English French German Spanish Russian
"The password is too long, please choose a shorter one." - Technical Support - Ryzom Community ForumHomeGuest

Technical Support


uiWebPrevious1uiWebNext

#1 [en] 

I would think changing a password regularly and choose a *good* password will make it harder for any malicious attacker to breach into a server and allow her to steal confidential information, like credit card info and so force.

After looking at my password and judge that with regard to security, it was immediately clear, that this doesn't fulfil current standards. So, I though changing it and make it more secure would be a good idea.

However, the attempt to use a stronger password which consisted of *just* 12 characters failed due to:

"The password is too long, please choose a shorter one."

Huh? This is hilarious! --- No, actually this is incredible foolhardy - and it is actually quite *dangerous* from a security point of view!

First, when a *length* of a string matters, the reason could be that it is stored *as is* into a database. So, are the passwords stored *as is* in the database? Today, nobody stores passwords in clear on the server, right? (Maybe except Sony). We should use a randomly salted SHA-256 instead - or better. You clearly know what this is, so I don't point you to the wiki. A side effect of this is that the length of the original password does not matter on the server side.

But if this matters, I suspect passwords are saved in the clear on the database. If this is true, this will be a huge security vulnerability, to say the least. This would be intolerable, actually.


The other thing is, the longer the password (or phrase) the more harder it becomes to crack it. Using just more characters, or a phrase with random words "Not Munich after 1205" in favour of a short cryptic one, e.g. "+x2U[&@Bx" is generally preferred to get *stronger* and better passwords.

Sure, how this eventually turns out depends on the kind of attack (dictionary attack, brute force, etc). But the experiences showed that a *phrase* of random words is more secure and more memorable than a word of short random characters.



So, now back to Ryzom:

How does Ryzom handle passwords? Is it considered sufficiently secure? I think it's not!


Now, that I sit here in front of the login page, trying to change my password and have to choose a weak one and with all that above in mind it gives me gripes and leaves me very uncomfortable since I fear my confidential information is not secure.



For the interested reader:

There's are *a lot* of security related articles in the web. It's a complex topic - and choosing a strong password is just one tiny bit to enforce security. Here is just one but quite informative blog post that doesn't go too deep into cryptographic details covering this specific topic:

https://stormpath.com/blog/5-myths-password-security/

See also the links contained in this article.

Edited 2 times | Last edited by Biir (5 years ago)

#2 [en] 

See comments #14 and onward on this topic.

tl;dr No answer despite several people raising the same issue over and over.

---

#3 [en] 

https://bitbucket.org/ryzom/ryzomcore/pull-request/88/rolling-bac k-to-include-a-crypt-3/diff
Ryzomcore already took care of it :)

---

#4 Multilingual 

Multilingual | Fran├žais | [English]
Hello,

Ryzom only stores the personal information entered by the user on his account page, and in no case whatsoever is banking data stored in our systems. Instead the transactions in connection with subscriptions are done exclusively by third party operators (Worldpay, PlaySpan).

No passwords are saved without encryption in the data base, in effect a salt is used to secure it.

The length and the encryption of the passwords have been changed in the code by Ryzom Core.Once tested and validated, these changes will be applied to Ryzom services.

The improvement of security is an integral part of Ryzom Roadmap for 2015: https, secure.ryzom.com, passwords.

Edited 3 times | Last edited by Tamarea (5 years ago)

---

Tamarea
Ryzom Team Manager
(FR / EN / ES)

tamarea@ryzom.com



Ryzom Forge Wiki

#5 [en] 

Icus (atys)
https://bitbucket.org/ryzom/ryzomcore/pull-request/88/rolling-bac k-to-include-a-crypt-3/diff
Ryzomcore already took care of it :)


This issue seems to be solved five month ago. So, why is it not in effect?

Ahh, that was sarcasm :)

And a side note: the forum is not secure too, and requires me to send my password in the clear. I can't believe that!!

Don't have forum frameworks this feature included and enabled by default? Certificates are affordable, too now adays.

#6 [en] 

Good to know, because i just checked the roadmap, and i couldn't find anything ...

---

uiWebPrevious1uiWebNext
 
Last visit Mon Oct 21 13:38:44 2019 UTC
P_:

powered by ryzom-api