MULTIPLAYER QUESTION ( PARADOX READ )

Status
Not open for further replies.

Kentti

What do you mean by "not safe"? If you save the hash, tell me how you can reverse engineer it? You guys just have to implement it correctly ;-) And I am sure that you guys are able to do so.

The "not safe" part is having to save and pass the hashed password around in the save file. While hash functions aren't reversible, they're also simple to attack by brute force. While brute forcing a hash would definitely be something that your co-players in a MP game wouldn't be able to do and thus wouldn't be able to cheat, the criminals who do it for a living could just collect the hashes from the saves passed around in Paradox MP forums and brute force the passwords out of them and add them to their collections.
 

agentgb

We have talked about it, but as you guys just said; we cannot make anything "safe and secure" for this as it is right now, and since we do not want to encourage ppl to use their passwords for something that is not safe (yeah most ppl do reuse their passwords), we will delay this feature some more (it is under great consideration though).

Something that would lock you into playing a faction would be neat, so you couldn't change in between to look at others. I don't think it needs to be passworded, just not so easy to swap between countries and look at other players countries techs, armies etc. I don't think people will go to huge efforts. I believe EU4 has something like this which can be toggled on and off by the host?
 

Guraan

Paradox Staff
What do you mean by "not safe"? If you save the hash, tell me how you can reverse engineer it? You guys just have to implement it correctly ;-) And I am sure that you guys are able to do so.
Not reverse engineer, but as stated before by brute force and/or rainbow tables etc. It is just "not safe" to give out even a digest in my opinion, but heck with some googling around there might be a simple solution just right around the corner O;)
Something that would lock you into playing a faction would be neat, so you couldn't change in between to look at others. I don't think it needs to be passworded, just not so easy to swap between countries and look at other players countries techs, armies etc. I don't think people will go to huge efforts. I believe EU4 has something like this which can be toggled on and off by the host?
I believe in the same, locked by Paradox account, Steam ID or something similar. And then just have the savegame in a non-human-readable format just as ironman.
 

Guraan

Paradox Staff
The "not safe" part is having to save and pass the hashed password around in the save file. While hash functions aren't reversible, they're also simple to attack by brute force. While brute forcing a hash would definitely be something that your co-players in a MP game wouldn't be able to do and thus wouldn't be able to cheat, the criminals who do it for a living could just collect the hashes from the saves passed around in Paradox MP forums and brute force the passwords out of them and add them to their collections.
Tbh you wrote all the things I feel when it comes to this O;)
We are not worried about you guys here at the forum, we are skeptical about the rest of internet. And I always say; "Prepare for the worst, hope for the best"
 

KiwiNoob

I think the 'not safe' camp has forgotten a couple of extremely important points.

Firstly, hashing is secure enough for this purpose - especially if they are (as all people should be) adding a salt to the hash (which can also be stored in the save file) to prevent a straight up hash-only rainbow table from working. When it comes to cracking the hash they need to bear in mind that 99.5% of players either:
  1. Lack the technical skills to do it; or
  2. Can't be bothered to do it (as people have already pointed out - it would require a lot of time to brute force the hash); or
  3. Won't do it because it's a stink thing to do
Secondly, if you want to bypass the security altogether then you're getting into cracking the EXE. This would take a significant amount of time and is something that only an extremely small number of people would have the technical skills to do as you are now having to bypass all of PDS's security features (as they check if any of the game files are modified/tampered with) and not just a single hashed password. I'm willing to bet that of the people that are able to do this roughly 0 of them will ever be bothered to put in that much time just so they can play someone else's country in a MP game.

It is a very good suggestion that players should be strongly advised when picking a password not to use any of their existing ones (maybe tell them that these passwords are ok to write down). I don't agree that the risk of 'criminal elements' is large enough to make a hashed password a bad idea. Other than them having to spend a large amount of time and computing power just to grab a few save game passwords (when there are still thousands of websites with terrible security and huge user databases), it's not a good argument that we should not use passwords because there are some bad people out there trying to crack passwords. It's still a lot better than having no password at all.

There is no reason this couldn't work and the argument that hashing would be an inadequate security measure for this feature is not a strong one.
 

paqla

@KiwiNoob your point about salt is not true. I can still make a hash-only rainbow table because a salt is public data and is often stored with the hash. I would only be able to crack the single password with a given rainbow table, but in this case it is not a lot of hashes I need to crack; salt would not help.

If a mod would be so kind as to close this post it would be nice, as there is no more use for it and there is a lot of false information about the security of hashing @Guraan
 
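Added example, not part of any post in this thread and not Paradox's code: a sketch of the save-file lock record the posts by KiwiNoob and paqla argue about, with an unsalted fast hash beside a per-save salted, iterated one. The function names, record fields and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; tune the cost to the slowest machine
# that has to load the save.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def weak_lock(password: str) -> str:
    """Unsalted fast hash: every save using this password stores the same value,
    so one precomputed table covers all saves ever posted."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_lock(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build the record a save file would store for one locked country."""
    salt = os.urandom(SALT_BYTES)  # fresh per record, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"kdf": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "digest": digest.hex()}


def check_lock(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time.
    This checks a password only; it does not detect a rewritten record, which
    needs save-file integrity protection."""
    if record.get("kdf") != "pbkdf2-sha256":
        return False  # unknown scheme: refuse rather than guess
    try:
        salt = bytes.fromhex(record["salt"])
        expected = bytes.fromhex(record["digest"])
        iterations = int(record["iterations"])
    except (KeyError, ValueError, TypeError):
        return False  # malformed or hand-edited record
    if not 1 <= iterations <= 10_000_000:
        return False  # a save from a stranger must not pick an unbounded cost
    got = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample input
    print("unsalted, same in every save:", weak_lock(pw) == weak_lock(pw))
    a, b = make_lock(pw), make_lock(pw)
    print("salted records differ:", a["digest"] != b["digest"])
    print("correct password accepted:", check_lock(a, pw))
```

The salt and iteration count make each guess specific to one save and slow; they do not stop offline guessing of a weak or reused password once the save is public, which is the concern raised earlier in the thread.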

podcat

Game Director
Paradox Staff
Since this thread has veered off course I agree with above.
 