Just a little question, many of u should know.
-
- Posts: 2
- Joined: Mon Apr 07, 2008 9:41 pm
Just a little question, many of u should know.
That's helpful for me.
What encryption(s) does l2 use on the login and gameserver...
Anything special about these algos?
And what other game is very close to that?
You can simply outline the login procedure since there's not that much to say about the gameserver
-
- Posts: 37
- Joined: Thu Aug 06, 2009 7:55 pm
Re: Just a little question, many of u should know.
as far as i know, password is sent plaintext to the server. the only encryption that happens is when the password is converted to SHA1 then encoded in base64 (i think, might be wrong about the second part).
what's funny is that we store the password in encrypted format but it's still sent plaintext in the first place. so why even bother storing it in SHA1 then encoded to base64? if someone has access to your accounts table, it's all over anyway.
-
- L2j Veteran
- Posts: 3437
- Joined: Wed Apr 30, 2008 8:53 am
- Location: Russia
Re: Just a little question, many of u should know.
You can't do anything with passwords in plain text - this is the client and it's illegal to mod it.
Also SHA1 is irreversible, and the only possible way to retrieve passwords is bruteforce.
Committer of the shit
public static final int PI = 3.1415926535897932384626433832795;
-
- Posts: 2
- Joined: Mon Apr 07, 2008 9:41 pm
Re: Just a little question, many of u should know.
Well you got nothing right ;(
Base64 is not really an encryption, nor does the client use SHA1; that's an l2j invention to safely store passwords...
And the password is not sent plaintext either.
-
- Posts: 37
- Joined: Thu Aug 06, 2009 7:55 pm
Re: Just a little question, many of u should know.
_DS_ wrote:
You can't do anything with passwords in plain text - this is the client and it's illegal to mod it.
Also SHA1 is irreversible, and the only possible way to retrieve passwords is bruteforce.

but what's the point of storing the password in the database in an encrypted format? why not store it plaintext?
not asking how to do it, i know how to change that if i wanted. just asking why it's done.
-
- L2j Veteran
- Posts: 3437
- Joined: Wed Apr 30, 2008 8:53 am
- Location: Russia
Re: Just a little question, many of u should know.
Personally I would prefer a server with hashed passwords instead of plaintext. Security, you know

Committer of the shit
public static final int PI = 3.1415926535897932384626433832795;
-
- Posts: 37
- Joined: Thu Aug 06, 2009 7:55 pm
Re: Just a little question, many of u should know.
_DS_ wrote:
Personally I would prefer a server with hashed passwords instead of plaintext. Security, you know

security from what? >_>
like i said, if your accounts table is accessible, chances are your password is already gotten. decode from base64, then you have the SHA1 hash, and then you can use sites like this to see if it's a relatively simple pass: http://www.sha1-lookup.com/
Otherwise you can run a GPU based bruteforcer and do 100 million hashes a second (or more if you have a better video card). :-p
i dunno, just seems silly that we store it like that for no real reason.
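The storage scheme snap describes above (base64 over an unsalted SHA1, cracked by decoding the base64 and looking the hash up, or by running a wordlist through a fast hasher) and the GPU-cost argument made later in the thread, shown as an added Python example. This is not L2j code (L2j itself is Java); the function names, the sample accounts table and the wordlist are constructed for the demo. The second half shows the salted, iterated alternative (PBKDF2-HMAC-SHA256, per-user random salt) so the cost difference is visible as a count of hash evaluations rather than a claim.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Storage scheme as the thread describes it for L2j: base64(SHA1(password)),
# no salt and a single fast hash. (Demo reimplementation, not L2j's code.)
def l2j_legacy_hash(password: str) -> str:
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

def legacy_to_hex(stored: str) -> str:
    """Undo the base64 layer: this hex string is what you would paste into an online SHA1 lookup."""
    return base64.b64decode(stored).hex()

# Constructed sample accounts table and wordlist (not real data).
LEGACY_ACCOUNTS = {
    "alice": l2j_legacy_hash("dragon"),
    "bob":   l2j_legacy_hash("letmein"),
    "carol": l2j_legacy_hash("Xk9#qT!vL2zzQ"),   # not in the wordlist, survives both attacks
}
WORDLIST = ["123456", "password", "dragon", "qwerty", "letmein", "lineage2"]

def crack_legacy(accounts, wordlist):
    """Dictionary attack on the unsalted scheme.

    Without a salt every account that chose the same password has the same
    stored value, so one pass over the wordlist cracks the whole table:
    hash evaluations == len(wordlist), independent of the number of accounts.
    Returns (cracked, hash_evaluations).
    """
    table = {l2j_legacy_hash(w): w for w in wordlist}
    cracked = {login: table[stored] for login, stored in accounts.items() if stored in table}
    return cracked, len(wordlist)

# Hardened alternative: per-user random salt plus an iterated hash.
# Iteration count is kept low so the demo runs quickly; production uses a much higher work factor.
PBKDF2_ITERATIONS = 50_000

def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode("ascii"), base64.b64encode(dk).decode("ascii"))

def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))   # constant-time compare

# Same users and passwords, stored with the salted scheme (fresh random salt per user).
SALTED_ACCOUNTS = {login: pbkdf2_hash(pw) for login, pw in
                   [("alice", "dragon"), ("bob", "letmein"), ("carol", "Xk9#qT!vL2zzQ")]}

def crack_salted(accounts, wordlist):
    """Same wordlist against the salted, iterated scheme.

    No shared lookup table is possible: every (account, candidate) pair costs a
    full PBKDF2 run, so work grows with accounts x wordlist x iterations.
    Weak passwords still fall; the point is the cost per guess, not immunity.
    Returns (cracked, hash_evaluations).
    """
    cracked, evaluations = {}, 0
    for login, stored in accounts.items():
        for w in wordlist:
            evaluations += 1
            if pbkdf2_verify(w, stored):
                cracked[login] = w
                break
    return cracked, evaluations

if __name__ == "__main__":
    print(crack_legacy(LEGACY_ACCOUNTS, WORDLIST))   # ({'alice': 'dragon', 'bob': 'letmein'}, 6)
    print(crack_salted(SALTED_ACCOUNTS, WORDLIST))   # ({'alice': 'dragon', 'bob': 'letmein'}, 14)
```

Both attacks recover the two dictionary passwords; the difference is six cheap SHA1 calls for the whole table versus fourteen PBKDF2 runs of 50,000 iterations each, and the salted count keeps growing with every extra account while the unsalted one does not.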
- DrHouse
- L2j Inner Circle
- Posts: 912
- Joined: Mon Jan 22, 2007 12:14 am
- Location: Spain
Re: Just a little question, many of u should know.
Well, I feel my balls safer knowing that my bank stores my password hashed rather than plain text. Imagine a hacker (or an employee) gets access and reads some of them without being detected... fatal... Even though the L2J server is not a bank, in the past we chose to use encryption to increase security a bit (since the plaintext password is never really needed by the administrator)

Leadership and management are not talk and talk, but talk and do
Proud of being a part of this project
- momo61
- Posts: 1648
- Joined: Fri Jun 06, 2008 2:05 pm
- Location: Europe
Re: Just a little question, many of u should know.
DrHouse wrote:
Well, I feel my balls safer knowing that my bank stores my password hashed rather than plain text. Imagine a hacker (or an employee) gets access and reads some of them without being detected... fatal... Even though the L2J server is not a bank, in the past we chose to use encryption to increase security a bit (since the plaintext password is never really needed by the administrator)

very smart
-
- L2j Veteran
- Posts: 3437
- Joined: Wed Apr 30, 2008 8:53 am
- Location: Russia
Re: Just a little question, many of u should know.
snap wrote:
security from what? >_>
i dunno, just seems silly that we store it like that for no real reason.

If you fear it - do not use simple passes. Or build your own password storage.
Committer of the shit
public static final int PI = 3.1415926535897932384626433832795;
- devo
- Posts: 798
- Joined: Mon Jun 15, 2009 1:19 pm
Re: Just a little question, many of u should know.
a lot of ppl use the same password for all their logins, everywhere. if a hacker uses sql injection (not protected drop tool) he can get all passwords, and try to connect them with other accounts, not just ingame.
A hero of war is that what they see...
-
- Posts: 37
- Joined: Thu Aug 06, 2009 7:55 pm
Re: Just a little question, many of u should know.
devo wrote:
a lot of ppl use the same password for all their logins, everywhere. if a hacker uses sql injection (not protected drop tool) he can get all passwords, and try to connect them with other accounts, not just ingame.

True, but...
1. At that point the entire accounts table is compromised. Meaning hashes can be grabbed and bruteforced in a matter of hours using a GPU based bruteforcer (I have one, trust me, they work)

2. Unless the admin also stores email addresses in the accounts table (assuming they have a registration system and they set it up to log the emails in the accounts table), then it would require some social engineering just to get someone's email addy from them in game.
I mean, I understand why some people like to have it. I just don't see a need for it. Once the accounts table is open, game over. That's the end of it. Regardless of whether or not the passwords were encrypted. Oh, and with an SLI setup, you can do about 200+ million SHA1 hashes per second. Compare that to about 4 million per second with a 2Ghz processor using Cain & Abel.
http://www.insidepro.com/eng/egb.shtml
-
- L2j Veteran
- Posts: 3437
- Joined: Wed Apr 30, 2008 8:53 am
- Location: Russia
Re: Just a little question, many of u should know.
And what? After changing the encryption scheme the forum will be full of noob-admins crying "no one can login to my server, help me!!1111".
Not interesting. Feel free to change the encryption on your server as you want.
Committer of the shit
public static final int PI = 3.1415926535897932384626433832795;
- DrHouse
- L2j Inner Circle
- Posts: 912
- Joined: Mon Jan 22, 2007 12:14 am
- Location: Spain
Re: Just a little question, many of u should know.
Yap... changing the crypt now would be messy for a big bunch of newbie administrators without a "change your password" function
If changing the crypt algo is really necessary (is it?) we could code a simple temporary web service inside the gameserver to change passwords...

Leadership and management are not talk and talk, but talk and do
Proud of being a part of this project
- ThePhoenixBird
- L2j Inner Circle
- Posts: 1857
- Joined: Fri May 27, 2005 5:11 pm
Re: Just a little question, many of u should know.
da 'ol /password command
it could be rewritten as something like:

Step #1: /accountupdate <login> <oldpass> <newpass> <email>
Step #2: /accountverify <login> <newpass> <verifycode>
Note: <verifycode> is sent to <email> using the gameserver webserver email function.
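The two-step flow sketched above, written out as an added Python example (not L2j's Java code and not anything the project ships). `AccountService`, `PendingChange`, the ten-minute code lifetime and the five-guess limit are assumptions made for the demo; the gameserver email function is replaced by an in-memory outbox; and the stored format is kept as the thread describes it (base64 over SHA1) with the hash function pluggable, so the same flow can carry a migration to a stronger hash, which is the concern raised about admins being locked out when the crypt changes.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Stored-password format as the thread describes it: base64(SHA1(password)).
# Used only so the example matches the existing accounts table; a slow, salted
# hash can be passed as AccountService(hash_fn=...) without changing the flow.
def legacy_hash(password: str) -> str:
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

CODE_TTL_SECONDS = 10 * 60   # a verify code is valid for ten minutes (assumed policy)
MAX_ATTEMPTS = 5             # guesses allowed per pending change (assumed policy)

@dataclass
class PendingChange:
    code_digest: bytes   # SHA-256 of the emailed code; the code itself is never stored server-side
    new_hash: str        # hash of the requested new password, committed only after step 2
    expires_at: float
    attempts: int = 0

class AccountService:
    def __init__(self, accounts, hash_fn=legacy_hash):
        self.accounts = accounts   # login -> stored hash (constructed sample data in the test)
        self.hash_fn = hash_fn
        self.pending = {}          # login -> PendingChange
        self.outbox = []           # (email, code) pairs; stands in for the email function (assumption)

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def account_update(self, login, oldpass, newpass, email, now=None) -> bool:
        """Step 1 (/accountupdate): check the old password, park the new one, mail a code."""
        now = time.time() if now is None else now
        candidate = self.hash_fn(oldpass)   # always hash, so an unknown login costs the same time
        stored = self.accounts.get(login)
        if stored is None or not hmac.compare_digest(candidate, stored):
            return False
        code = secrets.token_hex(4)         # 8 hex chars; short-lived, single use, attempt-limited
        self.pending[login] = PendingChange(self._digest(code), self.hash_fn(newpass),
                                            now + CODE_TTL_SECONDS)
        self.outbox.append((email, code))   # "send" the code to the address given in step 1
        return True

    def account_verify(self, login, newpass, code, now=None) -> bool:
        """Step 2 (/accountverify): consume the code and commit the new hash."""
        now = time.time() if now is None else now
        p = self.pending.get(login)
        if p is None:
            return False
        if now > p.expires_at:
            del self.pending[login]         # expired: the request has to be restarted
            return False
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[login]         # too many guesses: same
            return False
        code_ok = hmac.compare_digest(self._digest(code), p.code_digest)
        pass_ok = hmac.compare_digest(self.hash_fn(newpass), p.new_hash)
        if not (code_ok and pass_ok):       # evaluate both so timing does not reveal which one failed
            return False
        self.accounts[login] = p.new_hash
        del self.pending[login]             # single use
        return True
```

The new password is never applied before the emailed code is presented, the code is stored only as a digest, and a pending request dies on expiry or after too many guesses rather than staying open for an attacker who can spam /accountverify in game.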