Unsecure forum account password - Requesting HTTPS access

Tigerious · 03-13-2012, 06:28 PM

Dear NGD,

Forum account password and regnum online characters are the same and it is unsecure. I know that it''s more easy access for common people who just want to play etc etc but the problem is that we send password in clear text via http protocol.
What about give us secure layer access for identification process ? I think it can be easily done and added to your current webserver configuration and wont take you that much time as for fixing bugs in game.
It's just a suggestion there...

Regards.

Ashnurazg · 03-14-2012, 06:39 PM

I'm requesting that NGD change the Password saving method, too. Now passwords seems to be MD5 hashed.
MD5 is outdated and insecure, even when it's "salted".

There are 5 cryptographic hash functions which are secure for the moment:
RIPEMD-128/256
RIPEMD-160/320
SHA-256/224
SHA-512/384
WHIRLPOOL

DemonMonger · 03-15-2012, 02:34 AM

I warned the people and NGD about this when I first looked at these forums years ago.
I told everyone to make a second account just to use on forums.

My main account is banned from forums due to duplicate account rule that came later, but thats ok because this is only for forums (as it should be).

Sometimes we need to let people stumble and make mistakes in life right?

(Off topic)
The game is good, but it would be GREAT if NGD created a new balance team that knew alot about their specific characters in all situation.

(On topic)
Several things can be done to make sure we don't get hacked like gamigo did. If you have any ideas please send them to ngd asap.

Phrack · 03-15-2012, 08:19 AM

Quote:

Originally Posted by Tigerious

Dear NGD,

Forum account password and regnum online characters are the same and it is unsecure. I know that it''s more easy access for common people who just want to play etc etc but the problem is that we send password in clear text via http protocol.
What about give us secure layer access for identification process ? I think it can be easily done and added to your current webserver configuration and wont take you that much time as for fixing bugs in game.
It's just a suggestion there...

Regards.

mehh

Quick search..

isgandarli · 03-15-2012, 10:14 AM

Quote:

Originally Posted by Phrack

mehh

Quick search..

DDOS won't give you anything useful

Anpu · 03-24-2012, 12:58 PM

Nice one! It should be present on forums, website and ticket system. It should not be much problem to set it, you only need valid certificate (besides setting apache to handle) afaik. NGD cannot influence much on website / forums / tickets core software security, but they can at least enhance it with https.

View Poll Results: Would you like to have the secure access for identification ?
Yes it would be better and safer.	16	72.73%
No it's useless/uneeded.	3	13.64%
I don't know what is the secure layer or I just don't care !	3	13.64%
Voters: 22. You may not vote on this poll

03-13-2012, 06:28 PM	#1
Tigerious Banned Join Date: Nov 2008 Location: France Posts: 496	Unsecure forum account password - Requesting HTTPS access Dear NGD, Forum account password and regnum online characters are the same and it is unsecure. I know that it''s more easy access for common people who just want to play etc etc but the problem is that we send password in clear text via http protocol. What about give us secure layer access for identification process ? I think it can be easily done and added to your current webserver configuration and wont take you that much time as for fixing bugs in game. It's just a suggestion there... Regards.

03-14-2012, 06:39 PM	#2
Ashnurazg Initiate Join Date: May 2010 Location: Europe, Germany Posts: 128	I'm requesting that NGD change the Password saving method, too. Now passwords seems to be MD5 hashed. MD5 is outdated and insecure, even when it's "salted". There are 5 cryptographic hash functions which are secure for the moment: RIPEMD-128/256 RIPEMD-160/320 SHA-256/224 SHA-512/384 WHIRLPOOL __________________ One Ring to rule ... Regnum!

03-24-2012, 12:58 PM	#6
Anpu Count Join Date: Jun 2007 Posts: 1,186	Nice one! It should be present on forums, website and ticket system. It should not be much problem to set it, you only need valid certificate (besides setting apache to handle) afaik. NGD cannot influence much on website / forums / tickets core software security, but they can at least enhance it with https. __________________ Inquisition

03-15-2012, 02:34 AM	#3
DemonMonger Marquis Join Date: Mar 2007 Location: Edge of the Abyss Posts: 2,066	I warned the people and NGD about this when I first looked at these forums years ago. I told everyone to make a second account just to use on forums. My main account is banned from forums due to duplicate account rule that came later, but thats ok because this is only for forums (as it should be). Sometimes we need to let people stumble and make mistakes in life right? (Off topic) The game is good, but it would be GREAT if NGD created a new balance team that knew alot about their specific characters in all situation. (On topic) Several things can be done to make sure we don't get hacked like gamigo did. If you have any ideas please send them to ngd asap.