Remove salt from default plugin config #26

Open
githubnemo opened this issue Jun 4, 2014 · 3 comments

@githubnemo

Steps to hijack your users:

  1. Get a good look at the database (atlas.civcraft.net):

    select count(*), password from users group by password order by 1;

  2. Take one from the highest and guess that it must be a standard password

  3. Try to re-create the password

    echo -n 1337539sdfwwfWWDWFwwdfwQWFSCQqEFSAZ123456 | sha1sum

You should really use a different salt. At least now.
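The grouping check in step 1 and the hashing in step 3, as an added example that is not part of this issue or the plugin's code: it assumes the plugin stored sha1(salt + password) with a salt taken from its default config, and uses a constructed placeholder salt and password list. It shows why a shared default salt makes the "group by password" query informative, and how per-user random salts with PBKDF2 remove that signal.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed placeholder for a salt shipped in a plugin's default config.
# Every deployment that keeps the default shares it, so it is effectively public.
DEFAULT_SALT = b"EXAMPLE-DEFAULT-SALT"
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def weak_hash(password: str, salt: bytes = DEFAULT_SALT) -> str:
    """Assumed scheme from the issue: one fixed salt for all users, single SHA-1.
    Equal passwords give equal stored values, which is what step 1 exploits."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def strong_hash(password: str) -> str:
    """Per-user random salt plus a slow KDF; stored as 'salt_hex$hash_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored per-user salt; constant-time compare."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def largest_shared_group(stored_values) -> int:
    """Mirror of 'select count(*), password from users group by password order by 1':
    the size of the biggest cluster of users sharing one stored value. A result
    above 1 means the store reveals which accounts use the same password."""
    return max(Counter(stored_values).values())


# Constructed sample of user passwords; several users picked the same weak one.
USERS = ["hunter2", "hunter2", "hunter2", "correct horse battery", "hunter2"]

if __name__ == "__main__":
    print("fixed salt, largest cluster :", largest_shared_group([weak_hash(p) for p in USERS]))
    print("per-user salt, largest cluster:", largest_shared_group([strong_hash(p) for p in USERS]))
```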

@netizen539
Owner

Yeah it should probably be removed. However that database is no longer active.

@githubnemo
Author

But there are still passwords from users. It is not unlikely they use the same password for other services (like minecraft). These passwords are now easily guessable and are available to the public with their minecraft usernames. If that database is not used anymore, remove it or make it non-public for the sake of your users.

@netizen539
Owner

Thanks for pointing that out. The database should no longer be accessible.
