BEWARE: New untrusted server launch

Alecs

SPQR
Staff member
Super Moderator
Jan 10, 2009
2,295
500
175
Europa
Some time ago we learned that the owner of a Mir 3 server called Dragons used his player credentials to log into dozens of accounts on DarkSide server.

This wasn't reported to us. By the time we found out about it, the server was practically dead and the owner was inactive in the forums. We took down his old advert and set him as untrusted.

He's back now with a server called Dragons: The Age Of The Goods (¯\_(ツ)_/¯). He's obviously not allowed to advertise here but they always find a way to let everyone know they have a new server.

We can't stop anyone from playing, but we suggest you find a better server and, no matter where you play, please DO NOT USE THE SAME USER/PASSWORD. Use a password manager or even a password-protected spreadsheet to store all your server credentials if you can't remember them all.
 
Legend Of Mir 3 HispaRed

LightBringer

Mir2 Server Under Development!
Supporter
Loyal Member
Feb 13, 2014
2,634
676
145
But I want to be part of the Age of the Goods.
 

Alecs

This guy is back at it but we can't do anything else than tell you to use different usernames and passwords for every server. Also make sure you don't use the same recovery questions/answers or they will be able to reset your password.
 

IHaveALongName

The Last Chapter C# Mir
Supporter
Dedicated Member
Sep 8, 2012
1,332
55
90
Qatar
> This guy is back at it but we can't do anything else than tell you to use different usernames and passwords for every server. Also make sure you don't use the same recovery questions/answers or they will be able to reset your password.
thelastchapter-mir-ii.104737/#post-1155368







#MOH_FTW
 


mrgreaper

LOMCN Supporter
Supporter
Dedicated Member
Jan 16, 2006
354
114
75
When testing the crystal server code I was surprised by the fact we can see passwords. I understand that without the email functionality of zircon there's no way to recover, so that's one reason we can see them, but there has to be a better way? If only we could authenticate with discord or similar.
 

Alecs

> When testing the crystal server code I was surprised by the fact we can see passwords. I understand that without the email functionality of zircon there's no way to recover, so that's one reason we can see them, but there has to be a better way? If only we could authenticate with discord or similar.

I've said a hundred times that passwords must always be hashed. Always, no matter what. Database leaks happen and if passwords are stored in plain text... you can imagine the outcome.
 

mrgreaper

> I've said a hundred times that passwords must always be hashed. Always, no matter what. Database leaks happen and if passwords are stored in plain text... you can imagine the outcome.

Is there a guide for doing it with the crystal files?
It honestly, not joking, makes me uncomfortable when I click accounts and see people's passwords and know they are not stored securely... and this is just on a server that's not live yet.

@Far have you thought about importing zircon's account management into crystal's? Or adding a connected account management system (facebook? google?) I honestly would not know where to start, but if it's embedded into the default files it would become less of an issue?
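
An added example, not part of the thread and not Crystal's own code: one way a server could store a salted PBKDF2 hash instead of the password and convert existing plaintext rows at the next successful login, which covers the leaked-database case raised above. It assumes .NET 6 or later; `PasswordStore`, the `$`-separated record format and the iteration count are hypothetical choices for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper: class name, record format and work factor are assumptions.
static class PasswordStore
{
    const string Tag = "pbkdf2-sha256";
    const int Iterations = 600_000;          // tune to the login latency you can afford
    // Returns "pbkdf2-sha256$<iterations>$<salt>$<hash>" to store instead of the password.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);   // fresh random salt per account
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, 32);
        return string.Join("$", Tag, Iterations,
                           Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    public static bool Verify(string password, string stored)
    {
        string[] p = stored.Split('$');
        if (p.Length != 4 || p[0] != Tag || !int.TryParse(p[1], out int n) || n <= 0)
            return false;
        byte[] salt = Convert.FromBase64String(p[2]);
        byte[] want = Convert.FromBase64String(p[3]);
        byte[] got = Rfc2898DeriveBytes.Pbkdf2(password, salt, n,
                                               HashAlgorithmName.SHA256, want.Length);
        return CryptographicOperations.FixedTimeEquals(got, want);   // constant-time compare
    }

    // Login that converts a legacy plaintext row to a hash the first time it is used.
    public static bool Login(string password, ref string stored)
    {
        if (stored.StartsWith(Tag + "$", StringComparison.Ordinal))
            return Verify(password, stored);
        bool ok = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(password), Encoding.UTF8.GetBytes(stored));
        if (ok) stored = Hash(password);      // plaintext is overwritten on success
        return ok;
    }

    static void Main()
    {
        string row = "hunter2";              // constructed legacy plaintext value
        Console.WriteLine(Login("hunter2", ref row));   // legacy match, row upgraded
        Console.WriteLine(row);                          // now a salted hash record
        Console.WriteLine(Login("wrong", ref row));     // checked against the hash
    }
}
```

This protects the stored data if the database leaks; it does not protect players from an operator who changes the server code, so a unique password per server still matters.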
 

Far

tsniffer
Developer
May 19, 2003
17,394
602
351
  • Most Helpful 2019
  • Most Popular 2018
  • Most Helpful 2018
  • Most Helpful 2017
  • Most Helpful 2015
  • Most Popular 2015
What would be the point in hashing passwords in crystal?

It's open source. You host a server. Change your own code to not hash the passwords.

Now you have people's passwords again.


TheOnlyOne

Coming Soon
Oct 6, 2017
985
58
50
New DarkZone Coming
> What would be the point in hashing passwords in crystal?
>
> It's open source. You host a server. Change your own code to not hash the passwords.
>
> Now you have people's passwords again.

He meant, if you can add it to the original source, so that any person who opens a server does not see passwords, then they can't use them in another place to hack players etc...
 

mrgreaper

> What would be the point in hashing passwords in crystal?
>
> It's open source. You host a server. Change your own code to not hash the passwords.
>
> Now you have people's passwords again.

If it was in the public source code with the passwords hashed it would stop opportunists. Also protect users from admin error or leaks.
I mean sure you can change the code to see the password but it would at least help some?
 

Far

So you're expecting a dishonest person to be honest and not change their source to see passwords they'll use.

That's just not logical.

Encrypting the db or hashing passwords would only help if your files got stolen. Aside from that it would be useless to add to the source.

 

mrgreaper

> So you're expecting a dishonest person to be honest and not change their source to see passwords they'll use.
>
> That's just not logical.
>
> Encrypting the db or hashing passwords would only help if your files got stolen. Aside from that it would be useless to add to the source.

Well, I am also thinking that people who may not have the skill to change the code back would be thwarted by the source being updated to have the passwords encrypted.
 

IceMan

LOMCN Supporter
Supporter
Legendary
Apr 17, 2003
8,023
181
231
Michigan,Usa
  • Most Friendly 2011
> you guys still not understand me and you will not use our players pass or try hack them
>
> but few server owners did this before and we know good who was them so for this things should we all not see our players pass etc....

You don't get it, anyone with an open code set can change it to read the info. If you write your own way to stop it no one will know. Far is saying
 

TheOnlyOne

> You don't get it, anyone with an open code set can change it to read the info. If you write your own way to stop it no one will know. Far is saying

Bro, I know what Far means and know well what he is saying,

but I mean for all newcomer server owners, and we saw this last year, 2 or 3 people did that and other people came and fought us over that, so why not put this into the original source and make it hard for normal people to change the code back