Search
Forum Home | Login
lukkas_ROCKUS
lukkas_ROCKUS
Join Date 04/2009
+17

Security breach: Unencrypted passwords in games.pref

June 1, 2009 11:00:33 AM from Demigod ForumsDemigod Forums

If you go to My Documents --> My Games --> Demigod, there's a file called games.pref.

In that file, it stores your Impulse password unencrypted.  If your system is hacked or if you share your computer with inquisitive people, this is a serious security breach.  Demigod should hash that password before storing it, at the very least.

Locked Post
Search this post
Advanced Search
Subscription Options
Reason for Karma (Optional)
Successfully updated karma reason!
lukkas_ROCKUS
Annatar11
Join Date 11/2006
+527
Reply #1 June 1, 2009 11:07:25 AM
from Demigod ForumsDemigod Forums

It's supposed to be getting fixed, hopefully in this upcoming patch.

Reason for Karma (Optional)
Successfully updated karma reason!
lukkas_ROCKUS
Raknor
Join Date 04/2007
+11
Reply #2 June 1, 2009 11:22:20 AM
from Demigod ForumsDemigod Forums

You can encrypt it all you want. If your system is tainted, any malware can simply install a keylogger.

It does not matter whether the program reads the password from that file, from memory or simply waits for you to type it in. You need to prevent the infection in the first place.

Reason for Karma (Optional)
Successfully updated karma reason!
lukkas_ROCKUS
Anarchy
Join Date 05/2009
+5
Reply #3 June 1, 2009 7:04:34 PM
from Demigod ForumsDemigod Forums

Storing your passwords locally without a master-password to protect them is never secure. For example in Firefox or IE, when you let them store your login data, those infos can easily be retrieved again by potential malware. So "encrypting" that stuff really only gives you a false sense of security.

Reason for Karma (Optional)
Successfully updated karma reason!
lukkas_ROCKUS
lukkas_ROCKUS
Join Date 04/2009
+17
Reply #4 June 2, 2009 12:35:06 AM
from Demigod ForumsDemigod Forums

Storing your passwords locally without a master-password to protect them is never secure. For example in Firefox or IE, when you let them store your login data, those infos can easily be retrieved again by potential malware. So "encrypting" that stuff really only gives you a false sense of security.

It's always a false sense of security, isn't it?  I mean, the Department of Defense invests millions in securing its systems and they still get hacked.  Any computer system hooked up to the internet is insecure, plagued by a false sense of security.

That being said, there are still degrees of security.  Would the DoD ice always protect me 100%?  No.  But I'd still love to have it.

Will encrypting my Demigod passwords protect me from a moderately experienced and dedicated intruder?  No.  But I'd still love to have it.  For example, it would keep an amateur like my nephew from visiting and pulling up my password.  He wouldn't know how to reverse a hash but he can open a file in notepad.

Hashing a password is a low-effort activity that would protect me from casual intruders.  It's a basic, standard practice that Demigod should follow.

Reason for Karma (Optional)
Successfully updated karma reason!
lukkas_ROCKUS
Spooky__
Join Date 10/2008
+74
Reply #5 July 3, 2009 6:06:40 PM
from Demigod ForumsDemigod Forums

Quoting Annatar11,
reply 1
It's supposed to be getting fixed, hopefully in this upcoming patch.
Still not fixed.

Quoting Anarchy,
reply 3
Storing your passwords locally without a master-password to protect them is never secure. For example in Firefox or IE, when you let them store your login data, those infos can easily be retrieved again by potential malware. So "encrypting" that stuff really only gives you a false sense of security.
A master password gives you a false sense of security? In your example, the "master password" is the unencrypted impulse password in the Game.prefs

Reason for Karma (Optional)
Successfully updated karma reason!
View all recent posts
Mark all posts as read Delete cookies created by the forum Return to Top
Stardock Forums v        Server Load Time:   Page Render Time:

Stardock Magazine | Register | Online Privacy Policy | Terms of Use

Copyright © 2025 Stardock Entertainment and Gas Powered Games. Demigod is a trademark of Stardock. All rights reserved. All other trademarks and copyrights are the properties of their respective owners. Windows, the Windows Vista Start button and Xbox 360 are trademarks of the Microsoft group of companies, and 'Games for Windows' and the Windows Vista Start button logo are used under license from Microsoft. � 2012 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo and combinations thereof are trademarks of Advanced Micro Devices, Inc.