Vanigo wrote: Yeah, except that he apparently had access to everyone's passwords, presumably including yours and the real Jorb's, and we all know that we use the same password for the forum and the game. Not that I think he did anything with them, of course; just pointing this out.
Don't worry. He did not have access to the passwords, and even though he says he could change people's passwords, that's just what the forum tells him -- I haven't "removed" the built-in functionality of phpBB to change the passwords in the forum database, which has no bearing whatsoever. The passwords in the forum database are never used, even by the forum itself, because I've replaced its authentication mechanism.
EDIT: I guess I can take the opportunity to expand a bit on the handling of passwords, sessions and accounts, for people in doubt.
* I've written a system of my own that stores information about users, including an SHA256 hash of their password. SHA256 has, to my knowledge, no known exploits. It should be admitted that the passwords are not salted, which can be considered a weakness in case the entire database were leaked (which it has not been), and I am considering fixing it by salting the hash with the name of each account.
* There are exactly two places where the passwords are visible in plaintext. One is in the client, when you type it in. The client, however, hashes the password before sending it to the authentication server, and even the hash is sent over SSL. The other is when the password is transmitted over HTTP, which I don't like, but there isn't a thing in the world I can do about it. HTML forms work that way, after all.
* The ugliest aspect of the system is the forum integration, but AFAIK it should be secure. There are, in total, three different sessions in effect. One is the session for my own pages (the ones in /portal), which are written using mod_python and use its session handler, and the /portal pages authenticate users against the info stored in my account server. They also create a site-global session that covers both /portal and /forum, and only contains the authenticated username. The phpBB authentication module I've written picks that up and does an auto-login into phpBB. phpBB then keeps its own session after that. Since I use my own authentication module, phpBB's conception of passwords is not used. At all. The "change password" function in the forum is, thus, entirely ineffective.
* Login against the game server uses a temporary authentication cookie, which is generated in one of two ways: Either by the authentication server (to which the client connects when you use its login screen) or by the web pages, which generate a cookie when you use the "Play" button in the top menu. In the latter case, the cookie is part of the JNLP file you get. The cookie is discarded once used to log in one time, or after a rather short lifetime (30 seconds when generated by the auth server, 5 minutes when generated by the web pages (to allow time for downloading the client)).
* When you click "remember me" in the client, the client doesn't actually save your password. Rather, it asks the auth server for an extended-life cookie, which is generated anew every time you choose to do so and stored in the account. That cookie, in turn, is used in place of the password hash on subsequent logins to generate the temporary login cookies. Obviously, that means only one computer can remember you at one time, which is a security feature I am quite content with.
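As an added example (not code from the post's author or from the game's actual account server), the following Python sketch models the scheme the post describes: an account store holding a SHA256 password hash salted with the account name (the fix the post says it is considering), single-use temporary login cookies with the 30-second and 5-minute lifetimes quoted above, and a "remember me" cookie that is regenerated on every request and replaces the password hash on later logins, so only one machine is remembered at a time. The account name "jorb" and the password are constructed sample data; the clock is injectable so that expiry can be checked deterministically.

```python
import hashlib
import hmac
import secrets
import time

# Lifetimes stated in the post (seconds).
TEMP_COOKIE_TTL_AUTH_SERVER = 30
TEMP_COOKIE_TTL_WEB = 5 * 60


def hash_password(account_name: str, password: str) -> str:
    """SHA256 of the password salted with the account name.

    This is the salting the post considers; it stops one precomputed table
    from covering every account, but a random per-account salt would be
    stronger still since account names are public and guessable.
    """
    return hashlib.sha256(f"{account_name}:{password}".encode()).hexdigest()


class AccountServer:
    """Hypothetical account/auth server modelling the post's description."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # name -> {"pwhash": str, "remember": str | None}
        self.accounts = {}
        # temporary login cookie -> (account name, expiry timestamp)
        self.temp_cookies = {}

    def create_account(self, name: str, password: str) -> None:
        self.accounts[name] = {"pwhash": hash_password(name, password), "remember": None}

    def _check_secret(self, name: str, secret: str, field: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct[field] is None:
            return False
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(acct[field], secret)

    def issue_temp_cookie(self, name: str, secret: str, ttl: int, via_remember: bool = False):
        """Issue a single-use login cookie after checking either the client-side
        password hash or, for a remembered client, the extended-life cookie."""
        field = "remember" if via_remember else "pwhash"
        if not self._check_secret(name, secret, field):
            return None
        cookie = secrets.token_hex(16)
        self.temp_cookies[cookie] = (name, self.clock() + ttl)
        return cookie

    def redeem_temp_cookie(self, cookie: str):
        """Game-server side: the cookie is removed on first use and rejected
        if it has expired, so it cannot be replayed or used after its window."""
        entry = self.temp_cookies.pop(cookie, None)
        if entry is None:
            return None
        name, expires_at = entry
        if self.clock() > expires_at:
            return None
        return name

    def issue_remember_cookie(self, name: str, pwhash: str):
        """Generate a fresh extended-life cookie and store it in the account,
        overwriting any previous one: the old machine's cookie stops working."""
        if not self._check_secret(name, pwhash, "pwhash"):
            return None
        token = secrets.token_hex(32)
        self.accounts[name]["remember"] = token
        return token


if __name__ == "__main__":
    now = [1000.0]
    srv = AccountServer(clock=lambda: now[0])
    srv.create_account("jorb", "constructed-sample-password")
    client_hash = hash_password("jorb", "constructed-sample-password")
    c = srv.issue_temp_cookie("jorb", client_hash, TEMP_COOKIE_TTL_AUTH_SERVER)
    print("first redeem:", srv.redeem_temp_cookie(c))
    print("second redeem:", srv.redeem_temp_cookie(c))
```

Note that the client sends the hash, so in this model the stored hash is itself the login credential; that is why the post's remark about a leaked database matters, and why the remember-me cookie is treated with the same care as the hash.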