rpiller

Posted 07 January 2013 - 06:47 AM

If an attacker can snoop whatever is sent on the wire, they can log in

 

If they hack the wire, yes, they will be able to use that bcrypt'd value to log into just this game. If they hack the wire and the clear-text pw is there, they possibly now know the password for this person for multiple websites. My primary concern/fear is for the user's password protection for other websites they may be using the same password for, not just my game. I am also defending on the database side, but doing this one extra step looks like it could defend on the other side for passwords that may be used in other spaces. My game is small and petty compared to a person's banking password. I'm not willing to just pass the blame onto them for using the same password, or, more importantly, to be sued over it if such a compromise happened!

 

You are correct; my last comment was incorrect about not requiring wire security. I will continue to use RakNet's secure wire transfer system, but will also take the hour or so to implement this double bcrypt, in case the wire security for RakNet is broken somehow, to protect what could possibly be a pw used for other, more important, systems.
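To make the two-step scheme discussed in this post concrete, here is an added example (my own code, not rpiller's and not part of RakNet) of a client-side hash followed by a second, independent server-side hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt so it runs with no third-party package; the structure is what matters, and bcrypt drops in at either step. The function names `client_hash`, `server_register` and `server_verify`, the iteration counts, the `GAME_DOMAIN` constant and the sample credential are all assumptions of this example. The `demo` function also exercises the point conceded above: a token captured on the wire can be replayed to log into this game, but the captured value is not the password itself and differs from what the same password would produce for another site.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here so the
# example runs without a third-party package; the two-step structure is the same.
CLIENT_ITERATIONS = 100_000   # assumed cost parameter
SERVER_ITERATIONS = 100_000   # assumed cost parameter
GAME_DOMAIN = b"my-game-login-v1"   # assumed per-game constant, not from the post


def client_hash(username: str, password: str, domain: bytes = GAME_DOMAIN) -> bytes:
    """Step 1, on the client: turn the password into a login token before it
    touches the wire. The salt is deterministic (game constant + username) so
    the client needs no round trip to fetch it, and the game constant makes
    the token differ from what the same password would yield for another site."""
    salt = hashlib.sha256(domain + username.lower().encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, CLIENT_ITERATIONS)


def server_register(db: dict, username: str, token: bytes) -> None:
    """Step 2, on the server: hash the received token again with a random,
    per-user salt. The database never stores the token itself, so a DB dump
    does not yield values that can be replayed as logins."""
    salt = os.urandom(16)
    db[username.lower()] = (salt, hashlib.pbkdf2_hmac("sha256", token, salt, SERVER_ITERATIONS))


def server_verify(db: dict, username: str, token: bytes) -> bool:
    """Re-hash the presented token with the stored salt and compare in constant time."""
    record = db.get(username.lower())
    if record is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal whether the account exists.
        hashlib.pbkdf2_hmac("sha256", token, b"\x00" * 16, SERVER_ITERATIONS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", token, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Walk through registration, a good login, a wrong password, an unknown
    user, and the case the post concedes: an attacker who captured the token
    can replay it into this game, although the token does not contain the
    password and is not the token the same password would give another site."""
    db = {}
    password = "correct horse battery"   # constructed sample credential
    token = client_hash("alice", password)
    server_register(db, "alice", token)
    return {
        "login_ok": server_verify(db, "alice", client_hash("alice", password)),
        "wrong_password": server_verify(db, "alice", client_hash("alice", "wrong")),
        "unknown_user": server_verify(db, "mallory", token),
        "replayed_token": server_verify(db, "alice", token),   # sniffed token still works here
        "token_reveals_password": password.encode("utf-8") in token,
        "other_site_token_differs": client_hash("alice", password, b"other-site") != token,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth keeping in mind: the client-side salt has to be something the client can recompute on its own (here the username plus a fixed game constant), otherwise the server would have to hand it out before login; and the second hash on the server is what keeps a stolen database from containing directly replayable tokens, which is why the client hash alone is not a substitute for it.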

