kiz5000 Posted June 15, 2012
Hi, I've just noticed how many people have signed up to my game but have never actually logged in. After browsing through my members and noticing a few people who have never logged in, I decided to do a quick SQL select command to show how many people have actually never logged in. Out of the 400 members, 49 of them have never logged in, which is a pretty alarming number as it sits at over 10% of the game population. I was just wondering if anybody had noticed this on their games and, if so, what percentage of your members have never signed in? I cannot understand it, as I've checked the signup process, and the links and login form on the page work fine, so I'm lost for ideas on why they would be doing this. I thought at first that maybe some of them are that thick that they forget their user/pass within seconds of signing up, so I started displaying their user/pass to them with the text that tells them the signup was successful, but it's still happening??
kiz5000 (Author) Posted June 15, 2012
Hey, thanks for the reply. Yeah, I've owned a few games before and I understand that you're looking at about 100 players out of every 1,000 that will stay active. It just confuses me about the people who sign up and then never log in once. And I may have to look into your idea about the automatic login after signup; this way they will be in the game instantly. I just cannot understand why over 49 people have signed up to the game and then suddenly just thought.. "No actually, I don't feel like logging in"..
mixmaster Posted June 15, 2012
Just to let you know, seeing as you are able to show the user their password, I would think of upgrading to a new password encryption (I'm guessing you have kept the encryption mccodes used, "md5").
kiz5000 (Author) Posted June 15, 2012
Hey, thanks for the advice. The password is already md5 encrypted and gets encrypted in the INSERT command, but to show the password to them I just show the POST password variable, which has no encryption on it at the time of showing, if you get what I mean.
mixmaster Posted June 15, 2012
Yes, that is what I am saying: md5 should not be used for password encryption. Anyone can go on Google and find a SQL injection to retrieve any md5 password from your database, then use an md5 decrypter to get the plain text password, so upgrade as soon as you can. http://uk.php.net/manual/en/function.crypt.php
Edited June 15, 2012 by mixmaster
HauntedDawg Posted June 15, 2012
> Yes, that is what I am saying: md5 should not be used for password encryption. Anyone can go on Google and find a SQL injection to retrieve any md5 password from your database, then use an md5 decrypter to get the plain text password, so upgrade as soon as you can.
This is rainbow tables. It had millions of MD5 password encryptions. But it does not mean that my exact password will be on there. Not everyone has thought of the password, so it's not in the rainbow table. For example, I have a password as kyletodo123, but somewhere on a rainbow table there is a kyletod0123. Notice the difference? He's posting what the user has posted. No security threat there, unless he has people around him, or perhaps on TeamViewer. Then his password will be visible to the people around him, or if he's on TeamViewer.
kiz5000 (Author) Posted June 15, 2012
Oh sorry mixmaster, I read your post wrong. Yeah, I did feel a bit alarmed about the fact that if you did manage to get the passwords from the database you can search on Google and easily decrypt passwords, but like Haunted said, not all the passwords are in those tables, as 3 out of the 20 I tried couldn't be found, but it did only try 2 or 3 sites. I will look at that link and look into upgrading in the future. Thanks.
Edited June 15, 2012 by kiz5000
mixmaster Posted June 15, 2012
So you are saying that using md5 as a password encryption is fine? Because to me, any form of it being so easy to attempt a decryption in seconds of getting the md5 encrypted password IS a security threat.
HauntedDawg Posted June 15, 2012
> So you are saying that using md5 as a password encryption is fine? Because to me, any form of it being so easy to attempt a decryption in seconds of getting the md5 encrypted password IS a security threat.
MD5 cannot be decrypted. The way it has been decrypted now is that millions of people used md5encrypter.com, which stores your password in a rainbow table. Then md5decrypter.com searches that database for the md5 and gives you the password. In no way is this called decrypting.
mixmaster Posted June 15, 2012
It isn't just your admin account's password that you have to worry about. If someone does get all the md5 passwords from your database and finds JUST 1 that is able to be decrypted and then starts shouting it off to all the other users, how long do you think they will stay, knowing they could have their account breached?
Edited June 15, 2012 by mixmaster
HauntedDawg Posted June 15, 2012
Firstly, after owning many games, all the hackers try to do is gain money from the game, not the passwords. By this, I am NOT saying it is safe to use md5, but if you don't know how to add salts, then leave it as MD5. The chances of your game being hacked out of the millions of websites out there are scarce. But obviously, anyone on MWG will only target mccode games. After owning multiple mccode games, there was one way to gain someone's password. But mccodes have now blocked that.
KyleMassacre Posted June 15, 2012
How about a random pw generator? That way it's all random (hence the term random), and if players don't want to use it and get their passwords stolen then it's kinda their bad. Or maybe make it alarm you every so many weeks, months or whatever to make you change the password.
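The upgrade away from unsalted MD5 that the thread discusses can be done without resetting anyone's password: check the old digest at login, then store a salted, slow hash in its place. This is an added example, not code from the thread or from MCCodes; the function names are hypothetical, and it assumes PHP 5.6+ and a password column wide enough (255 characters) for the new hashes.

```php
<?php
// Added example: hypothetical helpers, not MCCodes code.

// New signups: password_hash() generates a random per-user salt and
// stores the algorithm, cost and salt inside the returned string.
function hash_new_password($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Legacy rows hold a bare 32-character hex MD5 digest.
function is_legacy_md5($stored)
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

// Returns array(bool $ok, string|null $replacementHash).
// When $replacementHash is not null the caller should UPDATE the user's row.
function verify_and_upgrade($plain, $stored)
{
    if (is_legacy_md5($stored)) {
        // Constant-time comparison against the old digest.
        if (!hash_equals(strtolower($stored), md5($plain))) {
            return array(false, null);
        }
        // Correct password: replace the MD5 row while the plaintext is in hand.
        return array(true, hash_new_password($plain));
    }
    if (!password_verify($plain, $stored)) {
        return array(false, null);
    }
    // Re-hash if the default algorithm or cost changed since this hash was made.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? hash_new_password($plain)
        : null;
    return array(true, $new);
}

// Constructed sample: one legacy row, upgraded on its first successful login.
$legacy = md5('constructed-sample-pass');
list($ok, $upgraded) = verify_and_upgrade('constructed-sample-pass', $legacy);
var_dump($ok, is_legacy_md5($upgraded));
// The upgraded row now verifies through password_verify() and needs no rewrite.
var_dump(verify_and_upgrade('constructed-sample-pass', $upgraded));
// A wrong password is rejected and never triggers a rewrite.
var_dump(verify_and_upgrade('wrong-guess', $upgraded));
```

Rows belonging to accounts that never log in again stay as MD5 under this scheme, so those need a forced reset or a wrapped hash as a separate step.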