Unsettling problem with DBSC2.5.2... password issues
It is now over 60 days since the last post. This thread is closed.
Posted by
| Aqueus
USA (47 posts) Bio
|
Date
| Fri 19 Jan 2007 05:45 AM (UTC) |
Message
| We just got DBSC running a few days ago, we've been poking around in the code, changing the message that prints out here, the color of something there, so I don't think we're responsible, but we randomly have a crash where all the passwords become 'wrong'. Every person's password becomes something different.
Has this ever happened to anyone else?
When looking at the player files, I get that the password is encrypted, is there any method of decrypting it? Or, god-forbid turning off encrypting of passwords, since I think that's the problem...
Can anyone think of a workaround? Whenever a player is created they can save just fine, but if they try and change their password they get the 'wrong original password' message. So I can't just save a character and up his level (to godset someone's password...)
I'm desperate. REALLY desperate. So desperate that I've considered commenting out the code that tries to verify that your password is correct. Please, someone heeeelp. =(
|
Posted by
| Zeno
USA (2,871 posts) Bio
|
Date
| Reply #1 on Fri 19 Jan 2007 05:49 AM (UTC) |
Message
| I didn't think of this before, but compare the code for the ifcheck in the password login and the ifcheck with the delete code. |
Zeno McDohl,
Owner of Bleached InuYasha Galaxy
http://www.biyg.org
|
Posted by
| Samson
USA (683 posts) Bio
|
Date
| Reply #2 on Fri 19 Jan 2007 05:56 AM (UTC) |
Message
| /* This should stop all the mistyped password problems --Shaddai */
if( str_cmp( sha256_crypt( arg1 ), ch->pcdata->pwd ) )
{
   send_to_char("Old password is incorrect, try again.\n\r", ch );
   return;
}
Is that the message you see?
|
Posted by
| Zeno
USA (2,871 posts) Bio
|
Date
| Reply #3 on Fri 19 Jan 2007 06:05 AM (UTC) |
Message
| It's different in DBSC, you get the "Wrong password, wait 10 seconds" message I think. |
Zeno McDohl,
Owner of Bleached InuYasha Galaxy
http://www.biyg.org
|
Posted by
| David Haley
USA (3,881 posts) Bio
|
Date
| Reply #4 on Fri 19 Jan 2007 07:14 AM (UTC) |
Message
| It's quite easy to turn off the encryption of passwords. You just have to find the places where it encrypts passwords using crypt, and get rid of the crypt calls. In fact, there might even be a flag in the makefile, NOCRYPT or something like that, that will #define crypt(foo) to be simply foo.
However you cannot decrypt the passwords since they aren't technically speaking actually encrypted; they're hashed. The way it works is that you check the password by hashing it (which gives you essentially a numeric value) and comparing that against the stored hash. So it's a one-way encryption, if you will, that only serves to verify that whatever was entered hashes to what we expect it to hash to.
A good hashing is one that will minimize collision, i.e. two different strings yielding the same value. An interesting feature of crypt is that it only considers the first 8 letters of a string, so that the passwords thisisapassword and thisisapasswordtoohaha are equivalent as far as crypt is concerned. (That's why some people have moved to more modern functions, such as Samson's example with the sha256 algorithm.) |
David Haley aka Ksilyan
Head Programmer,
Legends of the Darkstone
http://david.the-haleys.org
|
Posted by
| Aqueus
USA (47 posts) Bio
|
Date
| Reply #5 on Fri 19 Jan 2007 07:23 AM (UTC) |
Message
| Ouch, ok, I'll see about turning off encrypting, but it'd be nice to encrypt it some way so that my coders couldn't see every player's (including my) password. Not to say that I don't trust them, but if a player pushes their buttons they might be inclined to make that player do stupid things.
On the other hand, we'd see their IP, so we'd know it was them. Ok, whatever - away I go!
Thank you all.
Also: Samson is right. That's the message I get when I try to change my passwords.
|
Posted by
| David Haley
USA (3,881 posts) Bio
|
Date
| Reply #6 on Fri 19 Jan 2007 07:53 AM (UTC) |
Message
| Well, hey, putting restrictions on your coders is kind of like hiding your address from the guy who knows where your house is and has your keys. Or like restricting commands to level 65 when the guy with shell access can set their trust to 65 through the shell anyhow, or worse yet, prevent all of their commands from being logged in the first place. Somebody with shell access is basically supergod as far as the MUD is concerned.
What I'd be more concerned about is that many people use the same passwords all over the place, and so if you got a MUD password, you might also have e.g. an email account password.
One thing you could do is to store the passwords with an easy and reversible encryption (such as shifting all letters three places). It would prevent accidental viewing of passwords (sometimes I need to open up pfiles to fix them manually) and let you retrieve passwords in case you need to for some reason.
However, I'm still fairly concerned about your original problem: somehow the passwords are going 'wrong', you say, becoming something different. Well, that means they aren't being saved correctly, and that could mean that even using plain-text passwords, they will occasionally get changed around.
Maybe Samson knows something about this (it might be something SMAUGfuss has dealt with) since he posted that code snippet. |
David Haley aka Ksilyan
Head Programmer,
Legends of the Darkstone
http://david.the-haleys.org
|
Posted by
| Samson
USA (683 posts) Bio
|
Date
| Reply #7 on Fri 19 Jan 2007 03:16 PM (UTC) |
Message
| Goku may have added the sha_256 stuff to the DBSC code. Either way, someone did, cause all I did was upload the copy I had sitting around over to MudBytes.
Anyway, if you can go into act_info.c, look for the do_password function, and post what you have there. Then find the affected pfile, and post the password line so we can see it. However, if the password is *NOT* encrypted, please don't post it.
This will tell us what needs to be done to fix it. You may have a conflict between encryption types for some reason. The SHA256 password encryption code works regardless of the platform you're on.
|
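A shape check for the stored password values discussed in the reply above, so pfiles written by different hashing code can be told apart without posting or printing the values. This is an added example, not part of the original thread and not code from DBSC or SMAUG; the names are hypothetical, and it assumes a pfile line of the form `Password <value>~` and that the MUD's MD5 or SHA-256 code stores a plain hex digest.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Shapes a stored password value can have; the labels are this example's own. */
typedef enum { PW_EMPTY, PW_DES_CRYPT, PW_MD5_CRYPT, PW_MD5_HEX, PW_SHA256_HEX, PW_UNKNOWN } pw_kind;

static const char *KIND_NAME[] = { "empty", "DES crypt(3)", "MD5 crypt ($1$)",
                                   "MD5 hex digest", "SHA-256 hex digest", "unknown/plain text" };

/* True if the first n bytes are all hex digits (hex=1) or all in crypt's [./0-9A-Za-z] set. */
static int all_in_set(const char *s, size_t n, int hex) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (hex ? !isxdigit(c) : (!isalnum(c) && c != '.' && c != '/')) return 0;
    }
    return 1;
}

/* Classify by length and alphabet only. A heuristic: a 13-character alphanumeric
   plain-text password would be reported as DES crypt. */
pw_kind classify_pwd(const char *v) {
    size_t n = strlen(v);
    if (n == 0) return PW_EMPTY;
    if (strncmp(v, "$1$", 3) == 0) return PW_MD5_CRYPT;
    if (n == 64 && all_in_set(v, n, 1)) return PW_SHA256_HEX;
    if (n == 32 && all_in_set(v, n, 1)) return PW_MD5_HEX;
    if (n == 13 && all_in_set(v, n, 0)) return PW_DES_CRYPT;
    return PW_UNKNOWN;
}

/* Assumed pfile layout: the keyword "Password", whitespace, the value, then '~'. */
pw_kind classify_pfile_line(const char *line) {
    char value[128];
    if (strncmp(line, "Password", 8) != 0) return PW_UNKNOWN;
    line += 8 + strspn(line + 8, " \t");
    size_t n = strcspn(line, "~\r\n");
    if (n >= sizeof value) return PW_UNKNOWN;
    memcpy(value, line, n);
    value[n] = '\0';
    return classify_pwd(value);
}

int main(void) {
    /* Constructed sample lines, not taken from any real player file. */
    const char *lines[] = { "Password     Aq0123456789.~",
                            "Password     0123456789abcdef0123456789abcdef~",
                            "Password     hunter2~" };
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)   /* print the kind, never the value */
        printf("pfile %zu: %s\n", i + 1, KIND_NAME[classify_pfile_line(lines[i])]);
    return 0;
}
```

If the kinds differ between pfiles, or differ from what the running do_password code produces, the stored values and the verification code were written by different schemes.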
Posted by
| Volk
(5 posts) Bio
|
Date
| Reply #8 on Thu 08 Mar 2007 10:47 AM (UTC) |
Message
| I know this is a month old or so, but I'm pretty sure Goku as of DBSC 2.5 was using MD5 for encryption. :)
|
Posted by
| Samson
USA (683 posts) Bio
|
Date
| Reply #9 on Thu 08 Mar 2007 04:50 PM (UTC) |
Message
| All I know is the excerpt I posted earlier came from the copy of 2.5 I have lying about and uploaded to MudBytes. Maybe Goku converted to sha256 before shutting down?
|
Posted by
| Volk
(5 posts) Bio
|
Date
| Reply #10 on Tue 13 Mar 2007 04:04 AM (UTC) |
Message
| Possibly, I haven't seen or spoken to him for a while now.. We ended up putting in sha-256 ourselves anyway, it's not too hard.
Probably the best bet is if your pfiles are all unencrypted now anyway, just remove the code and set up the sha-256 snippet?