Security and handling of passwords

  • Security and handling of passwords

    Not a bug, but a general complaint.

    When someone registers to OGame, the user and password are sent through an e-mail. That is not a modern and secure handling of passwords. Ideally it should not be possible for GameForge to access any raw password.

    Are there plans to implement a more up-to-date system regarding security/privacy in this case?
    I think it could be good. And one would expect it to be implemented by 2017 :D
  • That's true, but the password is only sent to you and only the system knows which password you use.

    Only maybe some higher people at GameForge can look into the system and get to see your password, we don't get that kind of information as a team :)

    And people who handle that kind of stuff have a DPA, so your data is protected that way and there will be consequences for breaking a DPA if it happens :)
    Origin Supporter
    TM - OGame.dk
    Mail: erikfyr@ogame.dk
  • There are no plans to change that behavior.
    It is the same reason why there is only 1 logout per day and not every 15 minutes as on high security pages.

    The reason is the usability and the experience of many years with that game. There was that behavior to not send passwords in the mail > problem: users did not find the way back into the game, because they forgot the password. Sure, they can now use the forgotten password function, but it is a barrier.

    For sure, from a security point of view it is better to never send out a password via mail and handle everything in the game. It is also better to have a well-working session handling, but you have to find a balanced way of security and usability.

    LG

    P.S.: Just to be sure, passwords are securely stored. No one can figure out your password, also no teamler, coma and also no developer.
    Being a QA is sort of like being a goal keeper. People only talk about you when you’ve screwed up. We are the silent guardians of game development, and they will never have to thank us.
  • @JoKy, yes, I know that a balance is necessary. However, I do not see the benefit there regarding the password. And when I mention 2017 I mean that it's a behaviour that we can see almost everywhere (on every common website and app), so if someone forgets, I think it's reasonable to expect them to use the forgot-password function.

    In any case, we can assume that when one registers, the game takes that password and sends it through mail (this is a security flaw), and after that it's secured (hashed and all those things) and stored that way forever. I know we are not talking about bank accounts or mail accounts, but still, I wanted to bring your attention to this subject because this is definitely not the "standard procedure" (at least for 2017; in the past security was much less widespread in this sense).

    Thanks for your attention.
  • The fact that your password is sent by e-mail after registration doesn't mean that the password is saved in clear in the database (and so that whoever can watch the database could see your password).

    I'm pretty sure that the site works in this way:
    1) the user writes nick and password in the form on the homepage
    2) the data is sent to the server page
    3) the data is read by code, which creates and sends the e-mail
    4) the data is stored in the database with md5 or another encryption system

    Many registration systems provide that the user does not choose the password at the registration stage, but that it is generated randomly and sent by e-mail.
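    As an added example that is not part of this thread and not OGame's or GameForge's code: a constructed version of the four-step registration flow above in which the step 3 e-mail carries no password, the stored credential is a salted PBKDF2 hash, and lost access is recovered with a short-lived, single-use reset token instead of a mailed password. The in-memory USERS/RESET_TOKENS/OUTBOX stores, the reset URL and the caller-supplied `now` timestamp are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for the game's database and mailer (assumptions).
USERS = {}           # nick -> {"salt": bytes, "hash": bytes}; never the password itself
RESET_TOKENS = {}    # nick -> (sha256(token), expiry_timestamp)
OUTBOX = []          # (nick, message) pairs the mailer would send
TOKEN_TTL = 15 * 60  # reset links expire after 15 minutes

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def register(nick, password):
    """Steps 1-4 of the post's flow, except that the e-mail (step 3) carries no password."""
    salt, digest = hash_password(password)
    USERS[nick] = {"salt": salt, "hash": digest}
    OUTBOX.append((nick, "Welcome! If you lose access, use the forgot-password function."))
    return True

def verify_login(nick, password):
    rec = USERS.get(nick)
    if rec is None:
        hash_password(password)  # do the same work for unknown nicks to avoid a timing difference
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])

def request_reset(nick, now):
    """Mail a random single-use token; store only its hash so a database read cannot reuse it."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[nick] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    OUTBOX.append((nick, "Reset link: https://game.example/reset?token=" + token))  # assumed URL
    return token

def complete_reset(nick, token, new_password, now):
    """Accept the token once, within its TTL, then replace the stored hash."""
    entry = RESET_TOKENS.pop(nick, None)  # pop: a token is consumed on first use, valid or not
    if entry is None or now > entry[1]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), entry[0]):
        return False
    salt, digest = hash_password(new_password)
    USERS[nick] = {"salt": salt, "hash": digest}
    return True
```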

  • JoKy wrote:

    There are no plans to change that behavior.

    JoKy wrote:

    The reason is the usability and the experience of many years with that game. There was that behavior to not send passwords in the mail > problem: users did not find the way back into the game,

    JoKy wrote:

    P.S.: Just to be sure, passwords are secure stored. No one can figure out your password, also no teamler, coma and also no developer.

    JoKy explained.
    So the password is encrypted and stored.

    If that first part is a security flaw, can you catch someone's password in the time when the backend of the game sends you an e-mail? I don't think so. If you get it, contact us.
