[Technical] Stop sending passwords in plaintext email

 
episkopos
Mortal
Joined: Nov 01, 2012
Posts: 6

Posted: Fri Nov 02, 2012 3:21 pm    Post subject: [Technical] Stop sending passwords in plaintext email

Email is not a secure service. There is absolutely no need to ever send passwords through email.

On registration, simply don't do it. There's no reason to. If the person registering wants a password reminder, they can write it down or save it in a text file. It's really not a lot more secure than that. Or use a password manager, which is much better practice.

For password resets (if this isn't done already, I don't know), simply send a link to a webpage that expires after 24 hours and allows the entering of a new password.
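
The expiring reset link suggested in the post above, as an added example (not code from this thread, PHP-Nuke or phpBB). The `ResetStore` class, its in-memory table and the `game.example` URL are assumptions made for illustration; the email carries only a random single-use token, and the server keeps only that token's hash.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 24 * 60 * 60  # the 24-hour lifetime suggested in the post


class ResetStore:
    """In-memory stand-in for a database table of pending resets (hypothetical)."""

    def __init__(self, base_url="https://game.example/reset"):  # placeholder URL
        self.base_url = base_url
        self._pending = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue_link(self, username, now=None):
        """Return the URL to email. Only the token's hash is kept server-side."""
        now = time.time() if now is None else now
        # A new request supersedes any older, still-pending link for this user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, now + RESET_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def redeem(self, token, now=None):
        """Return the username if the token is valid, else None. Single use."""
        now = time.time() if now is None else now
        try:
            digest = self._digest(token)
        except UnicodeEncodeError:
            return None  # real tokens are ASCII; anything else is invalid
        entry = self._pending.pop(digest, None)  # pop: a link works only once
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            return None  # expired links are discarded, not honoured
        return username


def token_from_link(link):
    """Extract the token the reset page would receive as a query parameter."""
    return link.split("token=", 1)[1]
```

When `redeem` returns a username, the reset page accepts the new password over HTTPS and stores it with a password-hashing function; the password itself never appears in any email.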

Zamiel
Active Member
Joined: Jan 19, 2010
Posts: 219

Posted: Fri Nov 02, 2012 4:53 pm

The account management system is entirely PHP-Nuke's, as the creator of this game is entirely self-taught and likely wanted to get straight to the game instead of dealing with the "boring" stuff.

Unfortunately since PHP-Nuke hails from 7 years ago, well... That leaves it rather lacking conceptually and quite severely vulnerable.

Bob should most certainly be adding the now-standard notice that no one should ever use the same password for two different things, but otherwise I don't know how much he can actually do about the account code.

episkopos
Mortal
Joined: Nov 01, 2012
Posts: 6

Posted: Fri Nov 02, 2012 6:58 pm

What about porting to a more regularly maintained framework, perhaps one that allows more control over these things?

It seems PHP-Nuke has a large number of unpatched vulnerabilities. I admit it would be a lot of work, but the consequences of a security breach could be very damaging and time-consuming indeed.

Kylinn
Nexus Clash Veteran
Joined: Feb 26, 2010
Posts: 1702

Posted: Sat Nov 03, 2012 2:09 pm

Do you have any suggestions of a decent free modern forum system? This is not meant to be snarky; I am considering starting some forums for a small group of my own and don't know anything about how the different services compare.

episkopos
Mortal
Joined: Nov 01, 2012
Posts: 6

Posted: Sun Nov 04, 2012 6:12 am

Kylinn wrote:
Do you have any suggestions of a decent free modern forum system? This is not meant to be snarky; I am considering starting some forums for a small group of my own and don't know anything about how the different services compare.


I've never run a forum. The actual forums system this site uses, phpBB, is not a bad forum engine: it's possibly the most popular free forum engine in the world. The problem is PHP-Nuke, which is the framework used to join the game and the forums together.

For a forum engine, I'd probably try Simple Machines or phpBB if you want a free one.

I assume you know how to set up hosting, and install web server software if it doesn't come pre-installed with your hosting plan.

If you don't, and you only need a small, low traffic forum, you can always use one of the numerous free forum hosts out there. Ultimately, though, you get what you pay for.

Zamiel
Active Member
Joined: Jan 19, 2010
Posts: 219

Posted: Sun Nov 04, 2012 4:10 pm

Hosting and server management is handled and not a problem, if memory serves.

It would be nice if there was an account bridge between MediaWiki and SMF or phpBB, but all the ones that get made are never maintained and don't function with current versions.

I know XenForo has an actively maintained MediaWiki bridge; however, the forum software itself is not free.

BobGeneric
Administrator
Joined: Nov 07, 2009
Posts: 1762

Posted: Thu Nov 08, 2012 8:15 pm

PHP-Nuke will not be used to underpin Breath 4. I am currently using phpBB to underpin the Breath 4 code with whatever the latest stable version of phpBB was as of October 2012 (don't have exact version number handy).

I could have coded an independent login system at this point but it would be inelegant to do so; having one login for both forums and game is useful and the forums add to the ability for conversation. Thus, it seemed logical not to reinvent the wheel and just borrow phpBB's login tracking. That is the only piece that is borrowed; the rest of the code (including database calls and data cleaning) is my doing.

The wiki is its own beast; I am staying clear of mucking with it for now.

All times are GMT - 7 Hours