Message for Dev. Team

12-01-2013, 04:44 PM
Today I had to use the Password Recovery, and what did I see? Your website sent me my password.
I cannot understand which person/persons are able to write code which saves the passwords (personal data!) of thousands of users into a database. This is such a fail, like a paper vault.
I must appeal to the dev. team to change it!

12-02-2013, 10:29 AM
PM me, I'd love to help!

01-19-2014, 06:33 AM
He's saying your security sucks,
which it does.

Konstantin Fomenko
01-20-2014, 10:08 AM
Your website sent me my password.
Our security is not something to be proud of - but we have some layers of protection. We do not store any sensitive information for our users like credit cards, home address, etc. Only usernames and passwords. The website form you were using communicates with a secure database on a separate server reserved for all the user info. So payer info is not stored on our website like you've assumed.

Could we make security better? Given time, yes. But is it worth the investment of time and funds that our team could spend on making the game better? An amateur hacker might not be able to get the info; someone much more advanced - there is a chance, but all they can get is separate entries of username and password - that hold no real value, other than the small % who use the same username/password somewhere else - but most people pick unique in-game nicks, and there is no good way to track this, as we don't even store user IPs.

01-28-2014, 11:08 AM
This issue is always my first port of call with any new account creation.

The clear fact that you are storing all passwords as plain text makes you the first port of call for ANY level of hacker, as password scraping is a VERY sought-after type of information gathering. You don't just open the door to your own site but expose unwary users to security issues on other sites where they use the same information they use here, because not everyone uses different credentials elsewhere.
So you owe it to your customers to protect their information above all else, regardless of how small it may be!

All that needs to be done is to MD5/SHA1 the password with a salt to prevent easy reading and make anyone really wanting this info waste a LOT of CPU time, and if the user forgets their password, just create a random array of password characters for them to log in with, so they can change it. It's more than simple & I really shouldn't have to suggest this in the first place!

Don't be so naive in thinking it won't happen to you! You have exposure on Steam and how many Steam users are involved in hacking? If you can't implement this simple security then what's to say your game coding doesn't have the potential to expose this data?

Maybe just think of the bad press and loss of business when all your users find their passwords were stolen due to the most simple of security fixes?

I just hope that when it happens you get forewarned of the data being disclosed & they give you time to fix it.

Konstantin Fomenko
01-28-2014, 11:42 AM
Well said. We are planning to remedy this later this winter before we continue to grow our player population.

02-03-2014, 07:08 PM
As a web/software developer, I would recommend putting the migration of clear-text passwords to hashed password + salt as one of the top priorities as well.

We had one legacy project that stored passwords in clear text. Although it is convenient for the client to obtain the password for their day-to-day operation (on behalf of their clients), it makes the system a risky target for bad guys trying to find information.

We basically did the following steps for the conversion on the database side (not literally, but this is the overview).
1. Write a shared helper method that creates a salt and hashed password.
2. Write a shared helper method that creates a hashed password based on a given salt.
3. Create two columns on the login table: Hashed Password and Salt.
4. Create a script that goes through each entry on the login table and converts the clear text to a hash with a new random salt.
5. Initially, update the login validation to use both clear text/password until the conversion is done.
6. Remove the clear text and the login add/edit/delete methods that use clear text altogether.

Working with less data entry is probably better.
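The six-step migration above, written out as an added example (this is not the poster's code and not this site's): a constructed in-memory login table stands in for the database, PBKDF2-HMAC-SHA256 with a per-user random salt stands in for the two helper methods, and the transitional validator also upgrades an unconverted row the first time that user logs in successfully, so the batch script and normal logins can run side by side.

```python
import hashlib
import hmac
import os

# Constructed sample "login table": username -> row. The "password" column is
# what the legacy schema held in clear text; the two new columns (step 3)
# start out empty for every row.
LOGIN_TABLE = {
    "alice": {"password": "correct horse", "hashed_password": None, "salt": None},
    "bob":   {"password": "hunter2",       "hashed_password": None, "salt": None},
}
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune to your hardware)


def hash_with_salt(password, salt):
    """Step 2: derive the stored hash for a given salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_salt_and_hash(password):
    """Step 1: fresh random 16-byte salt plus the matching hash."""
    salt = os.urandom(16)
    return salt, hash_with_salt(password, salt)


def migrate_table(table):
    """Step 4: convert every row still holding clear text; returns rows converted."""
    converted = 0
    for row in table.values():
        if row["password"] is not None and row["hashed_password"] is None:
            row["salt"], row["hashed_password"] = new_salt_and_hash(row["password"])
            row["password"] = None  # step 6 for this row: clear text is gone
            converted += 1
    return converted


def validate_login(table, username, password):
    """Step 5: transitional check that works before, during and after migration."""
    row = table.get(username)
    if row is None:
        return False
    if row["hashed_password"] is not None:
        candidate = hash_with_salt(password, row["salt"])
        return hmac.compare_digest(candidate, row["hashed_password"])
    # Row not yet migrated: compare clear text; on success, upgrade it right away.
    if hmac.compare_digest(row["password"].encode("utf-8"), password.encode("utf-8")):
        row["salt"], row["hashed_password"] = new_salt_and_hash(password)
        row["password"] = None
        return True
    return False
```

Once `migrate_table` reports zero rows converted, the clear-text branch of `validate_login` and the "password" column can be dropped, which is step 6.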