Be careful about registering for private servers!

[C453]

Recently, @RotMGnub has tricked many into using his MulepackageV1.

I've always noticed this issue, but didn't want to mention it until this event occurred.


This is a Warning!
DO NOT USE YOUR PROD EMAIL AND PASSWORD ON ANY PRIVATE SERVER!

EVEN IF THEY ARE "TRUSTED"


For Players:
I recommend changing your password/email if you are using your credentials for production.

For Server Owners:
I recommend changing the 'email' in the registration to 'Username' instead and avoid using emails.

@nilly Sticky Thread Please
BE CAREFUL WHEN REGISTERING INTO A SKILLY SOURCE SINCE IT HAS BEEN CONFIRMED THAT IT TRACKS YOUR PASSWORD.

IT CAN BE USED TO STEAL YOUR REALM OF THE MAD GOD PRODUCTION INFORMATION AND INFORMATION OF OTHER PRIVATE SERVERS.

DO NOT USE YOUR REALM EMAIL/REAL EMAIL AND DO NOT USE YOUR REALM PASSWORD/EMAIL PASSWORD.

[Botmaker]

I agree with everything you’ve said

People can also use the information, like the email and in game name
As a way for phishing for real rotmg account credentials, granted they don’t know the password and wouldn’t be able to hack the account immediately. However there are many possible ways to gain access to the account with just the email and combined with there in game name allows a hacker to target and attack individuals accounts.

[C453]

I agree with everything you’ve said

People can also use the information, like the email and in game name
As a way for phishing for real rotmg account credentials, granted they don’t know the password and wouldn’t be able to hack the account immediately. However there are many possible ways to gain access to the account with just the email and combined with there in game name allows a hacker to target and attack individuals accounts.

Yes, however, even though MySQL "Hashes" passwords, (I'm not going to say how) it is very easy to match hashes and obtain a password in plain text

[Botmaker]

Yes, however, even though MySQL "Hashes" passwords, (I'm not going to say how) it is very easy to match hashes and obtain a password in plain text

It’s really easy to switch off the hashing and have them stored as plain text, The email and password are sent to the world server using RSA, also the client sends the account details to the account server unencrypted because it only use http post and not https like the official client, however you are right.

[RaymondW]

Will take this into consideration!

[nilly]

How does the auto login to last used account feature of the client fit into the picture here? I'm guessing if you forgot to log out before exiting that your account information will be sent to the server even if you didn't want it to?

[C453]

How does the auto login to last used account feature of the client fit into the picture here? I'm guessing if you forgot to log out before exiting that your account information will be sent to the server even if you didn't want it to?

The account won't be sent to the SQL database, however, I bet you can analyse the request from the client with the credentials

[Botmaker]

Salts also combat the use of rainbow tables for cracking passwords

maybe someone could add a salt to the c# server
Salt (cryptography) - Wikipedia, the free encyclopedia

DEFCON 17: Cracking 400,000 Passwords, or How to Explain to Your Roommate why Power Bill is a High - YouTube

[whiteworld]

Ok thanks for letting us know this even though it should be common sense :P just like you dont use your gmail password for a viagra pill site :P

[ImperiDK]

Thanks for information

[Stellar Spark]

As a little update to the discussion, it is becoming more of a concern that some server owners may want to use emails in logins for the purpose of verification and to combat certain vandalism attempts such as account flooding, especially nowadays where people in general have more knowledge on the server scene and coding. For those willing to go that path, it's good practice to make sure users are reminded on registration about this issue.

[Voula]

Thanks so much

[SevenH]

Register with a random email that you dont even have, y/n

[DimitriSavage]

BE CAREFUL WHEN REGISTERING INTO A SKILLY SOURCE SINCE IT HAS BEEN CONFIRMED THAT IT TRACKS YOUR PASSWORD.

IT CAN BE USED TO STEAL YOUR REALM OF THE MAD GOD PRODUCTION INFORMATION AND INFORMATION OF OTHER PRIVATE SERVERS.

DO NOT USE YOUR REALM EMAIL/REAL EMAIL AND DO NOT USE YOUR REALM PASSWORD/EMAIL PASSWORD.

@Luis @Joe Please add this into it to warn all players to be extra careful when registering into a Skilly Source server.

[Luis]

BE CAREFUL WHEN REGISTERING INTO A SKILLY SOURCE SINCE IT HAS BEEN CONFIRMED THAT IT TRACKS YOUR PASSWORD.

IT CAN BE USED TO STEAL YOUR REALM OF THE MAD GOD PRODUCTION INFORMATION AND INFORMATION OF OTHER PRIVATE SERVERS.

DO NOT USE YOUR REALM EMAIL/REAL EMAIL AND DO NOT USE YOUR REALM PASSWORD/EMAIL PASSWORD.

@Luis @Joe Please add this into it to warn all players to be extra careful when registering into a Skilly Source server.

Guess it couldn't hurt.
/edited.