MULTIPLAYER QUESTION ( PARADOX READ )

[Kentti]

What do you mean by "not safe"? If you save the hash, tell me how you can revers engineer it? You guys just have to implement it correct ;-) And i am sure that you guys are able to do so.

The "not safe" part is having to save and pass the hashed password around in the save file. While hash functions aren't reversible, they're also simple to attack by brute force. While brute forcing a hash would definitely be something that your co-players in a MP game wouldn't be able to do and thus wouldn't be able to cheat, the criminals who do it for living could just collect the hashes from the saves passed around in paradox MP forums and brute force the passwords out of them and add them to their collections.

 

[agentgb]

We have talked about it, but as you guys just said; we cannot make anything "safe and secure" for this as it is right now, and since we do not want to encourage ppl to use their passwords for something that is not safe (yeah most ppl do reuse their passwords), we will delay this feature some more (it is under great consideration thou)

somthing that would lock you into playing a faction would be neat, so you couldn't change in between to look at others, don't think it needs to be passworded, just not so easy to swap between countries and look at other players countries techs, armies etc, i don't think people will go to huge efforts, i believe EU4 has somthing like this which can be toggled on and off by the host?

 

[Guraan]

What do you mean by "not safe"? If you save the hash, tell me how you can revers engineer it? You guys just have to implement it correct ;-) And i am sure that you guys are able to do so.

Not reverse engineer, but as stated before by brute force and/or rainbow tables etc. It is just "not safe" to give out even a digest in my opinion, but heck with some googling around there might be a simple solution just right around the corner O

somthing that would lock you into playing a faction would be neat, so you couldn't change in between to look at others, don't think it needs to be passworded, just not so easy to swap between countries and look at other players countries techs, armies etc, i don't think people will go to huge efforts, i believe EU4 has somthing like this which can be toggled on and off by the host?

I believe in the same, locked by paradox account, steam id or something similar. And then just have the savegame in non human readable format just as ironman.

 

[Guraan]

The "not safe" part is having to save and pass the hashed password around in the save file. While hash functions aren't reversible, they're also simple to attack by brute force. While brute forcing a hash would definitely be something that your co-players in a MP game wouldn't be able to do and thus wouldn't be able to cheat, the criminals who do it for living could just collect the hashes from the saves passed around in paradox MP forums and brute force the passwords out of them and add them to their collections.

Tbh you wrote all the things i feel when it comes to this O
We are not worried about you guys here at the forum, we are skeptical about the rest of internet. And I always say; "Prepare for the worst, hope for the best"

 

[KiwiNoob]

I think the 'not safe' camp has forgotten a couple of extremely important points.

Firstly, hashing is secure enough for this purpose - especially if they are (as all people should) be adding a salt to the hash (which can also be stored in the save file) to prevent a straight up hash-only rainbow table from working. When it comes to cracking the hash they need to bear in mind that 99.5% of players either:

1. Lack the technical skills to do it; or
2. Cant be bothered to do it (as people have already pointed out - it would require a lot of time to brute force the hash); or
3. Wont do it because it's a stink thing to do

Secondly, if you want to bypass the security all together then you're getting into cracking the EXE. This would take a significant amount of time and is something that only an extremely small number of people would have the technical skills to do as you are now having to bypass all of PDS's security features (as they check if any of the game files are modified/tampered with) and not just a single hashed password. I'm willing to bet that of the people that are able to do this roughly 0 of them will ever be bothered to put in that much time just so they can play someone else's country in a MP game.

It is a very good suggestion that players should be strongly advised when picking a password not to use any of their existing ones (maybe tell them that these passwords are ok to write down). I don't agree that the risk of 'criminal elements' is large enough to make a hashed password a bad idea. Other than them have to spend a large amount of time and computing power just to grab a few save game passwords (when there are still thousands of websites with terrible security and huge user databases) it's not a good argument that we should not use passwords because there are some bad people out there trying to crack passwords. It's still a lot better than having no password at all.

There is no reason this couldn't work and the argument that hashing would be an inadequate security measure for this feature is not a strong one.

 

[paqla]

@KiwiNoob you point about salt is not true i can sill make a hash-only rainbow table because a salt is public data and is stored with the hash offen. I would only be able to crack the single password with a given rainbow table, but in this case it is not alot of hashes i need to crack salt would not help.

If a mod would be so kind as closeing this post it would be nice as there is no more use for it and there is alot a false information about the security of hashing @Guraan

 

[podcat]

Since this thread has veered off course I agree with above.