible: start Widelands -> Multiplayer -> next to Internet game click on "Show login dialog" -> fill in your data and check the box "Automatically use this login information from now on". This saves the data into
GunChleoc |
Posted at: 2016-08-07, 22:36
Also, I just remembered that you can play without logging in. Since there is no player ranking list anywhere, it doesn't make much of a difference.
freem |
Posted at: 2016-08-09, 11:54
Hiding the password on screen IS security. But it is NOT meant to counter attackers who have access to the hard disk, network or RAM. It's against people who can only access the screen. And using a constant number of stars or dots is the weakest way to do that: an attacker can always build a script to brute force, and knowing the exact number of characters reduces the time a lot. Note that I don't say that it's a bad solution: it depends on what there is to protect. About streaming, why not simply start the stream after having logged in to the game? This would solve that particular issue, but not the one of people with enough time to sneak behind you when you are starting a Widelands game
GunChleoc |
Posted at: 2016-08-09, 18:01
We could of course also remove the login - problem solved. People will then be able to "hijack" your username though.
freem |
Posted at: 2016-08-09, 19:02
Heh, true :) But I don't get why you said that?