Passwords should not be shared even in hashed format

Discuss the source code and development of Spring Engine in general from a technical point of view. Patches go here too.

TradeMark
Posts: 4867
Joined: 17 Feb 2006, 15:58

Passwords should not be shared even in hashed format

Post by TradeMark »

I just noticed something really scary: in the replay file each player has a password hash next to their nick:

    password=41379EA3;

I am afraid this makes it easy to hijack other players' accounts, since most probably people don't bother making super strong passwords for games in general. And I have a bad feeling that a 32-bit hash is waayyy too easy to crack.

But, someone please tell me why is this password hash needed to be stored there at all?

I also wonder whether it is possible to get any player's password hash from a tweaked lobby.

If this is meant to be a way to validate players, so others can't hijack your player name when the game starts, then it's a really bad idea, since eventually you will find almost any player's password hash on replays.adune.nl or any other replay site out there. And think of me (or any other replay site) being able to collect all this information. IT'S A BAD IDEA.
Kloot
Spring Developer
Posts: 1867
Joined: 08 Oct 2006, 16:58

Re: Passwords should not be shared even in hashed format

Post by Kloot »

They are not server-account password hashes. Panic attack over.
TradeMark
Posts: 4867
Joined: 17 Feb 2006, 15:58

Re: Passwords should not be shared even in hashed format

Post by TradeMark »

What are they then?
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: Passwords should not be shared even in hashed format

Post by aegis »

They're randomly generated and shared between the host and player to validate that the player joining the server is the same as the player in the lobby.
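To make the distinction aegis draws concrete, here is an added example (not Spring Engine code; class and function names are assumptions) of a per-game join token: the host mints a fresh random 32-bit value for each lobby player, hands it out through the lobby, and checks it once when that player connects. The token is never derived from the account password, so a copy of it in a published replay reveals nothing about the account.

```python
import hmac
import secrets


class GameHost:
    """Host side of a lobby-to-server join check (hypothetical names)."""

    def __init__(self):
        # nick -> token issued for this game only; cleared once used
        self.expected = {}

    def issue_token(self, nick: str) -> str:
        # Fresh random 32-bit value rendered as 8 hex digits, the same
        # shape as the "password=41379EA3;" field in the replay. It is
        # minted per game and has no relation to the account password.
        token = f"{secrets.randbits(32):08X}"
        self.expected[nick] = token
        return token

    def accept_join(self, nick: str, presented: str) -> bool:
        # One-shot check: unknown nicks and replays of a spent token fail.
        expected = self.expected.pop(nick, None)
        if expected is None:
            return False
        # Constant-time comparison; mismatched lengths are also rejected.
        return hmac.compare_digest(expected, presented)


def replay_field(token: str) -> str:
    """Render the token the way it appears in the replay script."""
    return f"password={token};"


def tokens_for_two_games(nick: str) -> tuple:
    """Show that the same nick gets unrelated tokens in different games."""
    first = GameHost().issue_token(nick)
    second = GameHost().issue_token(nick)
    return first, second


if __name__ == "__main__":
    host = GameHost()
    tok = host.issue_token("TradeMark")
    print(replay_field(tok))
    print("joined:", host.accept_join("TradeMark", tok))
    print("reused token accepted:", host.accept_join("TradeMark", tok))
    print("two games, same nick:", tokens_for_two_games("TradeMark"))
```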
TradeMark
Posts: 4867
Joined: 17 Feb 2006, 15:58

Re: Passwords should not be shared even in hashed format

Post by TradeMark »

Oh, I see, *phew*. Maybe "password" is a bad name for it then. I suggest "randomhash" or something like that to prevent future panic attacks.