Well, I believe at this point we are talking more about ethics than a security risk. The risk is not so much that a hacker can penetrate your system (which they can), but that an unethical administrator can procure player passwords, which, as Andy pointed out, are often related to unix passwords, or player on another mud game. Most users are not smart about choosing passwords, which is as close to a fact as it needs to be in this case.

====================================================================
Christopher Herringshaw
Networking and Special Projects Division
Medical Center Information Technology (MCIT)
xxviper@med.umich.edu
University of Michigan Medical Center, B1911 CFOB
1414 Catherine Street, Ann Arbor, MI 48109-0704
(313) 747-2778
====================================================================

On Sat, 22 Apr 1995, Spawn@KrimsonMud wrote:

>
> Anyway, this is ridiculous. Everyone's complaining about crypt() being a
> security risk... Well, any decent hacker that can get into the shell and
> use the mudpasswd.c (whatever), modified of course, to change anyone's
> password in the game without knowing it. Not to mention purgeplay. Yes,
> it's entirely possible that in a text file the same hacker can set up his
> level, play around with things, but you can easily change that back and
> site ban provided it's straight ASCII. What are you going to do in the
> other case? Purge the entire player file because a person changed a
> password or used a modified purgeplay to set the delete flag on anyone
> they want.... REALLY safe there.
>
This archive was generated by hypermail 2b30 : 12/07/00 PST