Poll: Should auth plugins store passwords in encrypted form?

Comments in 'General Discussion' started by PEMapModder, Feb 23, 2015.

Should passwords be encrypted?

  1. No. I want to steal passwords. (6.3%)
  2. Yes, but they should be encrypted in a way that I can decrypt them without brute-force. (12.5%)
  3. Yes, but they should be encrypted in a way such that we can't decrypt it without brute-force. (81.3%)
  1. PEMapModder
    Offline

    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,306
    Plugins:
    11
    Minecraft User:
    PEMapModder
    Personally I agree with how they monopolize auth plugins such that the only auth plugin is SimpleAuth, and it uses a quite secure method to hash passwords before saving (adding salt, encrypting with Whirlpool and SHA-512, and combining them).
    Some say that passwords should be saved in plaintext because that makes it easier for owners to replace passwords for players. But actually, you can just replace the hash with the correct one. It is easy to get the hash. (There will be a hash page on http://PEMapModder.zapto.org/SimpleAuthHash.PHP soon.)
    Then some say that when players forget their passwords, owners can get the password and send it to the players. But how can the owner confirm that it is the old player? What if he accidentally leaked the password to someone who is just an impostor? We must not exclude the possibility that this kind of stupid owner exists (no offense if that's you). Moreover, look at all those popular websites with the "forgot password" button. They just ask you to set a new password, not send you the old one.
    One never feels comfortable if he knows another person knows his password. Personally, only my parents know my password.
    And then, some may say that players should trust the owners, but I highly doubt so. There are new servers every day, and apparently players join them. These new servers may be made by people who are in the Minecraft community for the first time. (If you need proof, go to the MCPE Servers section on minecraftforum.net.) How can players trust an owner they are seeing for the first time? If they have to trust him/her to join, these servers will never have players. Even if the players use a new password there, you can't expect players to memorize a new password for each server. They would generally use the same password on most, if not all, servers. Then it is equally important to secure their passwords, whether they are real passwords or not.
    The community joins servers based on their faith that servers won't read their passwords. And an important factor in such faith is how SimpleAuth is monopolized (maybe this is a negative word, but I am using its good meaning): a lot know that only SimpleAuth is used by most servers (as you know, writing an auth plugin requires something more than basic programming skills). Then they feel comfortable since most servers won't get their passwords.

    What are your opinions?
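A worked version of the hash-and-replace approach argued in the post above, added here as an example rather than taken from SimpleAuth or from the poster. It uses bcrypt via PHP's built-in password_hash() (PHP 7.1 or later for the type hints) in place of the Whirlpool/SHA-512 combination described; the cost value and the sample account store are assumptions.

```php
<?php
// Added example, not SimpleAuth's own code. It shows the stance argued in
// the post: store only a salted hash, verify against it, and let the owner
// replace a forgotten password without ever reading the old one.
// It uses bcrypt via PHP's password_hash() instead of SimpleAuth's
// Whirlpool/SHA-512 scheme. The cost value (12) is an assumption.
declare(strict_types=1);

// Produce a storable hash. password_hash() draws a fresh random salt for
// every call and embeds salt and cost in the output string, so the plugin
// never has to manage salts itself. bcrypt is deliberately slow: cost 12
// means 2^12 rounds, which makes offline brute-force of a stolen table
// expensive. Raise the cost as the server's hardware allows.
function hashPassword(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Check a login attempt. password_verify() reads salt and cost back out of
// the stored string and compares in constant time.
function checkPassword(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// Owner-side reset: the "forgot password" flow replaces the hash with one
// for a new password, as websites do, instead of revealing the old one.
function resetPassword(array &$accounts, string $player, string $newPassword): void {
    $accounts[$player] = hashPassword($newPassword);
}

// Constructed sample account store: player name => hash.
$accounts = [];
$accounts['Steve'] = hashPassword('hunter2');

// The correct password verifies; a wrong one does not.
var_dump(checkPassword('hunter2', $accounts['Steve']));
var_dump(checkPassword('hunter3', $accounts['Steve']));

// A second player with the same password gets a different hash, because
// each call draws its own salt; shared passwords are not visible in the table.
$accounts['Alex'] = hashPassword('hunter2');
var_dump($accounts['Steve'] === $accounts['Alex']);

// Reset Steve's password: the old one stops working, the new one works.
resetPassword($accounts, 'Steve', 'correct horse battery');
var_dump(checkPassword('hunter2', $accounts['Steve']));
var_dump(checkPassword('correct horse battery', $accounts['Steve']));
```

Note that the stored string starts with `$2y$12$`, so the cost is recorded per hash and can be raised later without breaking existing accounts.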
  2. PEMapModder
    Offline

    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,306
    Plugins:
    11
    Minecraft User:
    PEMapModder
    Also, thanks to @shoghicp for supporting the hash stance and making SimpleAuth like that. The community would have been different without your decision!
    iksaku likes this.
  3. MegaSamNinja
    Offline

    MegaSamNinja Active Member

    Joined:
    Sep 13, 2013
    Posts:
    138
    Minecraft User:
    Bamuel
    I agree with @PEMapModder because then other servers will know my password and can get access to my server and stir crap up.

    So :cool: good job @shoghicp on SimpleAuth that it's nearly impossible to decrypt the hash.
    PEMapModder likes this.
  4. Lambo
    Offline

    Lambo Notable Member Plugin Developer

    Joined:
    Sep 14, 2013
    Posts:
    431
    Plugins:
    4
    Minecraft User:
    Lambo
    Players should watch out for servers using a non-official/modified auth plugin; owners might just be looking to steal passwords and log in on servers like LBSG, LegionPE, etc.
    Thankfully, most servers use the default version of SimpleAuth.
    iksaku and PEMapModder like this.
  5. iJoshuaHD
    Offline

    iJoshuaHD Notable Member Plugin Developer

    Joined:
    Nov 7, 2013
    Posts:
    1,196
    Plugins:
    4
    Minecraft User:
    iJoshuaHD
    Some server owners CAN still modify the SimpleAuth hash mechanism by modifying it to show the unhashed version. No one is safe from server owners like this.
    LDX and iksaku like this.
  6. PEMapModder
    Offline

    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,306
    Plugins:
    11
    Minecraft User:
    PEMapModder
    If they use the MySQL data provider, it is not so easy :p
  7. xFlare
    Offline

    xFlare Active Member Plugin Developer

    Joined:
    Sep 28, 2014
    Posts:
    199
    Plugins:
    1
    Minecraft User:
    xFlare
    There are too many "insufficient" server owners that give op for 25 cents... If owners see players' passwords, it can let them do all sorts of bad stuff.

    Most players use the same password on each server. Also, then we can have owners threatening to share passwords as well. In conclusion, if you want to see player passwords, you should make your own auth plugin. My auth plugin hashes passwords based off a key and half of their username.
    PEMapModder likes this.
  8. PEMapModder
    Offline

    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,306
    Plugins:
    11
    Minecraft User:
    PEMapModder
    Oh also, LegionPE saves passwords in hashed form, almost as secure as SimpleAuth. And as far as I have heard, Lifeboat saves hashes in MD5, which is easier to break but still won't get read easily or accidentally.
  9. iJoshuaHD
    Offline

    iJoshuaHD Notable Member Plugin Developer

    Joined:
    Nov 7, 2013
    Posts:
    1,196
    Plugins:
    4
    Minecraft User:
    iJoshuaHD
    The most complicated hashing method I've seen so far is phpBB's.
    PEMapModder likes this.
  10. PEMapModder
    Offline

    PEMapModder Notable Member Plugin Developer

    Joined:
    Oct 9, 2013
    Posts:
    7,306
    Plugins:
    11
    Minecraft User:
    PEMapModder
    But finally, still vulnerable to brute-force. Correct?
  11. iJoshuaHD
    Offline

    iJoshuaHD Notable Member Plugin Developer

    Joined:
    Nov 7, 2013
    Posts:
    1,196
    Plugins:
    4
    Minecraft User:
    iJoshuaHD
    Not really sure.
  12. Lambo
    Offline

    Lambo Notable Member Plugin Developer

    Joined:
    Sep 14, 2013
    Posts:
    431
    Plugins:
    4
    Minecraft User:
    Lambo
    I think MD5 is more popular.
  13. Lambo
    Offline

    Lambo Notable Member Plugin Developer

    Joined:
    Sep 14, 2013
    Posts:
    431
    Plugins:
    4
    Minecraft User:
    Lambo
    If you can easily decrypt your passwords, then you're doing it wrong.
    Also, making a command to change passwords wouldn't be very safe. If anyone got access to the account of an op, it would be over.
  14. Gamecrafter
    Offline

    Gamecrafter Notable Member Plugin Developer

    Joined:
    Nov 20, 2014
    Posts:
    978
    Plugins:
    9
    Yes, anything can be bypassed with brute-force attacks.
  15. iJoshuaHD
    Offline

    iJoshuaHD Notable Member Plugin Developer

    Joined:
    Nov 7, 2013
    Posts:
    1,196
    Plugins:
    4
    Minecraft User:
    iJoshuaHD
    Then it's their fault for being irresponsible ops...
    PEMapModder and iksaku like this.
  16. xiaoq
    Offline

    xiaoq Active Member

    Joined:
    Dec 23, 2014
    Posts:
    232
    Minecraft User:
    xiaoq
    My idea is that the password will be hashed, but the owner can change their password in the console.