Technical Support



#1 [en] 

I would think changing a password regularly and choosing a *good* password will make it harder for any malicious attacker to breach a server and steal confidential information, like credit card info and so forth.

After looking at my password and judging it with regard to security, it was immediately clear that it doesn't fulfil current standards. So, I thought changing it and making it more secure would be a good idea.

However, the attempt to use a stronger password which consisted of *just* 12 characters failed due to:

"The password is too long, please choose a shorter one."

Huh? This is hilarious! --- No, actually this is incredibly foolhardy - and it is actually quite *dangerous* from a security point of view!

First, when the *length* of a string matters, the reason could be that it is stored *as is* in a database. So, are the passwords stored *as is* in the database? Today, nobody stores passwords in the clear on the server, right? (Maybe except Sony). We should use a randomly salted SHA-256 instead - or better. You clearly know what this is, so I won't point you to the wiki. A side effect of this is that the length of the original password does not matter on the server side.

But if this matters, I suspect passwords are saved in the clear in the database. If this is true, this is a huge security vulnerability, to say the least. This would be intolerable, actually.


The other thing is, the longer the password (or phrase), the harder it becomes to crack it. Using more characters, or a phrase of random words like "Not Munich after 1205" instead of a short cryptic one, e.g. "+x2U[&@Bx", is generally preferred to get *stronger* and better passwords.

Sure, how this eventually turns out depends on the kind of attack (dictionary attack, brute force, etc). But experience has shown that a *phrase* of random words is more secure and more memorable than a short word of random characters.



So, now back to Ryzom:

How does Ryzom handle passwords? Is it considered sufficiently secure? I think it's not!


Now that I sit here in front of the login page, trying to change my password and having to choose a weak one, with all of the above in mind it gives me gripes and leaves me very uncomfortable, since I fear my confidential information is not secure.



For the interested reader:

There are *a lot* of security related articles on the web. It's a complex topic - and choosing a strong password is just one tiny bit of enforcing security. Here is just one quite informative blog post that doesn't go too deep into cryptographic details, covering this specific topic:

https://stormpath.com/blog/5-myths-password-security/

See also the links contained in this article.

Edited 2 times | Last edited by Biir (9 years ago)

#2 [en] 

See comments #14 and onward on this topic.

tl;dr No answer despite several people raising the same issue over and over.

---

#3 [en] 

https://bitbucket.org/ryzom/ryzomcore/pull-request/88/rolling-back-to-include-a-crypt-3/diff
Ryzomcore already took care of it :)

---

#4 Multilingual 

Hello,

Ryzom only stores the personal information entered by the user on his account page, and in no case whatsoever is banking data stored in our systems. Instead the transactions in connection with subscriptions are done exclusively by third party operators (Worldpay, PlaySpan).

No passwords are saved without encryption in the database; in effect a salt is used to secure it.

The length and the encryption of the passwords have been changed in the code by Ryzom Core. Once tested and validated, these changes will be applied to Ryzom services.

The improvement of security is an integral part of Ryzom Roadmap for 2015: https, secure.ryzom.com, passwords.

Edited 3 times | Last edited by Tamarea (9 years ago)

---

Tamarea
Ryzom Team Manager
(FR / EN / ES)

tamarea@ryzom.com

#5 [en] 

Icus (atys)
https://bitbucket.org/ryzom/ryzomcore/pull-request/88/rolling-back-to-include-a-crypt-3/diff
Ryzomcore already took care of it :)


This issue seems to have been solved five months ago. So, why is it not in effect?

Ahh, that was sarcasm :)

And a side note: the forum is not secure either, and requires me to send my password in the clear. I can't believe that!!

Don't forum frameworks have this feature included and enabled by default? Certificates are affordable, too, nowadays.

#6 [en] 

Good to know, because I just checked the roadmap, and I couldn't find anything ...

---
