Unhashed Passwords Against The Rules?
#1

#2

Yes it is, I guess.
#3

No, nothing like that. You can mention in your 'TERMS AND SERVICE AGREEMENT' that:

1. Your passwords are unhashed
2. Company promises not to ever release it

And if they agree to it, you can basically let them play. As simple.
#4

You shouldn't be saving passwords in plain text, that's just silly! However it isn't against any rules that I am aware of when it comes to SA-MP servers.
#5

Yeah, as I told, not hashing the pass is like phishing.
#6

Alright Thanks All!
#7

I wouldn't ever play on a server or use a website when I know that it doesn't hash passwords properly. That's a personal data leak, and there's not even a valid reason why you shouldn't hash it.
But it's not against the rules.
#8

Although the verb "exposing" is quite open for interpretation:
Code:
(f) You may not violate the privacy of a player, service provider or server operator
by means of exposing passwords or identities without consent.
https://sa-mp.com/service_agreement.txt
#9

Quote:
Originally Posted by Vince
Although the verb "exposing" is quite open for interpretation:
Code:
(f) You may not violate the privacy of a player, service provider or server operator
by means of exposing passwords or identities without consent.
https://sa-mp.com/service_agreement.txt
Fairly speaking, that still doesn't mean he cannot keep unhashed passwords. It's dumb to do so, but there is no policy stating so, which is a fair point for those who want to understand it in whatever way. You're not REALLY exposing passwords, tbh.
Again, if it's not wrong, that doesn't mean you do it.
So, yeah. Let's just move to hashing passwords instead.
#10

Personally, I think that it should be against the law. If ever someone manages to obtain your database/user files (through exploits, social engineering), you just risked the security of everyone who has ever made an account in your server. Do they use the same password for their email? Or maybe even for banking?

In other words, for fucks sake hash the passwords securely.
#11

Quote:
Originally Posted by Infinity
Personally, I think that it should be against the law. If ever someone manages to obtain your database/user files (through exploits, social engineering), you just risked the security of everyone who has ever made an account in your server. Do they use the same password for their email? Or maybe even for banking?

In other words, for fucks sake hash the passwords securely.
Remember the PSN hacks? Later Sony said it would simply be cheaper to tell users about the data leak instead of securing it properly. Unless companies especially advertise with personal data security, they probably give a shit about security. And thanks to lobby-democracy, chances are low that politics will ever rate personal data higher than profit.
#12

The server-owner has access to all your account-data even when it's hashed.
In a MySQL database, all your data is shown in a nice table with all info exposed like money, score, kills, deaths, whatever.

They could even hash their own password and replace your password with their hashed password and sell your account to someone else.
It's just a text-field in the database.

Nothing is safe, even when it's hashed.

Same rules for INI-files.
They're just saved in plain text.
#13

Quote:
Originally Posted by AmigaBlizzard
The server-owner has access to all your account-data even when it's hashed.
In a MySQL database, all your data is shown in a nice table with all info exposed like money, score, kills, deaths, whatever.

They could even hash their own password and replace your password with their hashed password and sell your account to someone else.
It's just a text-field in the database.

Nothing is safe, even when it's hashed.

Same rules for INI-files.
They're just saved in plain text.
You're missing the point. If an owner decides to change some stats around, that's a dick move but nothing else. However, if he stored your password as plain text, he could also try using these passwords, for example, to login on their forum accounts here. Or their email. Or their PayPal/bank accounts. Or even worse, the database gets leaked and your password is out in the open.

@Mauzen:
That is exactly my point. As long as people get away with shit like that, nothing will change. Making it mandatory to secure the passwords, for example by law, would at least prevent shit like this.
#14

I keep the password in both forms (Hashed + Unhashed),
just for account recovery. I won't misuse that data.
I'll never let that data be leaked,
as it's against the rules & I don't want to get involved in this kind of stuff.
#15

Quote:
Originally Posted by K0P
I keep the password in both forms (Hashed + Unhashed),
just for account recovery. I won't misuse that data.
I'll never let that data be leaked,
as it's against the rules & I don't want to get involved in this kind of stuff.
Why even bother keeping them in both forms? The hashed version doesn't make any sense then, does it? There are plenty of alternative ways for a player to reset their password without you having to see what it is. Your intentions are probably good but you are pretty naive to think that everyone's intentions are good.
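The point made in post #15, that a player can recover an account without the operator ever seeing the password, in runnable form as an added example (not code from this thread or from SA-MP; the in-memory account table, the function names and the PBKDF2 work factor are this example's own assumptions): each account stores only a random per-account salt and a slow PBKDF2 digest, logins are checked with a constant-time compare, and recovery uses a single-use, expiring random token instead of reading a password back.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-in for the accounts table; a gamemode would keep
# the same two columns (salt, hash) in MySQL or an INI file. Plaintext is never stored.
ACCOUNTS = {}
RESET_TOKENS = {}        # sha256(token) -> (account name, expiry time)
ITERATIONS = 200_000     # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random 16-byte salt per account means two
    players with the same password get different stored values, so a leaked
    table cannot be attacked with one precomputed list for every row."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(name: str, password: str) -> None:
    salt, digest = hash_password(password)
    ACCOUNTS[name] = {"salt": salt, "hash": digest}


def login(name: str, password: str) -> bool:
    rec = ACCOUNTS.get(name)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])   # constant-time comparison


def issue_reset_token(name: str, ttl_seconds: int = 900) -> str:
    """Account recovery without anyone reading a password back: the player is
    handed a random single-use token (e.g. via the e-mail on file) that lets them
    set a new password. Only its hash is kept, so the table does not leak tokens."""
    if name not in ACCOUNTS:
        raise KeyError(name)
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (name, time.time() + ttl_seconds)
    return token


def reset_password(token: str, new_password: str) -> bool:
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
    if entry is None or time.time() > entry[1]:
        return False
    register(entry[0], new_password)   # new salt and hash; the old password stops working
    return True
```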
#16

You still shouldn't store their passwords in plain text. You never know if someone is going to be able to hack into the server and steal the data. Also people only have your word when you say you won't use that data.
#17

Quote:
Originally Posted by K0P
I keep the password in both forms (Hashed + Unhashed),
just for account recovery. I won't misuse that data.
I'll never let that data be leaked,
as it's against the rules & I don't want to get involved in this kind of stuff.
You say that the data will never be leaked. How will you do what so many others could not? Not even the larger companies such as Sony could prevent their data from being leaked.
#18

Quote:
Originally Posted by Infinity
Personally, I think that it should be against the law. If ever someone manages to obtain your database/user files (through exploits, social engineering), you just risked the security of everyone who has ever made an account in your server. Do they use the same password for their email? Or maybe even for banking?

In other words, for fucks sake hash the passwords securely.
I agree

On Topic: I think it's against the agreement
#19

Quote:
Originally Posted by K0P
I keep the password in both forms (Hashed + Unhashed),
just for account recovery. I won't misuse that data.
I'll never let that data be leaked,
as it's against the rules & I don't want to get involved in this kind of stuff.
This is quite probably the dumbest thing I've read today.
#20

Quote:
Originally Posted by K0P
I keep the password in both forms (Hashed + Unhashed),
just for account recovery. I won't misuse that data.
I'll never let that data be leaked,
as it's against the rules & I don't want to get involved in this kind of stuff.
Which server do you own? To remind everyone, including myself, to never play on it.

Don't be stupid and hash those passwords!

Tip: Keep your hashing algorithm a secret! With it, people can retrieve anyone's password by enforcing brute force.