multitheftauto / mtasa-blue

Multi Theft Auto is a game engine that incorporates an extendable network play element into a proprietary commercial single-player game.
https://multitheftauto.com
GNU General Public License v3.0

Auto-Login #2117

Open Allerek opened 3 years ago

Allerek commented 3 years ago

Is your feature request related to a problem? Please describe.

Yeah, some players store their login as a bind (to make it quicker); this is unsafe as the password is visible as clean text.

Describe the solution you'd like

Add an auto-login option in options (with hashed password), while at the same time we should add an option in server.conf about disabling auto-login.

CrosRoad95 commented 3 years ago

Rather than adding a feature that's easy to implement by servers themselves, better to add a "streamer mode" where binds and other sensitive data are censored. If someone is stupid and taking screenshots of such things, his problem.

Allerek commented 3 years ago

> Rather than adding a feature that's easy to implement by servers themselves, better to add a "streamer mode" where binds and other sensitive data are censored. If someone is stupid and taking screenshots of such things, his problem.

It's more about how they're stored on the PC; they can be easily stolen.

Dezash commented 3 years ago

> It's more about how they're stored on the PC; they can be easily stolen.

Using a custom implementation, you wouldn't need to store passwords on the client device at all.

AlexTMjugador commented 3 years ago

What about disallowing binding the login command? Also, custom server commands that have sensitive data as parameters may be marked as such by adding a new parameter to addCommandHandler or something like that, to extend that protection to custom commands that need it. This approach seems to be both the simplest and safest one I can come up with, as no password data would be stored at all.

> Using a custom implementation, you wouldn't need to store passwords on the client device at all.

While doing so has many advantages, I don't think that extra security should be one of them. MTA out of the box login system should be secure by default, in my opinion.

> It's more about how they're stored on the PC; they can be easily stolen.

I think this is a valid concern, especially in the case of client computers that are used by several people, like a shared PC at home.

Allerek commented 3 years ago

> What about disallowing binding the login command? Also, custom server commands that have sensitive data as parameters may be marked as such by adding a new parameter to addCommandHandler or something like that, to extend that protection to custom commands that need it. This approach seems to be both the simplest and safest one I can come up with, as no password data would be stored at all.
>
> > Using a custom implementation, you wouldn't need to store passwords on the client device at all.
>
> While doing so has many advantages, I don't think that extra security should be one of them. MTA out of the box login system should be secure by default, in my opinion.
>
> > It's more about how they're stored on the PC; they can be easily stolen.
>
> I think this is a valid concern, especially in the case of client computers that are used by several people, like a shared PC at home.

That's a good idea, to stick with a 'disableBinding' parameter to addCommandHandler (and acl.xml prob).
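
Added example, not code from this thread or from MTA: a Python sketch of the server-side approach mentioned above, where the client keeps a random, revocable token instead of the password or a hash of it. The class, its method names and the `allow_auto_login` switch are hypothetical; the switch stands in for the server.conf option proposed in the request.

```python
import hashlib
import hmac
import secrets


class AutoLoginServer:
    """Hypothetical account script: clients hold a random token, never the password."""

    def __init__(self, allow_auto_login=True):
        self.allow_auto_login = allow_auto_login  # stands in for the proposed server.conf switch
        self._accounts = {}  # name -> (salt, PBKDF2 hash of the password)
        self._tokens = {}    # SHA-256(token) -> account name; raw tokens are not kept

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self._accounts[name] = (salt, self._kdf(password, salt))

    def _issue(self, name):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = name
        return token

    def login(self, name, password, remember=False):
        """Password login. Returns (ok, token); token is None unless auto-login applies."""
        record = self._accounts.get(name)
        if record is None or not hmac.compare_digest(self._kdf(password, record[0]), record[1]):
            return False, None
        return True, (self._issue(name) if remember and self.allow_auto_login else None)

    def auto_login(self, token):
        """Token login. Each token works once and is replaced; returns (name, new_token)."""
        name = self._tokens.pop(self._digest(token), None) if self.allow_auto_login else None
        if name is None:
            return None, None
        return name, self._issue(name)

    def revoke(self, name):
        """Drop every token for an account, e.g. after a password change."""
        self._tokens = {d: n for d, n in self._tokens.items() if n != name}
```

A hash of the password stored on the client would itself act as the password if the server accepted it; the token here is unrelated to the password, is accepted once, and can be revoked without changing the password.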