Official Everybody Edits Forums

drunkbnu

Formerly HG

Joined: 2017-08-16

Posts: 2,306

How to save account details on your bot

Sometimes we're stuck to a point where we don't know what to do, and all what we can do is to ask for help.
But sometimes it's the bot coder's fault for having chosen the wrong way since the start. Simple as that.

Do not hard-code your account into the bot, ever!

Because then, if you post your source with your account on it accidentally, there will always be the chance of someone messing with your account.
Even if you changed your password, someone that managed to log in with your account before you changed it, is still able to do what they want with it.

The best way to avoid this, is not to add reminders, not to remove the account data before posting.
The correct way of avoiding future issues with your account while coding, is not to hard-code your account at all.

The System.IO library provides us 2 easy and safe ways to save account details into external files.

▼Text Files

If you're working on a private bot that only you will use, your best is to use a text file to save your e-mail, password and world ID, then to read it at the moment of connecting.
This not only makes it safer for you to share your code, but you can edit the text file instead of having to open the project, if all what you want to do is to change your account details or the world ID.

Here is a string array that reads the lines of text of a config file.

// Assuming you have a text file called "config.txt", with 3 lines of text (e-mail, password, world ID)
public static string[] config = File.ReadAllLines ("config.txt");

You can then call the string you need from the array.

cli = PlayerIO.QuickConnect.SimpleConnect ("everybody-edits-su9rn58o40itdbnw69plyw", config[0], config[1], null);
con = cli.Multiplayer.JoinRoom (config[2], null);

Of course, it's important to check whether the config array has actually 3 strings, to prevent an index out-of-range exception, but considering this is for private bots, the developers can just make sure that the text file has 3 lines, unless they are trying to implement something different.

▼Binary Files

If you are working on a public bot for everyone, you have to take in mind that you don't want the users' account to get hacked. A curious person could check an user's computer, and find the text file with their account data, and then mess with the account. You'll want to find a way to save their account data, but that it can only be read by the bot.

Working with binary files is very similar to with normal text files, indeed, so you won't have to lose a lot of time trying to protect the account data.

Here is a method that saves the account data submitted via parameters, into a binary file.

public static void SaveData (string email, string password, string world) {
  using (BinaryWriter writer = new BinaryWriter (File.Open ("config", FileMode.Create))) {
    writer.Write (email]);
    writer.Write (password);
    writer.Write (world);
  }
}

Here is another method, this time to read the binary file.

// Assuming the binary file exists, and has 3 strings.
public static string[] ReadData () {
  using (BinaryReader reader = new BinaryReader (File.Open ("config", FileMode.Open))) {
    return new string[] { reader.ReadString (), reader.ReadString (), reader.ReadString () }
  }
}

The read method is written to return a string array, so use it when declaring your config array.

public static string[] config = ReadData ();

And then, just like in the text file example, you only need to call the string you need from the array.

cli = PlayerIO.QuickConnect.SimpleConnect ("everybody-edits-su9rn58o40itdbnw69plyw", config[0], config[1], null);
con = cli.Multiplayer.JoinRoom (config[2], null);

Processor

Member

Joined: 2015-02-15

Posts: 2,246

Re: How to save account details on your bot

I would like to add that the proper method for this is to use the app.config file. It can be easily accessed through something like ConfigurationSettings.AppSettings["Password"] and its easy enough to not accidentally share the file!

---

I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.

N1KF

Wiki Mod

From: ဪဪဪဪဪ From: ဪဪဪဪဪ From: ဪဪဪဪဪ

Joined: 2015-02-15

Posts: 11,113

Website

Re: How to save account details on your bot

But sometimes it's the bot coder's fault for having chosen the wrong way since the start. Simple as that.

This is an excuse to blame AnatolyEE for being a victim.

capasha

Member

Joined: 2015-02-21

Posts: 4,066

Re: How to save account details on your bot

Can't really say it's safe to store login details in binary either. If someone want to hack anyone, they would do so too.
I had different ways of encryptions for EEditor's account data. But then people would break through that anyway, like I said before.

