Warning: New untrusted server launch

smoochy boys on tour

Alecs

Some time ago we learned that the owner of a Mir 3 server called Dragons used his player credentials to log into dozens of accounts on DarkSide server.

This wasn't reported to us. By the time we found out about it the server was practically dead and the owner was inactive in the forums. We took down his old advert and set him as untrusted.

He's back now with a server called Dragons: The Age Of The Goods (¯\_(ツ)_/¯). He's obviously not allowed to advertise here but they always find a way to let everyone know they have a new server.

We can't stop anyone from playing but we suggest you find a better server and, no matter where you play, please DO NOT USE THE SAME USER/PASSWORD. Use a password manager or even a password-protected spreadsheet to store all your server credentials if you can't remember them all.
 

Alecs

This guy is back at it but we can't do anything else than tell you to use different usernames and passwords for every server. Also make sure you don't use the same recovery questions/answers or they will be able to reset your password.
 

IHaveALongName

> This guy is back at it but we can't do anything else than tell you to use different usernames and passwords for every server. Also make sure you don't use the same recovery questions/answers or they will be able to reset your password.

thelastchapter-mir-ii.104737/#post-1155368



mrgreaper

When testing the Crystal server code I was surprised by the fact we can see passwords. I understand that without the email functionality of Zircon there's no way to recover, so that's one reason we can see them, but there has to be a better way? If only we could authenticate with Discord or similar.
 

Alecs

> When testing the Crystal server code I was surprised by the fact we can see passwords. I understand that without the email functionality of Zircon there's no way to recover, so that's one reason we can see them, but there has to be a better way? If only we could authenticate with Discord or similar.

I've said a hundred times that passwords must be always hashed. Always, no matter what. Database leaks happen and if passwords are stored in plain text... you can imagine the outcome.
 

mrgreaper

> I've said a hundred times that passwords must be always hashed. Always, no matter what. Database leaks happen and if passwords are stored in plain text... you can imagine the outcome.

Is there a guide for doing it with the Crystal files?
It honestly, not joking, makes me uncomfortable when I click accounts and see people's passwords and know they are not stored securely.... and this is just on a server that's not live yet.

@Far have you thought about importing Zircon's account management into Crystal's? Or adding a connected account management system (Facebook? Google?) I honestly would not know where to start, but if it's embedded into the default files it would become less of an issue?
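
Added example, not part of the thread and not Crystal or Zircon code: a Python sketch of what the posts above ask for, replacing a plaintext password column with a salted, slow hash and checking logins against it. The account layout, field names and function names are hypothetical, and the sample accounts are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; an assumed value, tune per host

# Constructed sample of an account table that still holds plaintext passwords.
SAMPLE_ACCOUNTS = {
    "player_one": {"password": "correct horse"},
    "player_two": {"password": "Dragon$layer99"},
}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iterations, salt_hex, _digest = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):  # malformed or corrupted row
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


def migrate_plaintext(accounts):
    """Hash every row that still has a plaintext 'password' field; return the count."""
    migrated = 0
    for row in accounts.values():
        if "password" in row:
            row["password_hash"] = hash_password(row.pop("password"))
            migrated += 1
    return migrated


def login(accounts, account_id, password):
    """Check a login against the hashed store; unknown or unmigrated rows fail."""
    row = accounts.get(account_id)
    if row is None or "password_hash" not in row:
        return False
    return verify_password(password, row["password_hash"])
```

After migration the database and any accounts view hold only salts and digests, so a leaked or browsed table no longer yields passwords. The server process still receives the password at login, so this does nothing against an operator who edits the code.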
 

Far

What would be the point in hashing passwords in crystal?

It's open source. You host a server. Change your own code to not hash the passwords.

Now you have people's passwords again.


TheOnlyOne

> What would be the point in hashing passwords in crystal?
>
> It's open source. You host a server. Change your own code to not hash the passwords.
>
> Now you have people's passwords again.

He meant, if you can add it to the original source so that any person who opens a server does not see passwords, so they can't use them in another place to hack players etc...
 

Far

> He meant, if you can add it to the original source so that any person who opens a server does not see passwords, so they can't use them in another place to hack players etc...

It's open source..
 

IceMan

Far is saying find your own way to protect your db, I am sure there are ways.
 

mrgreaper

> What would be the point in hashing passwords in crystal?
>
> It's open source. You host a server. Change your own code to not hash the passwords.
>
> Now you have people's passwords again.

If it was in the public source code as the passwords hashed it would stop opportunists. Also protect users from admin error or leaks.
I mean sure you can change the code to see the password but it would at least help some?
 

TheOnlyOne

> Far is saying find your own way to protect your db, I am sure there are ways.

You guys still do not understand me, and you will not use our players' passwords or try to hack them,

but a few server owners did this before and we know well who they were, so for these things we should all not see our players' passwords etc....
 

Far

So you're expecting a dishonest person to be honest and not change their source to see passwords they'll use.

That's just not logical.

Encrypting the db or hashing passwords would only help if your files got stolen. Aside from that it would be useless to add to the source.

 

mrgreaper

> So you're expecting a dishonest person to be honest and not change their source to see passwords they'll use.
>
> That's just not logical.
>
> Encrypting the db or hashing passwords would only help if your files got stolen. Aside from that it would be useless to add to the source.

Well I am also thinking of people that may not have the skill to change the code back would be thwarted by the source being updated to have the passwords encrypted.
 

IceMan

> You guys still do not understand me, and you will not use our players' passwords or try to hack them,
>
> but a few server owners did this before and we know well who they were, so for these things we should all not see our players' passwords etc....

You don't get it, anyone with an open code set can change it to read the info. If you write your own way to stop it no one will know. Far is saying
 

TheOnlyOne

> You don't get it, anyone with an open code set can change it to read the info. If you write your own way to stop it no one will know. Far is saying

Bro, I know what Far means and know well what he is saying,

but I mean for all newcomer server owners. We saw this last year: 2 or 3 people did that and other people came and fought us for that, so why not put this in the original source and make it hard for normal people to change the code back?