Warning: New untrusted server launch

Alecs

SPQR
VIP
Jan 10, 2009
Europa
Is there a guide for doing it with the crystal files?
It honestly, not joking, makes me uncomfortable when I click accounts and see people's passwords and know they are not stored securely... and this is just on a server that's not live yet.

@Far have you thought about importing Zircon's account management into Crystal's? Or adding a connected account management system (Facebook? Google?) I honestly would not know where to start, but if it's embedded into the default files it would become less of an issue?

I don't know of any guide but it shouldn't be too complex to do. Instead of saving the password in plain text, you use one of the C# hash functions hashFunction(password) and it'll return the hashed password which you save. For extra security you can salt that password with a unique salt for every user or the same for everybody. Let's say you use "hello" as a salt for everybody. You concat the user password with hello and hash it.

Then when the user logs in you have to do the same thing again. You concat his password with hello and check the hashed password against the hashed password stored in your db. If it matches, the password is correct and the user logs in. If you want a unique hash for every user, you need to save it in the user db. For extra security it can be something like the timestamp and a random number/string.

A hash is a one-way encryption algorithm so there's no way you get a hash and revert it to the original password. There are some databases with hashed passwords; that's why the salt is important, so no matter what, your hashed password will always be different from others.
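The salt-then-hash flow the post above describes, written out as an added example in Python (it is not code from this thread or from the Crystal server files, and the function names and the stored record format are my own). It uses a random per-user salt and PBKDF2 rather than a single bare hash call, stores the salt next to the digest so login can recompute it, and compares digests in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: replace the plain-text password column with a record
# "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>" and verify logins by
# recomputing the digest. Nothing here comes from the Crystal code base.

ITERATIONS = 600_000   # deliberately slow; tune to the server hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record to store for this user; a fresh random salt per call."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per user, unlike a shared "hello" salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Redo the same salt+hash step with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:          # malformed or legacy record: never treat as a match
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Two users with the same password get different records because the salt differs,
    # so a leaked table cannot be matched up by eye or against a precomputed list.
    rec_a = hash_password("hunter2")
    rec_b = hash_password("hunter2")
    print(rec_a != rec_b, verify_password("hunter2", rec_a), verify_password("hunter3", rec_a))
```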


What would be the point in hashing passwords in crystal?

It's open source. You host a server. Change your own code to not hash the passwords.

Now you have people's passwords again.

Sent from my SM-G930F using Tapatalk

Most server owners don't have bad intentions and they don't want your password. So what will change? Well, things like the Olymp database leak won't happen. And if it happens, it won't really matter because passwords are hashed.

That's why every open source project out there has hashed passwords. Even though you should always use different credentials.
 

Far

tsniffer
Staff member
Developer
May 19, 2003
But in that scenario your salt is useless anyway. Unless your database got leaked / stolen without the server files. But in Crystal's case, the database is stored in the same place as the server holding the salt.

And if your server files got stolen, within 2 minutes you can decrypt anyone's password / database.

Sure this might stop a few people who want to steal your password and don't know how to look at code. But all it takes is a Google search. I just don't think you'd be stopping anyone.
 

Alecs

SPQR
VIP
Jan 10, 2009
Europa
But in that scenario your salt is useless anyway. Unless your database got leaked / stolen without the server files. But in Crystal's case, the database is stored in the same place as the server holding the salt.

And if your server files got stolen, within 2 minutes you can decrypt anyone's password / database.

Sure this might stop a few people who want to steal your password and don't know how to look at code. But all it takes is a Google search. I just don't think you'd be stopping anyone.

How would you decrypt anything?
 

Alecs

SPQR
VIP
Jan 10, 2009
Europa
They're relaunching the server under the name "Ragnarok" so if you see it somewhere you should know it's a low effort server and they'll use your credentials wherever they can to steal your stuff.

Jamie

LOMCN Developer
Developer
Mar 29, 2003
United Kingdom
What would be the point in hashing passwords in crystal?

It's open source. You host a server. Change your own code to not hash the passwords.

Now you have people's passwords again.

Sent from my SM-G930F using Tapatalk

A way to possibly find out is to..

"Forget your password" and then request password from GM, if they give you your password, you know they've changed the source.. (Small chance they are dumb enough and forgot that this should be impossible)

Only servers that give reset/temp password(s) have a chance at being honest.