LukeM

Member

From: England

Joined: 2016-06-03

Posts: 3,009

Website

Re: How to save account details on your bot

Can't really say it's safe to store login details in binary either. If someone want to hack anyone, they would do so too.
I had different ways of encryptions for EEditor's account data. But then people would break through that anyway, like I said before.

Anyone looked into how the EE website saves your login info? Im fairly sure that whatever way they use would be the best (at least best moderately easy) way to do it

But sometimes it's the bot coder's fault for having chosen the wrong way since the start. Simple as that.

This is an excuse to blame AnatolyEE for being a victim.

It was definately AnatolyEEs fault (he should have been more careful), but I definately do feel sorry for him, and think we should do what we can to help him with getting his stuff back

capasha

Member

Joined: 2015-02-21

Posts: 4,066

Re: How to save account details on your bot

Can't really say it's safe to store login details in binary either. If someone want to hack anyone, they would do so too.
I had different ways of encryptions for EEditor's account data. But then people would break through that anyway, like I said before.

Anyone looked into how the EE website saves your login info? Im fairly sure that whatever way they use would be the best (at least best moderately easy) way to do it

Are you talking about this forum or EE.com? If you are talking about how EE.com saves the login data, it's plaintext.
The flash is saving a flash cookie/LSO and if you want anyone's password you can look there. EE.com isn't so much safer.

I can say EE is using PlayerIO. If you login to PlayerIO on a wifi that people can do a MITM, they can read your login details. Because PlayerIO doesn't use a secure connection.

And therefor I don't see a reason to encrypt bot passwords.

LukeM

Member

From: England

Joined: 2016-06-03

Posts: 3,009

Website

Re: How to save account details on your bot

Can't really say it's safe to store login details in binary either. If someone want to hack anyone, they would do so too.
I had different ways of encryptions for EEditor's account data. But then people would break through that anyway, like I said before.

Anyone looked into how the EE website saves your login info? Im fairly sure that whatever way they use would be the best (at least best moderately easy) way to do it

Are you talking about this forum or EE.com? If you are talking about how EE.com saves the login data, it's plaintext.
The flash is saving a flash cookie/LSO and if you want anyone's password you can look there. EE.com isn't so much safer.

I can say EE is using PlayerIO. If you login to PlayerIO on a wifi that people can do a MITM, they can read your login details. Because PlayerIO doesn't use a secure connection.

And therefor I don't see a reason to encrypt bot passwords.

Oh... Thats quite bad... Especially because PlayerIO is quite a big (or at least was quite a big) thing

I would have thought that there would have been some sort of temporary key which you are given when you log on or something, that can then be used later to log in again

I guess its not as bad as storing them server-side though... unless PlayerIO stores the Usernames / passwords as plaintext too... (hopefully they're better than that though)

I find password safety quite an interesting topic, as there are almost always elegant solutions that can safely store passwords

Raphe9000

Member

Joined: 2015-03-16

Posts: 1,864

Re: How to save account details on your bot

But sometimes it's the bot coder's fault for having chosen the wrong way since the start. Simple as that.

This is an excuse to blame AnatolyEE for being a victim.

Nobody is happy about the situation he's in, but he did mess up. We have to learn from his mistake.

HeyNK

Member

Joined: 2017-04-07

Posts: 1,318

Re: How to save account details on your bot

This is an excuse to blame AnatolyEE for being a victim.

This is was what was in my pastebin when I got hacked. Tell me I was asking for it!

▼Hidden text

hunter2

Swarth100

Member

Joined: 2015-07-18

Posts: 305

Re: How to save account details on your bot

Can't really say it's safe to store login details in binary either. If someone want to hack anyone, they would do so too.
I had different ways of encryptions for EEditor's account data. But then people would break through that anyway, like I said before.

Anyone looked into how the EE website saves your login info? Im fairly sure that whatever way they use would be the best (at least best moderately easy) way to do it

Are you talking about this forum or EE.com? If you are talking about how EE.com saves the login data, it's plaintext.
The flash is saving a flash cookie/LSO and if you want anyone's password you can look there. EE.com isn't so much safer.

I can say EE is using PlayerIO. If you login to PlayerIO on a wifi that people can do a MITM, they can read your login details. Because PlayerIO doesn't use a secure connection.

