Search
Forum Home | Login
Zechnophobe
Zechnophobe
Join Date 04/2009
+57

plaintext password in game.prefs?

April 26, 2009 8:12:11 PM from Demigod ForumsDemigod Forums

line 7 of the game.prefs file that Demigod installs, includes your user password for Demigod, in plain text.

As a (somewhat minor) software developer myself, this appears to be one of the biggest security risks I've ever seen.  To make it worse, the actual line 7 says:

 

            ImpulsePassword = 'myPassword',

 

meaning that any kind of utility searching for 'password' comes up with it, and then it even goes ahead and tell that sniffer what the password is for.

 

The argument can be made that 'hey it's just the impulse password, nothing major'.  However this is a well known bag of hooey.  A large number of users use the same or similar login/password combinations for their various accounts, and so knowing one of them can unlock numerous others.

 

Even worse, is that this is a password to a service that demigod isn't the owner of.  Impulse is owned by one company, DG by the other.  Yet here they are ruining the security system of impulse just to take the 'easy way out' in remembering a users login.

 

Locked Post
Search this post
Advanced Search
Subscription Options
Reason for Karma (Optional)
Successfully updated karma reason!
Zechnophobe
kryo
Join Date 05/2003
+458 sdemployee
Reply #1 April 26, 2009 10:02:51 PM
from Demigod ForumsDemigod Forums

We are aware and have requested that GPG fix this.

Reason for Karma (Optional)
Successfully updated karma reason!
Zechnophobe
n3crosys
Join Date 04/2009
0
Reply #2 April 27, 2009 10:19:18 AM
from Demigod ForumsDemigod Forums

Kind of begs the question, why would GPG include it in the first place?

Reason for Karma (Optional)
Successfully updated karma reason!
Zechnophobe
Annatar11
Join Date 11/2006
+527
Reply #3 April 27, 2009 10:28:34 AM
from Demigod ForumsDemigod Forums

Quoting n3crosys,
reply 2
Kind of begs the question, why would GPG include it in the first place?

Because we kept asking during the beta to have a remember password option on login (used to have to type it all in each time). That was before any of the Impulse stuff was coming around, so they probably didn't realize it's the master Impulse account password.

Reason for Karma (Optional)
Successfully updated karma reason!
View all recent posts
Mark all posts as read Delete cookies created by the forum Return to Top
Stardock Forums v        Server Load Time:   Page Render Time:

Stardock Magazine | Register | Online Privacy Policy | Terms of Use

Copyright © 2026 Stardock Entertainment and Gas Powered Games. Demigod is a trademark of Stardock. All rights reserved. All other trademarks and copyrights are the properties of their respective owners. Windows, the Windows Vista Start button and Xbox 360 are trademarks of the Microsoft group of companies, and 'Games for Windows' and the Windows Vista Start button logo are used under license from Microsoft. � 2012 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo and combinations thereof are trademarks of Advanced Micro Devices, Inc.