netizen539 / civcraft

GNU General Public License v2.0

Remove salt from default plugin config #26

Open githubnemo opened 10 years ago

githubnemo commented 10 years ago

Steps to hijack your users:

  1. Get a good look at the database (atlas.civcraft.net):

    select count(*), password from users group by password order by 1;

  2. Take one from the highest and guess that it must be a standard password
  3. Try to re-create the password

    echo -n 1337539sdfwwfWWDWFwwdfwQWFSCQqEFSAZ123456 | sha1sum

You should really use a different salt. At least now.

netizen539 commented 10 years ago

Yeah it should probably be removed. However that database is no longer active.

githubnemo commented 10 years ago

But there are still passwords from users. It is not unlikely they use the same password for other services (like minecraft). These passwords are now easily guessable and are available to the public with their minecraft usernames. If that database is not used anymore, remove it or make it non-public for the sake of your users.

netizen539 commented 10 years ago

Thanks for pointing that out. The database should no longer be accessible.