[MUD-Dev] strong encryption for authentication

Travis Casey efindel at earthlink.net
Thu Jul 12 19:59:13 New Zealand Standard Time 2001

On Thursday July 12, 2001 00:13, Caliban Tiresias Darklock wrote:
> On Wed, 11 Jul 2001 15:02:44 -0400, Travis Casey
> <efindel at earthlink.net> wrote:

>> 1 - In a commercial game, you may want users to be able to pay
>> their account within the game, change their billing address,
>> update credit card information, update their real email address,
>> etc.  Encryption for any such personal or financial info is a
>> good idea, and *not* encrypting it could potentially form a basis
>> for negligence lawsuits... or at least require you to add some
>> scary language to your user agreement.

> Encryption of THAT data makes sense. Encryption of ALL data really
> doesn't.

Which is basically what I said in part of what you cut out -- that
#1 only requires encrypting *some* data, not all of it.

>> If you're not using some form of encryption, then what good does
>> a cookie-based OTP scheme do?  If someone running a sniffer
>> intercepts the cookie

> ...it will be worthless.

> The cookie is randomly generated by the server when the password
> prompt is presented. It is then hashed into the player's password
> and returned.

Which is a form of encryption.  As I said above... "If you're not
using some form of encryption..."

>> (On the other hand, though, why re-invent the wheel?

> My point exactly. If you have a special purpose use, you will need
> special purpose software -- which, in most cases, already
> exists. ;)

That still doesn't address all of the reasons, though -- e.g., point

       |\      _,,,---,,_     Travis S. Casey  <efindel at earthlink.net>
 ZZzz  /,`.-'`'    -.  ;-;;,_   No one agrees with me.  Not even me.
      |,4-  ) )-,_..;\ (  `'-' 
     '---''(_/--'  `-'\_) 

MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the MUD-Dev mailing list