So when will our passwords be encrypted?

Mylo · 2015-08-03 18:45:22

So when will our passwords be encrypted? Is this still a thing?

Because imagine following:
> PC1 is infected by virus
> PC1 grabs Wifi stuff
> You log into EE with PC2, which is in the same Wifi
> Virus has your login information
This can happen even when you're at home.
Because e.g. your grandpa's PC1 is infected.

EE, at least use some kind of encryption. An encryption method,
where the password can't be reverted back (which should be standard since a long time, though).
Because these passwords are for some people the key for every lock in the www.
Paypal, Amazon, Facebook, Forums, Tinder etc.

As user you should think about changing passwords by now though.
Shouldn't this be more important, than inventing campaigns n' stuff?

skullz17, Jesse, realmaster42, Arber, Kangxp, Nou, BEE, SirJosh3917, 1448, TSF14, Vasum01, mrjoke, robotkoer

Hexagon · 2015-08-03 18:53:43

Assuming that this is the case, if passwords aren't encrypted, and goods purchased with real money (i.e gems) are associated with our accounts, then that's a no no. At least HTTPS, and have it salted and hashed in the DB.

mrjoke, Mylo

BEE · 2015-08-03 19:49:12

Looks important.

Then again, my password for ee was "password" for like four years... Lol

Nickolai

capasha · 2015-08-03 20:03:51

I don't think EE devs can do anything. Because It's Yahoo/PlayerIO that need to fix it.
I hope they will add HTTPS instead. Not that I care so much because I use different passwords everywhere anyway.

Jesse, CJMaeder

Mylo · 2015-08-03 20:34:27

You can always use md5 or basic stuff @capasha, even if it's not perfect. They don't have to use HTTPS right away though.
Also, Yahoo/PlayerIO are not an acceptable excuse for such major flaw, in my opinion.

capasha · 2015-08-03 20:42:07

Mylo wrote:

You can always use md5 or basic stuff @capasha, even if it's not perfect. They don't have to use HTTPS right away though.
Yahoo/PlayerIO are not an acceptable excuse for such major flaw, in my opinion.

True.

Mylo

eeisold · 2015-08-04 02:24:09

That being said, if we have to wait for PlayerIO to speed up, why not find an alternative server solution? Write your own dang connection code.
Besides requiring a lengthy rewrite for a great deal of software...

Creature · 2015-08-04 02:26:28

Password Hunt 2015

Watch your passwords, they'll change everyday.

mrjawapa · 2015-08-04 03:52:28

Creature wrote:

Password Hunt 2015
Watch your passwords, they'll change everyday.

Making my password a gem code.

Koto, SirJosh3917, 1448

realmaster42 · 2015-08-04 09:04:04

JaWapa wrote:

Creature wrote:
Password Hunt 2015
Watch your passwords, they'll change everyday.
Making my password a gem code.

Imagine this (already happened):

- a hacker gets a player's email (added as friend)
- brings up C#/C++ pass cracker program
- spams letters in pass till it joins

So here is something you should do:

everytime you press the login button, refresh the page automatically:
Hax0rs will no longer work

Aoitenshi · 2015-08-04 09:07:39

yay for being a kongur

Xfrogman43, Arber, eeisold, Vasum01

lrussell · 2015-08-05 03:50:26

eeisold wrote:

That being said, if we have to wait for PlayerIO to speed up, why not find an alternative server solution? Write your own dang connection code.
Besides requiring a lengthy rewrite for a great deal of software...

Because EE is *very* dependent on Yahoo Games Network. It's not just connection code, they store all the account information, levels, and provide multiplayer support. The game would have to be completely rewritten and every bot ever created would be broken. Also, the player account system is standardized throughout YGN, the Everybody Edits staff didn't design it.

Mylo · 2015-08-06 00:24:53

Which does not change the fact they could salt and hash it.. Or do something to at least fix it a little bit.. @lrussell
/mobile

Hexagon · 2015-08-06 00:31:39

I'd like to hear from an admin or moderator regarding this issue, to make sure that we're not misunderstanding something.

