Graal Forums  

#1
02-22-2007, 06:56 PM
Kristi
Quote:
Originally Posted by Gambet
Not at all.

You can only have one username per Graal account.
Really? All I see on the serverside is this. Doesn't seem to check if the player account already has a bank account. If it's on the clientside then you're screwed anyway because someone can always screw with clientside scripts and just trigger the server. This means they could still endlessly flood the database.

PHP Code:
 else if (params[0] == "Register")
   {
    // params[1] arrives from the client and is used as the record key
    if (gambet_bankDB.(@params[1]) == "")
     {
      // first registration initialises the counter, later ones increment it
      if (gambet_bankDB.counter == "")
       {
        gambet_bankDB.counter = 1;
       } else
        {
         gambet_bankDB.counter += 1;
        }
      // record: {username, password, account id, balance}
      gambet_bankDB.(@params[1]) = {params[2],params[3],gambet_bankDB.counter,0};
      gambet_bankDB.usernames_used.add(params[2]);
      this.success = "true";
     } else
      {
       this.success = "failed";
      }
    player.triggerclient(name,"Registered",params[2],params[3],gambet_bankDB.counter,this.success);
   }
Quote:
Originally Posted by Gambet
That doesn't really matter because of the fact that I made it a 10 character limit and I even added a password strength checker.

I don't know about you, but I find it hard to believe that people would use 10 character passwords for things such as emails and so forth.

Besides, why would you use the same password for your personal information on a registration NPC on Graal?
I overlooked the password length check. That keeps people from using their Graal password, so it's a good start. However, even if it's not an IDENTICAL password, that ten char password could lead to hints of what they use as passwords elsewhere. Like "hey, I always use butter as my password, so I'll use Butter1984 here." Someone who can see this can still, with a few tricks and turns, crack a password they use elsewhere. It's still a risk.

Quote:
Originally Posted by Gambet
I don't know about you, but I wouldn't be bothered with having a 10 character password for every site I have to register with. Not to mention it's quite easy to give -r to the DB NPC so that no one except the Manager or so can access it (assuming that right doesn't allow you to access it even via script).
Like I said, you don't even need access to it, or even the clientside weapon. You can construct another weapon to add to their account that reads the string in other weapons. It's very possible. It's still a risk, and one you can't avoid.

Quote:
Originally Posted by Gambet
I don't really understand what you mean by this.
You have one big long function serverside. It's good practice to break it up into tasks.
You had things like function onCheckWhatever(temp.stuff,temp.that). "on" just denotes an event (like onPlayerEnters). You don't need "on" in your custom declared functions. Also, you don't have to put temp. in the function declaration; they are temp. by default. CheckWhatever(stuff,that) is sufficient. Inside that function you can access it as stuff or temp.stuff.

Quote:
Originally Posted by Gambet
This was the only part of the script I did not fully make, the password strength checker. As I stated in my first post, Joey helped me with this part.

Are there better ways to do it? Most of the time there are always better ways of doing something, mostly due to the type of habits that certain scripters have, where they prefer one method over the other and so forth.
Yes! I provided a function even!

Quote:
Originally Posted by Gambet
This system isn't perfect, but it's a 'core' system that can be tampered with to be made even greater to fit any server, really.
No one expects things to be perfect; however, it's a security risk. I cannot just say that's okay.
#2
02-22-2007, 07:07 PM
Gambet
Quote:
Originally Posted by Kristi
Really? All I see on the serverside is this. Doesn't seem to check if the player account already has a bank account. If it's on the clientside then you're screwed anyway because someone can always screw with clientside scripts and just trigger the server. This means they could still endlessly flood the database.

I'm going to assume you overlooked this part, then:

PHP Code:
if (gambet_bankDB.(@params[1]) == "")


Quote:
Originally Posted by Kristi
I overlooked the password length check. That keeps people from using their Graal password, so it's a good start. However, even if it's not an IDENTICAL password, that ten char password could lead to hints of what they use as passwords elsewhere. Like "hey, I always use butter as my password, so I'll use Butter1984 here." Someone who can see this can still, with a few tricks and turns, crack a password they use elsewhere. It's still a risk.
I guess, but I can't exactly make up for the stupidity of some of the users. No matter how much thought you give into it, there will always be a skilled scripter that can find out the information anyway.

I don't exactly see a foolproof way of doing it.


Quote:
Originally Posted by Kristi
You have one big long function serverside. It's good practice to break it up into tasks.
You had things like function onCheckWhatever(temp.stuff,temp.that). "on" just denotes an event (like onPlayerEnters). You don't need "on" in your custom declared functions. Also, you don't have to put temp. in the function declaration; they are temp. by default. CheckWhatever(stuff,that) is sufficient. Inside that function you can access it as stuff or temp.stuff.
That onCheckWhatever part was created by Joey.

If you look at the rest of the script, I didn't do such in my custom functions.




Quote:
Originally Posted by Kristi
No one expects things to be perfect; however, it's a security risk. I cannot just say that's okay.

Wouldn't be a risk if the players would use some logic.

Though, I still don't know of a foolproof way of doing it, because there will always be methods of finding the password data.
#3
02-22-2007, 08:35 PM
Kristi
Quote:
Originally Posted by Gambet
I'm going to assume you overlooked this part, then:
if (gambet_bankDB.(@params[1]) == "")
params[1] can be anything the client passes it, for example, sadgkhssdfsdkjlj! So it's still exploitable to keep filling your database, even claiming bank accounts for other people's Graal accounts BEFORE they do :O.
if(gambet_bankDB.(@player.account) == "")


Quote:
Originally Posted by Gambet
I guess, but I can't exactly make up for the stupidity of some of the users. No matter how much thought you give into it, there will always be a skilled scripter that can find out the information anyway.

I don't exactly see a foolproof way of doing it.
Then just DON'T do it! Graal, as of now, has no safe way to protect data in a client. Why even present a risk you KNOW is there? Do you plan on telling the players it's POSSIBLE a rogue staff could get their password if they wanted to? How would they feel about it? You cannot just let them believe it's safe.
I don't ever make my passwords the same theme, but MOST people do.

Quote:
Originally Posted by Gambet
That onCheckWhatever part was created by Joey.

If you look at the rest of the script, I didn't do such in my custom functions.
Hey, in the end it was your release.




Quote:
Originally Posted by Gambet
Wouldn't be a risk if the players would use some logic.

Though, I still don't know of a foolproof way of doing it, because there will always be methods of finding the password data.
You cannot assume all (even most) players are logical. It is your job to protect such data if you are going to ask for it, and honestly, with what is available to Graal, you can't.
#4
02-22-2007, 08:41 PM
Gambet
Quote:
Originally Posted by Kristi
Then just DON'T do it! Graal, as of now, has no safe way to protect data in a client. Why even present a risk you KNOW is there? Do you plan on telling the players it's POSSIBLE a rogue staff could get their password if they wanted to? How would they feel about it? You cannot just let them believe it's safe.
I don't ever make my passwords the same theme, but MOST people do.
It doesn't really matter if anyone sees what password you put as your password for your Graal bank account unless they feel like assuming you use that same password for other things and bother checking into it, which is an unlikely situation if you have trustworthy staff.

Hell, anyone could easily send a keylogger over to another person to steal their information if they wanted to. You think most Graalians could even bother to learn about anti-virus protection? And even with that there are ways to bypass detection.

Quote:
Originally Posted by Kristi
Hey, in the end it was your release.
Yes, but you make it sound like it was done for each custom function.

It's not really a big deal, it's easily fixable.

Quote:
Originally Posted by Kristi
You cannot assume all (even most) players are logical. It is your job to protect such data if you are going to ask for it, and honestly, with what is available to Graal, you can't.

That's no excuse not to have such systems.

If the player knows it's possible for staff to see their password and they still choose to use a similar password as those that they use on other sites, then I'm sorry to say this, but they deserve to get their accounts hijacked for being such imbeciles.
#5
02-22-2007, 09:22 PM
Kristi
Quote:
Originally Posted by Gambet
If the player knows it's possible for staff to see their password and they still choose to use a similar password as those that they use on other sites, then I'm sorry to say this, but they deserve to get their accounts hijacked for being such imbeciles.
IF a player knows, which is a pretty big assumption, wouldn't you say? They deserve to be protected. Using a common theme password is common amongst MOST people. Usually bad actions are a result of tensions; like, let's say a staff member hates a player, then he's like OH I want to RUIN HIS LIFE BY STEALING HIS EMAIL. So then he intercepts his bank password for clues on how he formulates his passwords, and gets to random cracking attempts. He is now more equipped to do so than before, thus making the poor player have a disadvantageous position due to this script. Just saying your players are "Imbeciles" and therefore deserve to be open to this risk is a horrible thing to say, and bad service as staff! You seem to be unaware how many people would assume their information is safe and trust the server they love, and here you are saying it's their fault if they use something wrong. At least inform them that staff can see these passwords.
#6
02-22-2007, 09:33 PM
Gambet
Quote:
Originally Posted by Kristi
IF a player knows, which is a pretty big assumption, wouldn't you say? They deserve to be protected. Using a common theme password is common amongst MOST people. Usually bad actions are a result of tensions; like, let's say a staff member hates a player, then he's like OH I want to RUIN HIS LIFE BY STEALING HIS EMAIL. So then he intercepts his bank password for clues on how he formulates his passwords, and gets to random cracking attempts. He is now more equipped to do so than before, thus making the poor player have a disadvantageous position due to this script. Just saying your players are "Imbeciles" and therefore deserve to be open to this risk is a horrible thing to say, and bad service as staff! You seem to be unaware how many people would assume their information is safe and trust the server they love, and here you are saying it's their fault if they use something wrong. At least inform them that staff can see these passwords.

If they use the script then they should know how it works, thus they can go about securing it as they wish.


If I based my systems on the level of intelligence of the average Graalian, I'd probably make everything text based, requiring absolutely no information to be given from the player, mostly due to the fact that players don't even read long descriptions and so forth.


Hell, if they do get hijacked they can take it as a learning experience. The warnings have been laid out; it's the user's responsibility to heed the warnings and intelligently create a password that would have little to do with the actual passwords they use for other things.


You base your arguments assuming that the players will use similar passwords to those they use on other sites, and then you go on to assume that your staff will try to hijack email accounts and so forth with this information, which is going way out on a limb. Though yes, it may be possible in some instances, nobody is going to check each and every password against each and every player's email account to see which one is a match.

It's always nice to give way to all possibilities, but when there's no way of securing the information, all you can do is give out warnings and hope the players heed them.

I'd understand you arguing if there were currently a way to secure the passwords, but since there isn't, I don't really see why we need to continue going back and forth.

I understand the risks, thus you're talking to the wrong person. If I could secure the password system, I would.
#7
02-22-2007, 09:51 PM
Kristi
Quote:
Originally Posted by Gambet
I'd understand you arguing if there were currently a way to secure the passwords, but since there isn't, I don't really see why we need to continue going back and forth.

I understand the risks, thus you're talking to the wrong person. If I could secure the password system, I would.
Because you are calling the players idiots instead of doing anything. Revise the script to say *Staff can see your password, so do not choose anything that resembles passwords on other things you own* or something along those lines. Make it loud and clear.

There are things you can do to at least better it, like md5 ;/
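The two fixes argued for in this thread, keying the bank record on the server-known player.account instead of the client-supplied params[1] (post #3) and storing a hash rather than the password itself (post #7), as an added example. This is not Gambet's script and not GraalScript: the GS2 objects are modelled in plain Python so it can be run offline. `session_account` stands in for player.account, `params` is the list the client sends, `new_db()` stands in for the gambet_bankDB NPC, and the 10 character limit from the thread is treated as a maximum; all of those are assumptions for illustration. It uses salted PBKDF2 in place of the bare md5 suggested above, for the reason given in the comments.

```python
import hashlib
import hmac
import os

# Assumed stand-in for the gambet_bankDB NPC: one record per Graal account,
# plus the running counter and the set of taken usernames the script keeps.
def new_db():
    return {"counter": 0, "usernames_used": set(), "accounts": {}}

# The thread mentions a 10 character limit; treated here as a maximum (assumption).
MAX_PASSWORD_LEN = 10
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt=None):
    """Return (salt, digest) for a password.

    Salted PBKDF2-HMAC-SHA256 rather than bare md5: a per-record salt stops two
    players with the same password producing the same stored string, and the
    iteration count makes guessing the original slow. Anyone who can read the
    NPC's variables sees only salt and digest, never the password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def register(db, session_account, params):
    """Server-side handler for the client's "Register" trigger.

    session_account is the identity the server already authenticated
    (player.account in GS2) and is the only identity used to key the record.
    params is the list the client sent; params[1], which the original script
    used as the key, is never read because the client controls it.
    Returns the status string the original script sends back to the client.
    """
    if len(params) < 4 or params[0] != "Register":
        return "failed"
    username, password = params[2], params[3]
    if session_account in db["accounts"]:      # one bank account per Graal account
        return "failed"
    if not username or username in db["usernames_used"]:
        return "failed"
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        return "failed"
    db["counter"] += 1
    salt, digest = hash_password(password)
    # Same fields as the original {username, password, counter, 0} record,
    # with the password replaced by its salted hash.
    db["accounts"][session_account] = {
        "username": username, "salt": salt, "hash": digest,
        "id": db["counter"], "balance": 0,
    }
    db["usernames_used"].add(username)
    return "true"

def login(db, session_account, password):
    """Check a bank password for the authenticated player; unknown accounts fail."""
    rec = db["accounts"].get(session_account)
    return rec is not None and verify_password(password, rec["salt"], rec["hash"])

def record_exposes_password(db, session_account, password):
    """True if the stored record contains the password in clear, i.e. what a
    staff member with read access to the DB NPC would see in the original."""
    rec = db["accounts"].get(session_account)
    return rec is not None and password in repr(rec)

if __name__ == "__main__":
    db = new_db()
    # Constructed sample: params[1] forged to name a different player.
    print(register(db, "kristi", ["Register", "someoneelse", "kbank", "Butter1984"]))
    print(sorted(db["accounts"]))   # only the authenticated account is keyed
    print(login(db, "kristi", "Butter1984"))
```

The flood and squatting problem from post #3 disappears because the record key never comes from the client: a player can register once, under their own account, whatever they put in params[1]. The hash does not stop a rogue staff member from reading the DB NPC, it only makes what they read useless as a password hint, which is the concern raised earlier in the thread.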