• Blogs
Thursday, May 06, 2004
06:19 pm UTC @Creator MightyE Security Upgrades
Hits: 4130891
I mentioned in a MoTD that there was a password upgrade. For those who want to know, what we're doing now is utilizing a javascript based md5 algorithm to hash your password before it is sent to the server. This is then md5'd again server-side and compared against the hash in the database. If they match, your password is good and you get to sign in. If you don't have javascript enabled, the game picks up on the fact that your password was in fact *not* md5'd, and md5's it two times before comparing to the database. Ultimately the password stored in the database is a double md5 of your original password.

We don't md5 the password two times for a that being any harder to reverse than a single md5, but rather this way your password doesn't have to go across the network in plain text, so no one can sniff you, and even the hash that goes across the network is also not stored directly in the database. Not having the hash that you send across the network be the same one we store in the database means that if I wanted to look in the database and steal your password to log in to another LoGD site by forging the javascript, it won't do me any good. For the same reasons we md5 a password before storing it in the database, we md5 the hash you send us when you log in before storing that in the database. You're afforded two levels of protection, one against prying eyes, and one against prying admins.

The other upgrade we're doing security-wise is using a new module to control administrative access by IP address. With this module, should I go over to a friend's house, I'd not be able to perform most administrative tasks. Although that part's not particularly fantastic, what is fantastic is that if someone managed to figure out my password (or the password of another admin) the worst they'd be able to do would be to get that admin killed in the forest, and post some comments. All too often someone claims to have admin passwords, then I end up doing a bunch of detective work to find out they indeed don't. Now it won't matter so much even if they do get it because they won't be able to go crazygonuts on the game.

We already protect against password brute forcing on admin accounts, so this adds yet another level of protection.

Also this update brings us a new translation engine, but I doubt most of you really want to hear all the boring details of *that*. Sorry if any of the above didn't make sense, it's the end of the day, and I haven't had coffee for over 10 hours now. YoM me if you don't understand something and are curious, and I'll try to answer you =)

MightyE
Creative Commons License This work is licensed under a Creative Commons License.
Game Design and Code: Copyright © 2002-2008, Eric Stevens & JT Traub
Design: Jade Template © Josh Canning 2004 of HFS
View PHP Source
Version: 1.0.6+classic
(Page gen: 0.05s, Ave: 0.05s - 0.05/1)