CJMaeder · 2015-08-06 03:38:15

Hexagon wrote:

I'd like to hear from an admin or moderator regarding this issue, to make sure that we're not misunderstanding something.

It will be addressed sooner or later.

lrussell · 2015-08-07 02:19:52

Mylo wrote:

Which does not change the fact they could salt and hash it.. Or do something to at least fix it a little bit.. @lrussell
/mobile

Except it does since they have no control of how passwords are stored or verified. They'd need to nag Yahoo Games Network to get somewhere.

mrjawapa · 2015-08-07 03:56:02

lrussell wrote:

Mylo wrote:
Which does not change the fact they could salt and hash it.. Or do something to at least fix it a little bit.. @lrussell
/mobile
Except it does since they have no control of how passwords are stored or verified. They'd need to nag Yahoo Games Network to get somewhere.

Which is usually like talking to a brick wall.

lrussell

Mylo · 2015-08-07 23:32:20

But doesn't EE decide what passwords they store? Can't they store an already encrypted one? Also, I do think this is way more important than "sooner or later" - it should be more like "ASAP!" with actions following.
/mobile

lrussell · 2015-08-08 02:47:31

Mylo wrote:

But doesn't EE decide what passwords they store? Can't they store an already encrypted one? Also, I do think this is way more important than "sooner or later" - it should be more like "ASAP!" with actions following.
/mobile

As I've already said, EE is powerless to do any of this. Account registration, login, password changes, etc. is all handled by Yahoo Games Network. There is a function to register a new user within the universal API and you can view/delete them from their control panel. At any rate, I'm sure they hash them before storing them anyway. You're making this request to the wrong people. Regardless, a middleman attack would still be difficult to carry out. It's been like this for 5 years, so any potential damage is done.

Check your address bar, did you use HTTPS to login and view the forums? If not, congratulations! Your password may have been taken through a middleman attack.

Official Everybody Edits Forums

#1 2015-08-03 18:45:22, last edited by Mylo (2015-08-03 19:14:34)

So when will our passwords be encrypted?

#2 2015-08-03 18:53:43, last edited by Hexagon (2015-08-03 19:14:55)

Re: So when will our passwords be encrypted?

#3 2015-08-03 19:49:12

Re: So when will our passwords be encrypted?

#4 2015-08-03 20:03:51

Re: So when will our passwords be encrypted?

#5 2015-08-03 20:34:27, last edited by Mylo (2015-08-03 20:41:09)

Re: So when will our passwords be encrypted?

#6 2015-08-03 20:42:07

Re: So when will our passwords be encrypted?

#7 2015-08-04 02:24:09

Re: So when will our passwords be encrypted?

#8 2015-08-04 02:26:28

Re: So when will our passwords be encrypted?

#9 2015-08-04 03:52:28

Re: So when will our passwords be encrypted?

#10 2015-08-04 09:04:04

Re: So when will our passwords be encrypted?

#11 2015-08-04 09:07:39, last edited by Aoitenshi (2015-08-04 09:43:00)

Re: So when will our passwords be encrypted?

#12 2015-08-05 03:50:26, last edited by lrussell (2015-08-05 03:51:19)

Re: So when will our passwords be encrypted?

#13 2015-08-06 00:24:53

Re: So when will our passwords be encrypted?

#14 2015-08-06 00:31:39

Re: So when will our passwords be encrypted?

#15 2015-08-06 03:38:15

Re: So when will our passwords be encrypted?

#16 2015-08-07 02:19:52

Re: So when will our passwords be encrypted?

#17 2015-08-07 03:56:02

Re: So when will our passwords be encrypted?

#18 2015-08-07 23:32:20

Re: So when will our passwords be encrypted?

#19 2015-08-08 02:47:31, last edited by lrussell (2015-08-08 02:49:54)

Re: So when will our passwords be encrypted?

Board footer