JavidPack / HEROsMod

HERO's Mod for tModLoader
https://forums.terraria.org/index.php?threads/heros-mod-creative-mode-server-management-and-over-25-tools-1-3-4-4-compatible.44650/
GNU General Public License v3.0
85 stars, 42 forks

Passwords are stored in a plaintext format #24

Open flfy opened 5 years ago

flfy commented 5 years ago

I find this to be a huge security flaw. There are MUCH better ways to do this.

Example: hash the passwords with bcrypt and a few salt rounds, which is a pretty secure way of preventing the takeover of user accounts.

I hope this gets addressed soon because it's a huge flaw in what I've seen to be an amazing mod.

JavidPack commented 5 years ago

Duplicate of #15

Anyway, there is no real way to know that the server host is trustworthy, so I'm thinking of just changing the wording away from password to something that hints that it's just a unique word.

Hashing the password would just be a false sense of privacy; there is no way to prevent a server host from hijacking your herosmod user credentials.

The real issue is making sure no one is using real passwords for this.

flfy commented 5 years ago

Are you going to sit here and tell me that hashing a password is less safe than storing it in plaintext format?

JavidPack commented 5 years ago

You mentioned preventing takeover of accounts, in that case yes. Hashing would do nothing because the server host can edit the json file however they want to take over your account, even if hashing were used. You already trust the server host by joining their server. Other clients don't have access to the database, so they aren't a threat.

I guess if we trust that people are using the "only download signed mods" option in tModLoader, we can hash on the client to prevent password reuse issues and trust that the .tmod itself hasn't been tampered with. Problem with that is I believe that feature is broken on Mac and Linux right now, unfortunately.

Once 0.11 is out I can begin working on a revamp of the sign in feature. I'll probably just get rid of it in some way.

Edit: In the end, I wasn't thinking of hashing on the client and didn't think through the situation fully.
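
The three options discussed above (plaintext, hashing on the server, hashing on the client), as an added example that is not HEROsMod code and not from any participant in this thread. It is a stand-alone Python model rather than the mod's C#, and it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so it runs without extra packages. The server identifier, the username, the sample password and the "host edits its own file" takeover are all constructed assumptions. It shows what each scheme changes for a malicious host: whether the host sees the real (possibly reused) password at login, whether what it captured works on another server, whether it can still take over the account by editing its own store, and whether it can still guess a weak password offline.

```python
"""Added example (hypothetical, not HEROsMod code): what a malicious server host can
learn or do under plaintext, server-side-hash, and client-side-hash sign-in schemes."""
import hashlib
import hmac
import os

# Work factor kept low so the demo runs quickly; a real deployment would use a
# much higher count or bcrypt/argon2 (assumption, not a project setting).
ITERATIONS = 20_000


def kdf(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


class Server:
    """Hypothetical sign-in store: a dict the host fully controls.

    mode is one of 'plaintext', 'server_hash', 'client_hash'. Because the host is
    assumed malicious, login() also records every secret the client sends."""

    def __init__(self, server_id: str, mode: str):
        self.server_id = server_id
        self.mode = mode
        self.db = {}
        self.seen_at_login = []

    def register(self, user: str, secret: bytes) -> None:
        if self.mode == "plaintext":
            self.db[user] = {"secret": secret}
        else:  # server_hash and client_hash both store a salted hash at rest
            salt = os.urandom(16)
            self.db[user] = {"salt": salt, "hash": kdf(secret, salt)}

    def login(self, user: str, secret: bytes) -> bool:
        self.seen_at_login.append(secret)  # a hostile host logs what arrives
        rec = self.db.get(user)
        if rec is None:
            return False
        if self.mode == "plaintext":
            return hmac.compare_digest(rec["secret"], secret)
        return hmac.compare_digest(rec["hash"], kdf(secret, rec["salt"]))

    def host_takeover(self, user: str, new_secret: bytes) -> None:
        """The host rewrites its own record; this works the same in every mode."""
        self.register(user, new_secret)


def client_secret(server: Server, user: str, password: str) -> bytes:
    """What the client sends over the wire. Only in client_hash mode is the
    password transformed first; the salt binds the token to this server and user."""
    if server.mode != "client_hash":
        return password.encode()
    salt = f"{server.server_id}\x00{user}".encode()
    return kdf(password.encode(), salt)


def host_offline_guess(server: Server, user: str, candidates):
    """Host brute-forces its own record. It knows server_id, user and the stored
    salt, so client-side hashing only slows a dictionary attack; weak passwords
    are still recoverable. Returns the recovered password or None."""
    rec = server.db[user]
    for cand in candidates:
        s = client_secret(server, user, cand)
        if server.mode == "plaintext":
            if hmac.compare_digest(rec["secret"], s):
                return cand
        elif hmac.compare_digest(rec["hash"], kdf(s, rec["salt"])):
            return cand
    return None


def run_scenario(mode: str) -> dict:
    user, password = "alice", "correct horse battery staple"  # constructed sample
    a = Server("play.example-a.net:7777", mode)  # hostile host (assumed)
    b = Server("play.example-b.net:7777", mode)  # second server, same user+password
    a.register(user, client_secret(a, user, password))
    b.register(user, client_secret(b, user, password))

    legit = a.login(user, client_secret(a, user, password))
    captured = a.seen_at_login[-1]
    guessed = host_offline_guess(a, user, ["password", "hunter2", password])

    a.host_takeover(user, client_secret(a, user, "host-chosen"))
    return {
        "legit_login": legit,
        "host_sees_real_password": captured == password.encode(),
        "captured_secret_works_elsewhere": b.login(user, captured),
        "host_recovers_weak_password_offline": guessed == password,
        "host_takeover": a.login(user, client_secret(a, user, "host-chosen")),
    }


if __name__ == "__main__":
    for mode in ("plaintext", "server_hash", "client_hash"):
        print(mode, run_scenario(mode))
```

Reading the results: in plaintext and server_hash modes the host sees the real password at login and can replay it on another server, so server-side bcrypt only protects the file at rest, not against the host. In client_hash mode the host receives a server-bound token that is useless elsewhere, which is the password-reuse protection mentioned above; but the host can still overwrite the record to take over the account, and can still guess weak passwords offline because it knows every input to the client-side derivation.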

Jofairden commented 5 years ago

> The real issue is making sure no one is using real passwords for this.

Jackpot. It doesn't really matter what kind of authentication it'll be, since it's still authentication in the end. Be it a password, "passphrase", or some kind of digit code, I can understand why people feel bothered by it being stored in plaintext, but I also understand you.

Even though your argument stands that by joining the server you should trust the host, inevitably users are still going to use real passwords because... it's called a password (even though your intent may not have been to have them use real passwords).

What if you register people by steamID? That's not very sensitive information, and publicly available to everyone.

JavidPack commented 5 years ago

Yeah, I know, just gotta get 0.11 tmod released first and then I'll be able to tackle all these heros mod issues