Re: merc

From: VampLestat (vamp@csulb.edu)
Date: 04/06/94


On Wed, 6 Apr 1994, Jeff Teker Fink wrote:

> > It would definitely help me on those glorious occasions when someone 
> > wants to know what their password is, so that I don't have to go change 
> > it,

Now that's a great idea.  Store passwords in cleartext.  Bleh.

> > or when you want to look at a char's stats w/o entering the game (for 
> > whatever reasons....).  As for people hacking into files and modifying 
> > them..... well, OLC will keep people out of the root account, and anyone 
> > who got caught doing something like that would be deleted anyway.... *grin*

If you catch 'em.

> Storing someone's password in cleartext (on any system) is generally a bad
> idea.

Now that's a novel concept.  :)

> While a MUD is generally pretty safe (most MUDs don't let you shell
> to the OS) it makes it one step easier to hack.

Also makes it interesting, as I'd bet you could gather some good information
by collecting all the cleartext passwords, and then running the mud with
something like identd to find user IDs ... probably crack more than a couple
accounts with users that had mud passwords that were the same as their
account passwords.

> Earlier this year we had
> someone hack our campus email server which stored the passwords in cleartext, 

Your sysadmins deserve all the trouble they got for storing passwords in
cleartext.

> If you want to make it easy to change passwords, I'd suggest implementing a
> local override password that works in all cases (entering the game, changing
> an existing password, deleting a character) and have them give you a new
> password to enter.  If that sounds unsafe, make it so that the override is
> only checked for people logging in from loopback (127.0.0.1).

Sounds like a decent idea.

_O_ Ryan L. Watkins                   e-mail: vamp@csulb.edu
 |  Academic Computing Services       url   : http://www.acs.csulb.edu/~vamp/
 |  CSU Long Beach - Network Support  pgpkey: finger vamp@gothic.acs.csulb.edu
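
Added example, not part of the original post or of any MUD's code: a sketch of the two ideas discussed in this message, storing only a salted hash in the player file and honoring an override password only for loopback connections. All names, the PBKDF2 parameters and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os

ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; only this string goes in the player file."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_loopback(peer_ip):
    """True only for 127.0.0.0/8, ::1, or an IPv4-mapped loopback address."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable peer address: never grant the override
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def login_allowed(password, peer_ip, player_hash, override_hash):
    """Player's own password works anywhere; the override only from loopback."""
    if verify_password(password, player_hash):
        return True
    return is_loopback(peer_ip) and verify_password(password, override_hash)


# Constructed sample data: one player record and one admin override secret.
PLAYER = {"name": "testchar", "pwd": hash_password("hunter-orc-42")}
OVERRIDE = hash_password("local-admin-override")


def admin_reset(player, new_password, admin_password, peer_ip):
    """Replace a forgotten password without ever reading the old one back."""
    if not (is_loopback(peer_ip) and verify_password(admin_password, OVERRIDE)):
        return False
    player["pwd"] = hash_password(new_password)
    return True
```

The `peer_ip` argument is assumed to come from the accepted socket's peer address, never from anything the client sends.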


