Complete.Org: Mailing Lists: Archives: freeciv-dev: July 2005:
[Freeciv-Dev] Re: Auth and gamelog reporting rewrite

To: Per Inge Mathisen <per@xxxxxxxxxxx>
Cc: freeciv-dev@xxxxxxxxxxx
Subject: [Freeciv-Dev] Re: Auth and gamelog reporting rewrite
From: Vasco Alexandre Da Silva Costa <vasc@xxxxxxxxxxxxxx>
Date: Sun, 24 Jul 2005 21:04:09 +0100 (WET DST)

On Sun, 24 Jul 2005, Per Inge Mathisen wrote:
> I do not see the big deal in using md5 to store passwords, as is currently
> done on pubserver. I would rather have the possibility to send players
> their passwords on request by email. For security purposes, sending
> passwords in cleartext over the network is the threat.

This adds no security. Regular e-mail is not any more secure than any
other plain-text communication method. Quite the contrary in fact.

Other apps use the request by email method mostly to defend against
one person having several accounts. It is quite feeble a method to prevent
that too, what with free e-mail being available from several providers.

If you want real authentication, you would want to use public key
authentication. The keys could be generated the first time the client or
server bootstraps. Just like SSH does...

Storing the passwords using MD5 server side is just to make it harder for
someone who hacks into pubserver to know everyone's password.

I would stick with easy first. You can add public key authentication
later.

> My pubserver rewrite-in-progress is (and will be further) documented at
> http://www.freeciv.org/index.php/Publite

To me, this is all part of metaserver functionality (this is a server of
civservers you are writing here).

---
Vasco Alexandre da Silva Costa @ Instituto Superior Tecnico, Lisboa
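
The server-side storage point discussed in this message, as an added example that is not part of the original e-mail or of Freeciv's code: it contrasts an unsalted MD5 record with a per-user salted PBKDF2 record and shows what a stolen table reveals in each case. The function names, the sample accounts, the work factor and the choice of PBKDF2 as the comparison scheme are assumptions of this example; with either scheme the server can check a password but cannot mail the original back, only reset it.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def md5_record(password: str) -> str:
    """Unsalted MD5 hex digest: the storage scheme the thread describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_record(password), stored)


def pbkdf2_record(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus a slow KDF, stored as 'salt$hash' in hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def pbkdf2_verify(password: str, stored: str) -> bool:
    # Re-derive with the salt kept in the record, then compare in constant time.
    salt_hex, _, _ = stored.partition("$")
    candidate = pbkdf2_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def shared_password_groups(table: dict[str, str]) -> list[list[str]]:
    """What a stolen table reveals: accounts whose stored values are identical."""
    by_value: dict[str, list[str]] = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


# Constructed sample accounts; two players chose the same password.
ACCOUNTS = {"alice": "settlers", "bob": "settlers", "carol": "caravan77"}

if __name__ == "__main__":
    md5_table = {u: md5_record(p) for u, p in ACCOUNTS.items()}
    kdf_table = {u: pbkdf2_record(p) for u, p in ACCOUNTS.items()}
    print("md5 groups:", shared_password_groups(md5_table))
    print("kdf groups:", shared_password_groups(kdf_table))
    print("login ok:", pbkdf2_verify("settlers", kdf_table["alice"]))
```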



