MNG Posted January 5, 2014

Not sure if you guys know the person named "MrAshly", but this person hasn't done any SQL injection from sending points or anything. They have a way to access other accounts. Does anyone know how to prevent this? I could post header, login and register if needed, but I sort of need help with this ASAP.

dnenb Posted January 5, 2014

I have a player named that in my game. You're saying "he just" has access to other accounts?

MNG (Author) Posted January 5, 2014

He got member passwords out of nowhere and the game has been out for 2 days.

Veramys Posted January 5, 2014

Are you using stock forums? I seem to remember a way to get login info from forums.

MNG (Author) Posted January 5, 2014

> Are you using stock forums? I seem to remember a way to get login info from forums.

Yes, and how is he getting info from it?

Veramys Posted January 5, 2014

Ahh my bad, 7 am and I've not been to bed, didn't see this wasn't mccodes. I've not had much experience with the setup on GRPG. Sorry man :/

MNG (Author) Posted January 5, 2014

I hashed the password with sha512, just want to know how to make the existing accounts' passwords sha512?

sniko Posted January 5, 2014

SHA-512 is a cryptographic hash function. Cryptographic hash functions are one way - so you're safe (at least for the actual raw passwords, unless MrAshly has a super-computer, or NSA's help, which I doubt.) - so you could force a password reset via the e-mail players signed up with, assuming they're not fake e-mails.

He's probably just session stealing - hopefully, as this is a somewhat easy exploit to fix. May I have a game link so I can test my theory?

With regards to hashing existing passwords with SHA-512, you'd have to deploy some routine to md5 encrypt, then SHA-512 on certain passwords - which isn't hard to do.

Guest Posted January 5, 2014

You will need to force the users to change their password on login into the new format. On login, detect if they have an md5 pass, then take them to the account page; don't let them do anything else. Make sure you change the change password to suit the sha512.

EDIT: Sniko beat me to it

sniko Posted January 5, 2014

> You will need to force the users to change their password on login into the new format. On login, detect if they have an md5 pass, then take them to the account page; don't let them do anything else. Make sure you change the change password to suit the sha512.
>
> EDIT: Sniko beat me to it

If he has access to their game accounts, he will have the power to render their account useless, as he will be welcome to the password change screen. Best way is to make use of the e-mail address they signed up with.
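
Added example, not part of the original thread and not GRPG code: a sketch of the migration discussed in the posts above, where existing rows are re-hashed in bulk from their MD5 value and each account is moved to the new format at its next successful login. It assumes legacy rows hold unsalted `md5()` hex, and it uses PHP's `password_hash()` as the target format in place of bare SHA-512 (a substitution made for this example); the `md5w:` marker and all function names are hypothetical.

```php
<?php
// Added example. Assumption: legacy rows store unsalted md5() hex digests.

const WRAP_TAG = 'md5w:'; // constructed marker for bulk-converted rows

function isLegacyMd5(string $stored): bool {
    return (bool) preg_match('/^[a-f0-9]{32}$/i', $stored);
}

// Offline pass over existing rows: no plaintext is needed, because the
// stored MD5 hex itself becomes the input of the stronger hash.
function wrapLegacy(string $stored): string {
    return isLegacyMd5($stored)
        ? WRAP_TAG . password_hash(strtolower($stored), PASSWORD_DEFAULT)
        : $stored;
}

// Returns [bool $ok, ?string $replacement]. When $replacement is not null
// the caller writes it back, which moves the row to the final format.
function verifyAndUpgrade(string $password, string $stored): array {
    if (isLegacyMd5($stored)) {
        // Row the bulk pass has not reached yet.
        $ok = hash_equals(strtolower($stored), md5($password));
    } elseif (strncmp($stored, WRAP_TAG, strlen(WRAP_TAG)) === 0) {
        // Bulk-converted row: verify against password_hash(md5(password)).
        $ok = password_verify(md5($password), substr($stored, strlen(WRAP_TAG)));
    } else {
        // Row already in the final format.
        $ok = password_verify($password, $stored);
        if ($ok && !password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            return [true, null];
        }
    }
    return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed sample data: one legacy row taken through both stages.
$row = wrapLegacy(md5('hunter2'));                 // bulk conversion
[$ok, $new] = verifyAndUpgrade('hunter2', $row);   // next login
var_dump($ok, $new !== null && password_verify('hunter2', $new));
[$bad] = verifyAndUpgrade('wrong-guess', $row);    // failed login, no rewrite
var_dump($bad);
```

Re-hashing protects only the stored values; passwords that are already exposed still need the e-mail reset described in the post above.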

MNG (Author) Posted January 5, 2014

Thanks to Sniko, he has found the problem.

Lithium Posted January 5, 2014

I actually think everyone gets what they deserve. A quick look at your posts, a quick look throughout the forums and you would have seen that plain text passwords are simply dumb, even more on an engine full of security holes everywhere. The rush to publish a game, with such a thing happening just 48 hours after launch... A game voted to fail. Sorry if this sounds harsh but it's reality.

MNG (Author) Posted January 5, 2014

> I actually think everyone gets what they deserve. A quick look at your posts, a quick look throughout the forums and you would have seen that plain text passwords are simply dumb, even more on an engine full of security holes everywhere. The rush to publish a game, with such a thing happening just 48 hours after launch... A game voted to fail. Sorry if this sounds harsh but it's reality.

I have been working on it for 3 months now and just published it.

Lithium Posted January 5, 2014

> I have been working on it for 3 months now and just published it.

Exactly as I said... In a rush!

dnenb Posted January 6, 2014

> Exactly as I said... In a rush!

Are you saying that's rushing things for a browser game? I disagree. Launch the game as soon as you can. The issues that arise will make you get to fixing them fast, and you'll learn something new every time. As a new developer you can't possibly read up on every single mistake you might make.

http://www.codinghorror.com/blog/2009/12/version-1-sucks-but-ship-it-anyway.html

If I misunderstood: Sorry. But that link is still worth reading.

Seker Posted January 6, 2014

Not to mention, a subject like "too soon" is very subjective. I get the feeling this guy isn't the most experienced. However, you or I do not actually know this. You never have any idea how long it will take one person to the next to do a certain task. Just because one project may take one developer a year plus to finish does not mean it will take another developer the same amount of time to complete a different project. It's silliness and there's no reason for that line of thinking.

Lithium Posted January 6, 2014

> Not to mention, a subject like "too soon" is very subjective. I get the feeling this guy isn't the most experienced. However, you or I do not actually know this. You never have any idea how long it will take one person to the next to do a certain task. Just because one project may take one developer a year plus to finish does not mean it will take another developer the same amount of time to complete a different project. It's silliness and there's no reason for that line of thinking.

I can agree with this point of view, but looking just a bit at MNG's previous posts, it's not hard to find that experience... is not his strong suit. Also, an experienced developer does take their time, not 3 months even. And my line of thinking may be wrong, though all through the years I have seen this too many times, and usually... "rushed" games are voted to fail, mostly for the initial rush and the lack of experience to solve problems.