Warning For Custom Clients

Forum for alternative clients, mods & discussions on the same.

Re: Warning For Custom Clients

Postby jaguar » Thu Oct 29, 2015 9:39 pm

shubla wrote: They're very easy to dig up, I agree. But I think some more secure way of doing that would be very difficult, maybe even cost some money.


Take a look at the Ender client. He uses tokens, not clear passwords. You can steal a token, but you can't get the password from it, and the token expires when you change your password.
jaguar
Posts: 251
Joined: Sun Jan 16, 2011 11:59 pm

Re: Warning For Custom Clients

Postby romovs » Thu Oct 29, 2015 11:53 pm

jaguar wrote:
romovs wrote: It doesn't write any settings to files at all. logininfo.conf is from somewhere else.


But it writes the password to the registry. And you can access those passwords using regedit if a public user is logged in... so, not secure. Please consider using tokens.

Tokens being a more security-conscious approach, I definitely agree on that.
But imo, the benefits are overestimated in this particular case. This is not exactly bank account authentication.
The probability of someone wanting to snatch H&H passwords, having the know-how, and being able to access the same public comp is almost nonexistent (in b4 we have a whole office/class playing on a single pc :) but even if that's the case, with public computers you are pretty much fucked no matter whether it's tokens or passwords).
romovs
Posts: 1473
Joined: Sun Sep 29, 2013 9:26 am
Location: The Tabouret

Re: Warning For Custom Clients

Postby jaguar » Fri Oct 30, 2015 1:50 am

romovs wrote: Tokens being a more security-conscious approach, I definitely agree on that.
But imo, the benefits are overestimated in this particular case. This is not exactly bank account authentication.
The probability of someone wanting to snatch H&H passwords, having the know-how, and being able to access the same public comp is almost nonexistent (in b4 we have a whole office/class playing on a single pc :) but even if that's the case, with public computers you are pretty much fucked no matter whether it's tokens or passwords).


Are you ready to lose your account after 1 year of game play?
Because for now I can easily steal the password of any user who used your client. All I need to do:
create a custom client or map tool and add an exploit that will deliver the registry key to me: [HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\haven]
That's it...
jaguar
Posts: 251
Joined: Sun Jan 16, 2011 11:59 pm

Re: Warning For Custom Clients

Postby romovs » Fri Oct 30, 2015 2:06 am

To be fair, with a malicious client you could snatch tokens too, website cookies, install key loggers, use some 0-day exploit to embed a trojan in the BIOS to own someone for life :D
I suppose an argument could be made that with tokens you potentially lose only characters, while with passwords chars plus account, but meh.. the consequences are pretty much equal imo.

Once again, I agree tokens are better generally, but it isn't worth spending 30min on that atm and then keep answering everyone why the client suddenly stopped working after the update :|. Dunno..
romovs
Posts: 1473
Joined: Sun Sep 29, 2013 9:26 am
Location: The Tabouret

Re: Warning For Custom Clients

Postby loftar » Fri Oct 30, 2015 2:11 am

romovs wrote: the consequences are pretty much equal imo.

Not in the event that people use the same password as for other services, like e-mail or whatnot.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am
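
The token scheme argued for in the posts above, sketched as an added example; it is not code from the thread, from any client, or from the game server. The `AuthServer` class, the `demo` function, the account name and the passwords are all constructed for illustration. It shows the two properties the posters rely on: the value the client saves is unrelated to the password, and it stops working once the password is changed.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Toy account server (hypothetical): password hashes plus hashes of issued tokens."""

    def __init__(self):
        self._users = {}    # name -> (salt, PBKDF2 hash of the password)
        self._tokens = {}   # sha256(token) -> account name

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, name, password):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, self._kdf(password, salt))
        # Changing the password revokes every token issued for the account.
        self._tokens = {h: u for h, u in self._tokens.items() if u != name}

    def login_password(self, name, password):
        """Check the password once; return a random token for the client to save."""
        if name not in self._users:
            return None
        salt, stored = self._users[name]
        if not hmac.compare_digest(stored, self._kdf(password, salt)):
            return None
        token = secrets.token_urlsafe(32)   # random, not derived from the password
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = name
        return token

    def login_token(self, name, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        return self._tokens.get(digest) == name


def demo():
    server = AuthServer()
    server.set_password("alice", "hunter2-reused-elsewhere")   # constructed sample
    # The client would keep only this value in its preference store.
    saved = server.login_password("alice", "hunter2-reused-elsewhere")
    before = server.login_token("alice", saved)
    server.set_password("alice", "a-new-password")   # owner changes the password
    after = server.login_token("alice", saved)
    return saved, before, after
```

A copied token still gives access to the game account until the password is changed, but it reveals nothing usable against other services where the same password is reused.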

Re: Warning For Custom Clients

Postby romovs » Fri Oct 30, 2015 2:33 am

Fair enough.
romovs
Posts: 1473
Joined: Sun Sep 29, 2013 9:26 am
Location: The Tabouret

Re: Warning For Custom Clients

Postby czaper2 » Fri Oct 30, 2015 2:36 am

Are .res files (graphical mods) potentially dangerous at all?
czaper2
Posts: 389
Joined: Mon Aug 26, 2013 12:48 pm

Re: Warning For Custom Clients

Postby loftar » Fri Oct 30, 2015 4:38 am

czaper2 wrote: Are .res files (graphical mods) potentially dangerous at all?

They may contain code that the client will run, so yeah, you shouldn't get them from untrusted sources.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am

Re: Warning For Custom Clients

Postby shubla » Fri Oct 30, 2015 7:19 am

Basically everything you download from some haven players might be a potential keylogger or a tool to send your passwords to them. Wouldn't be anything new in this community really :roll:
I'm not sure that I have a strong argument against sketch colors - Jorb, November 2019
http://i.imgur.com/CRrirds.png?1
Join the moderated unofficial discord for the game! https://discord.gg/2TAbGj2
Purus Pasta, The Best Client
shubla
Posts: 13043
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland
