Fix my brains please - Account passwords
#1

Hello everyone, hope you're doing alright.

I have this case to submit to you guys:
Yesterday, on a SAMP server, an admin banned me for multi-accounting (because two of us play from this IP) and I had to open a thread on their forums to get unbanned.
After "solving" this, this admin guy, before locking the thread, wrote "change your password".
What, did he get his nose into my account info and also read my password? Really?

The answer is... yes, he probably did. He told me "You and your brothers are using the same passwords" in that admin tone.
Personally I didn't and I don't like this at all, this is no shit and everyone here knows.

Now, the scenarios are mainly 4:

1 - They do NOT hash passwords,
2 - Administrators have the "tools" to un-hash the passphrase,
3 - The hash is so simple that g00gle search can decrypt your passwords,
4 - (Quote, originally posted by Mauzen) They hash passwords. Maybe salt them, but with a global salt. Same hashes mean same passwords then.
What are your thoughts?
#2

This is really disrespectful, admins represent the server.
About the hash, well... this is why some people advise you to use a different password for every site/service.
If I was you I would probably get the hell out of their server, but that's me.
That's my opinion though. Oh, about the hash: they could probably check if both of the hashes match, but the fact that they expose this type of information, lol...
Have a nice day mate.
#3

I wouldn't expect any better from a SA-MP server and I am not sure why you would be surprised either. Most of the servers you join don't handle user data privacy (or passwords, in this case) properly.
#4

Talking about my thoughts, I would regret playing on such a server, where someone would be telling me what my password is or that I have to change it. If my password is '123', it is my business. If the administrators have access to passwords then this is hilarious; whether they have a command to compare passwords or the passwords aren't hashed, this is all shit.

The ban is invalid in the first place, having multiple accounts shouldn't hurt them unless one of the accounts is banned which I highly doubt.
#5

Maybe he checked the hashes and they were the same?
#6

4. They hash passwords. Maybe salt them, but with a global salt. Same hashes mean same passwords then.
#7

Quote:
Originally Posted by iKarim
Most of the servers you join don't handle user data privacy (or passwords, in this case) properly.
I am not only surprised, but totally amazed by the lack of interest in our personal info. The server management accepts donations too, and does not even care about your "secret word".
That admin I was talking about is a random admin whose skills are all about using admin commands in game. Why does he get the chance to see this personal info?
Also, I learnt on this forum never to put any of my projects online without making sure the register/login system was working correctly and passwords were encrypted.

Quote:
Originally Posted by iLearner
Maybe he checked the hashes and they were the same?
Possible, yet any good.

Quote:
Originally Posted by Mauzen
4. They hash passwords. Maybe salt them, but with a global salt. Same hashes mean same passwords then.
Damn, obv!
Will add your quote to the 1st post, thanks, I didn't think about that when posting!

Thanks for posting guys, I was starting to think I was the alien lol.
#8

Most of the old scripts, YINI scripts, have no hashed passwords,
therefore we need to change passwords for each server we play on.

I agree with you, very immature.
#9

Did you try to complain about this administrator? If they keep doing that, just leave this community.
#10

Yes Hunud, I am waiting for its developer to tell me, though; he is a member here.
#11

It probably means they are either pure shit and don't hash your password at all, in which case you should leave their server because they obviously don't care about security at all.

The other scenario is that they hash your passwords but without a salt, or with the same salt for every account. In that case they have no idea what they are doing, but it seems plausible this is just because of their lack of knowledge. You can either attempt to suggest to them how it should be done or just leave the server.

In any decent setup, the stored passwords are hashed with a decent cipher (SHA-256 or above) and have a unique salt per account. Even better would be if they repeated the process multiple times to create a stronger hash (stretching), however that's optional IMHO.
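To make the difference between the "global salt" scenario from post #1 and the per-account salt plus stretching setup described in post #11 concrete, here is an added Python example (not code from this thread or from any SA-MP script; the account names and passwords are constructed). With one server-wide salt, two accounts that chose the same password end up with identical rows, so an admin can spot shared passwords without ever learning them; with a random per-account salt the rows differ, yet login verification still works.

```python
import hashlib
import hmac
import os

# Constructed sample data: two brothers who picked the same weak password,
# plus an unrelated account. Names and passwords are invented for this example.
ACCOUNTS = {"Brother_A": "123456", "Brother_B": "123456", "Stranger": "correct horse"}

GLOBAL_SALT = b"server-wide-salt"  # scenario 4: one salt shared by every account
ITERATIONS = 100_000               # stretching factor for the per-account scheme


def store_global_salt(password: str) -> str:
    """Scenario 4 from post #1: equal passwords give equal digests, so
    comparing two rows reveals that the passwords match."""
    return hashlib.sha256(GLOBAL_SALT + password.encode()).hexdigest()


def store_per_account(password: str, salt: bytes = b"") -> dict:
    """Post #11's 'decent setup': random salt per account plus stretching
    (PBKDF2-HMAC-SHA256). Returns the record a database row would hold."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_per_account(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = store_per_account(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate["hash"], record["hash"])


def accounts_sharing_a_hash(hashes: dict) -> list:
    """Names of accounts whose stored hash equals some other account's hash."""
    by_hash = {}
    for name, h in hashes.items():
        by_hash.setdefault(h, []).append(name)
    return sorted(n for group in by_hash.values() if len(group) > 1 for n in group)


def demo() -> dict:
    weak = {n: store_global_salt(p) for n, p in ACCOUNTS.items()}
    strong = {n: store_per_account(p) for n, p in ACCOUNTS.items()}
    return {
        "global_salt_leaks": accounts_sharing_a_hash(weak),
        "per_account_leaks": accounts_sharing_a_hash({n: r["hash"] for n, r in strong.items()}),
        "login_ok": verify_per_account("123456", strong["Brother_A"]),
        "login_rejected": verify_per_account("654321", strong["Brother_A"]),
    }
```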
#12

Account security is the responsibility of server owners and developers. Unfortunately, this is often overlooked and rushed. Sorry you had to endure that. Poor ownership and development!
#13

As many of 'em mentioned, most of the GMs released after 2k14 use Whirlpool or some sort of password hashing system.

He must have compared yours and your brother's password hashes and warned you to change it. But that's really none of one's business, even if he's the server owner. If he knows your exact password, then possibly the passwords are stored plain, or the server must be collecting your passwords in a separate log of some sort. I'd advise not using the same password for different servers, including the passwords associated with any of your non-SAMP accounts like Gmail, ********, etc.

There's a HIGH RISK in it. Be safe!
#14

You can see if the HASH is the same; no need to see your password.
useless thread..
#15

Quote:
Originally Posted by NoahF
Account security is the responsibility of server owners and developers. Unfortunately, this is often overlooked and rushed. Sorry you had to endure that. Poor ownership and development!
I totally agree with you. Also nowadays you see a lot of upcoming projects handled by immature people.
#16

Quote:
Originally Posted by AdamCooper
You can see if the HASH is the same; no need to see your password.
useless thread..
Hello Mr. Developer. What is password salting to you?
EDIT: And you are offering online services too?

Quote:
Originally Posted by ConnorW
I totally agree with you. Also nowadays you see a lot of upcoming projects handled by immature people.
True
#17

You just made me change every social media password + every password on every website

at 05:00 in the morning. Good job.
#18

Well, first of all it's obvious you won't use your PayPal email and password as your SAMP account unless you're brainless.

Second, I will say this again and explain it to you better, Mr. Sarcasm:
My password: 123456 = HASH password AS23%SS ==== Your password: 123456 = HASH password: AS23%SS
#19

Quote:
Originally Posted by AdamCooper
Well, first of all it's obvious you won't use your PayPal email and password as your SAMP account unless you're brainless.

Second, I will say this again and explain it to you better, Mr. Sarcasm:
My password: 123456 = HASH password AS23%SS ==== Your password: 123456 = HASH password: AS23%SS
It doesn't matter bro, there are a lot of ways to get your password even if it's hashed. Let's say at the login dialog, you simply add a
PHP code:
new string[64]; format(string, sizeof(string), "%s", inputtext); printf("%s", string);
and voilà, the developer/owner has your password. The only way to avoid that is to just not use the same password you use on other platforms.

EDIT: Basically, there are servers around that don't use a HASH for passwords, they just don't touch them, but when there are more than three people having access to your database or files, the owner should hash the passwords, just to avoid "account hacking" later on if any conflict happens.
#20

Quote:
Originally Posted by AdamCooper
Well, first of all it's obvious you won't use your PayPal email and password as your SAMP account unless you're brainless.
Since you do not salt passwords and act like this, I would be brainless to register an account in one of your services too. Regardless of the service, my information is mine, so it is private and needs to be protected!

Quote:
Originally Posted by AdamCooper
Second, I will say this again and explain it to you better, Mr. Sarcasm:
My password: 123456 = HASH password AS23%SS ==== Your password: 123456 = HASH password: AS23%SS
In 2 posts you are repeating the same thing. Everyone here knows that; no one in this thread is asking how hashing works. The thread is about people's thoughts on all these people (like you, it seems) telling people "register, register, register an account! my services: bla bla bla" to earn money, but then not even knowing how to manage passwords properly.
And since this is a dev forum, this is even worse, since passwords are not the only info to protect and keep secret.

Now, I do not even know you, but please learn how to manage users' data properly. Peace.