https://smaugmuds.afkmods.com/index.php?a=rssfeed&t=1900 The largest Smaug community resource site. - en SmaugMuds 60 https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13988#p13988 [quote=Quixadhal]I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick". [/quote] Well, something somewhere needs to store at least the private key, so that you can send it during authentication. Granted that could happen automatically by the client, but still... And then, once you have it written down (digitally), you could be tempted to leave it https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13988#p13988 Sat, 5 Jan 2008 05:31:35 CST General Discussions nobody@example.com (David Haley) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13984#p13984 Possibly. I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick". For example... here's one of my public keys. [code]ssh-dss AAAAB3NzaC1kc3MAAACBAMv8Jg081lUXybub4PEZxc5gNFM0G833oK5chIi2BXNEC/J5DrvYwc6Iz6FVVZ3Ijnvc8L+mnAyUJf+PMsz2EblJig4rh+lAcTo6HcAMqA9a/ 2+IdZXNWSDTcXdoVCrwPDH+eFme3gCBvPkaN4sUOwWl8sopWk/H6hzE9WfgInjlAAAAFQCRrjfgX5HPhS3Xfrfmp https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13984#p13984 Fri, 4 Jan 2008 22:48:50 CST General Discussions nobody@example.com (Quixadhal) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13982#p13982 [quote=Quixadhal]It solves the problem (...) Unlike a password, these aren't things that can be tossed about unless you have a photographic memory.[/quote] I think we must not have been talking about the same problem. :wink: I wasn't talking about the strength of passwords vs. strength of key pairs. Besides, a password can be made as secure as a key pair (insofar as sending something to a perhaps untrusted MUD server is secure to begin with) by just having a very complicated password... But https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13982#p13982 Fri, 4 Jan 2008 22:23:50 CST General Discussions nobody@example.com (David Haley) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13979#p13979 [quote=DavidHaley]That's not really solving the problem; instead of having passwords, you have a key. And then you have to have your key with you when you want to connect to the MUD. I certainly couldn't remember my keys. :smile:[/quote] It solves the problem only in that a public/private key pair is (normally) unique to an individual. If the mud generates a key pair, and when you create an account, you upload (or otherwise exchange) the public side if your keypair, it becomes associated wit https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13979#p13979 Fri, 4 Jan 2008 21:35:59 CST General Discussions nobody@example.com (Quixadhal) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13975#p13975 [quote=Quixadhal]If you supported the full ssh 2 protocol, you could even avoid passwords entirely and do key exchange to validate logins. [/quote] That's not really solving the problem; instead of having passwords, you have a key. And then you have to have your key with you when you want to connect to the MUD. I certainly couldn't remember my keys. :smile: [quote=Quixadhal]Of course, the downside is that folks who like using custom clients would no longer be able to do so unless the author https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13975#p13975 Fri, 4 Jan 2008 15:14:26 CST General Discussions nobody@example.com (David Haley) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13974#p13974 Actually, they have one. It's called ssh. Unfortunately, very few muds support using it for connections (there's some LPC code for doing so, I believe). If you supported the full ssh 2 protocol, you could even avoid passwords entirely and do key exchange to validate logins. Of course, the downside is that folks who like using custom clients would no longer be able to do so unless the author of said client added ssh as a connection method. https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=13974#p13974 Fri, 4 Jan 2008 15:07:51 CST General Discussions nobody@example.com (Quixadhal) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8744#p8744 it can be optional... https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8744#p8744 Wed, 8 Nov 2006 06:17:56 CST General Discussions nobody@example.com (kiasyn) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8736#p8736 Um, yeah, Kia, let's rewrite every client and mud out there to use a new protocol that's more secure.. of course the encrypted version of the password still has to be stored where the mud can verify it and it still doesn't prevent someone from just giving it out.. :rolleyes: https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8736#p8736 Tue, 7 Nov 2006 03:04:58 CST General Discussions nobody@example.com (Conner) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8729#p8729 Perhaps its time for a new protocol, where the client can enter an encrypted password and the MUD use that, the true password never going into the mud. https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8729#p8729 Mon, 6 Nov 2006 18:24:46 CST General Discussions nobody@example.com (kiasyn) https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8722#p8722 I do not doubt the reasons behind putting the encryption there. I'm just saying we should warn people to be careful. https://smaugmuds.afkmods.com/topic/changeover-to-sha-256-encryption-1900/&p=8722#p8722 Sat, 4 Nov 2006 23:18:22 CST General Discussions nobody@example.com (Kigen)