And therefor I don't see a reason to encrypt bot passwords.

Wasn't packet sniffing ... uhm .... unethical?

den3107

Member

From: Netherlands

Joined: 2015-04-24

Posts: 1,025

Re: How to save account details on your bot

Can't really say it's safe to store login details in binary either. If someone want to hack anyone, they would do so too.
I had different ways of encryptions for EEditor's account data. But then people would break through that anyway, like I said before.

Anyone looked into how the EE website saves your login info? Im fairly sure that whatever way they use would be the best (at least best moderately easy) way to do it

Are you talking about this forum or EE.com? If you are talking about how EE.com saves the login data, it's plaintext.
The flash is saving a flash cookie/LSO and if you want anyone's password you can look there. EE.com isn't so much safer.

I can say EE is using PlayerIO. If you login to PlayerIO on a wifi that people can do a MITM, they can read your login details. Because PlayerIO doesn't use a secure connection.

And therefor I don't see a reason to encrypt bot passwords.

Wasn't packet sniffing ... uhm .... unethical?

Wasn't hacking or using accidentally received information in general ... uhm ... unethical?

XxAtillaxX

Member

Joined: 2015-11-28

Posts: 4,202

Re: How to save account details on your bot

Oh... Thats quite bad... Especially because PlayerIO is quite a big (or at least was quite a big) thing

I would have thought that there would have been some sort of temporary key which you are given when you log on or something, that can then be used later to log in again

I guess its not as bad as storing them server-side though... unless PlayerIO stores the Usernames / passwords as plaintext too... (hopefully they're better than that though)

I find password safety quite an interesting topic, as there are almost always elegant solutions that can safely store passwords

Well internally there are temporary and permanent session keys within Player.IO, which has it's own weaknesses and the like attributed towards it.
As for whether they are stored in plain-text within Player.IO, they aren't - however, they were stored in SHA-1 prior to SHA-256. SHA-1, of which, isn't much of an improvement.

I've seen far too many misplaced and naive security concerns like this, which itself requires fairly bold assumptions and/or ludicrous and impractical methods (as is mandating every software to implement local encryption.)
If you have privacy concerns as well as a functional brain, you would already have your software portable in a encrypted container, isolated through sand-boxing. Which sounds difficult, however it really isn't. I'll put out a tutorial sometime, perhaps.

If you are on a shared or corporate network where privacy is moot, you would not only be likely violating their policies, but you'd be incredibly stupid for not tunneling and deserve to be fired for running non-permitted software.
In the event that your local security is so poor that your plain-text credentials stored locally is at risk, honestly, your jumping smiley face game should be the least of your concerns.

---

*u stinky*

LukeM

Member

From: England

Joined: 2016-06-03

Posts: 3,009

Website

Re: How to save account details on your bot

Well internally there are temporary and permanent session keys within Player.IO, which has it's own weaknesses and the like attributed towards it.
As for whether they are stored in plain-text within Player.IO, they aren't - however, they were stored in SHA-1 prior to SHA-256. SHA-1, of which, isn't much of an improvement.

I've seen far too many misplaced and naive security concerns like this, which itself requires fairly bold assumptions and/or ludicrous and impractical methods (as is mandating every software to implement local encryption.)
If you have privacy concerns as well as a functional brain, you would already have your software portable in a encrypted container, isolated through sand-boxing. Which sounds difficult, however it really isn't. I'll put out a tutorial sometime, perhaps.

If you are on a shared or corporate network where privacy is moot, you would not only be likely violating their policies, but you'd be incredibly stupid for not tunneling and deserve to be fired for running non-permitted software.
In the event that your local security is so poor that your plain-text credentials stored locally is at risk, honestly, your jumping smiley face game should be the least of your concerns.

Its good to know that your data is stored (at least fairly) securely on the PlayerIO servers, which was my main concern

Im not majorly concerned that the data stored on your local machine is stored as plain text, but would have thought that PlayerIO would have implimented external keys or whatever, failing that, there is not much that the actual EE website could do to improve it, as storing encrypted data in the same place as the key would be basically pointless, and they wouldnt be able to do much else without having access to the PlayerIO servers