Page 1 of 1

Empty password warning

PostPosted: Fri Jan 20, 2012 15:34
by JSonic
I propose an 'Empty password warning'. If you'd leave password empty and connect then server would complain about that.
There could be also config file options like warn_empty_password and/or allow_empty_password.
What do you think?

PostPosted: Fri Jan 20, 2012 16:14
by redcrab
+100000 ... Hackers loves empty password
I vote for an option : forbid empty password + strong password with a regex/simple rule (min length, special character, digits etc..)

PostPosted: Fri Jan 20, 2012 20:58
by sdzen
forbid empty passcode +1 dont mess with what people want their passwords dont want to add minetest to my list of infuriating logins -1

PostPosted: Sat Jan 21, 2012 20:03
by dannydark
sdzen wrote:forbid empty passcode +1 dont mess with what people want their passwords dont want to add minetest to my list of infuriating logins -1


I agree empty passwords shouldn't be allowed and I also agree with not forcing people into creating a strong password I tend to anyway but I don't agree with forcing them to do it (not for a game... websites/online banking etc are a different thing)

I also think though single player shouldn't require a password currently I just have mine empty as its silly to be asked for a password on single player, so If empty passwords are changed so that they are not allowed they shouldn't effect single player.

EDIT: Actually it would be nice to have the choice to require strong passwords in the server settings so that it can be optional on a per-server basis :D

PostPosted: Sun Jan 22, 2012 02:12
by bwog
dannydark wrote:EDIT: Actually it would be nice to have the choice to require strong passwords in the server settings so that it can be optional on a per-server basis :D

I hate the strong password things on websites, they always want you to have upper case, lower case, numbers AND punctuation. So unless this one is different, I'm totally against that idea.

PostPosted: Sun Jan 22, 2012 04:03
by RAPHAEL
I agree there should be a config settings for servers to disallow empty passwords.. but don't bother requiring strong passwords except maybe minimum of 6 characters.

PostPosted: Sun Jan 22, 2012 06:23
by JSonic
I don't like so much this strong password thing. People should be able to choose their passwords themselves. -1

PostPosted: Sun Jan 22, 2012 13:07
by Calinou
Same. Just make a warning if you have an empty password and make the warning pop every time you connect with an empty password (unless you connect to a local server).

PostPosted: Mon Jan 23, 2012 03:51
by XCalibur54
The main reason people have empty passwords is because they don't want to type in a password every time they join a server. It would help more if the client remembered the password. Of course, there should still be an empty password warning on the initial entry.

PostPosted: Mon Jan 23, 2012 07:58
by Jordach
XCalibur54 wrote:The main reason people have empty passwords is because they don't want to type in a password every time they join a server. It would help more if the client remembered the password. Of course, there should still be an empty password warning on the initial entry.


Yes, this would be good.

PostPosted: Tue Jan 24, 2012 23:58
by jn
(Not overly) quick and dirty server-side patch:
Code: Select all
commit 15d24d8b03003920dea15bd1f51dc6554ad6b30e
Author: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Date:   Wed Jan 25 00:43:32 2012 +0100

    server: disallow empty passwords (configurable)

diff --git a/src/defaultsettings.cpp b/src/defaultsettings.cpp
index 1e48183..f3e25ea 100644
--- a/src/defaultsettings.cpp
+++ b/src/defaultsettings.cpp
@@ -95,6 +95,7 @@ void set_default_settings(Settings *settings)
     settings->setDefault("default_privs", "build, shout");
     settings->setDefault("unlimited_player_transfer_distance", "true");
     settings->setDefault("enable_pvp", "true");
+    settings->setDefault("allow_empty_passwords", "false");
 
     settings->setDefault("profiler_print_interval", "0");
     settings->setDefault("enable_mapgen_debug_info", "false");
diff --git a/src/server.cpp b/src/server.cpp
index a0c8a00..101427b 100644
--- a/src/server.cpp
+++ b/src/server.cpp
@@ -2016,6 +2016,17 @@ void Server::ProcessData(u8 *data, u32 datasize, u16 peer_id)
         // Add player to auth manager
         if(m_authmanager.exists(playername) == false)
         {
+
+            // TODO: allow empty passwords in local games?
+            if(g_settings->getBool("allow_empty_passwords") == false &&
+                    password[0] == '\0')
+            {
+                infostream<<"Server: new player with empty password"<<std::endl;
+                SendAccessDenied(m_con, peer_id,
+                        L"Empty passwords are not allowed");
+                return;
+            }
+
             std::wstring default_password =
                 narrow_to_wide(g_settings->get("default_password"));
             std::string translated_default_password =

PostPosted: Wed Jan 25, 2012 18:05
by JSonic
jn wrote:(Not overly) quick and dirty server-side patch:

Can you tell how to apply this patch? I tried to copy the code and put it into a new file empty_pw.patch on my local minetest git folder. Then I run this command and that's what I get.
Code: Select all
$ git apply --check empty_pw.patch
fatal: corrupt patch at line 40

I have git version 1.7.0.4, OS is Puppy Linux. What is wrong?

PostPosted: Wed Jan 25, 2012 18:12
by dannydark
JSonic wrote:
jn wrote:(Not overly) quick and dirty server-side patch:

Can you tell how to apply this patch? I tried to copy the code and put it into a new file empty_pw.patch on my local minetest git folder. Then I run this command and that's what I get.
Code: Select all
$ git apply --check empty_pw.patch
fatal: corrupt patch at line 40

I have git version 1.7.0.4, OS is Puppy Linux. What is wrong?


Not sure whats wrong with the patch sorry (maybe wrong format? :S don't know), but you could just edit the server.cpp & defaultsettings.cpp files manually?

PostPosted: Wed Jan 25, 2012 18:15
by jn
The forum seems to corrupt tabulators (or it's Firefox). I uploaded the patch here: http://paste.opensuse.org/view/raw/23146175

PostPosted: Wed Jan 25, 2012 18:42
by JSonic
It doesn't help, I'll edit manually. Thank you. JSonic

PostPosted: Wed Jan 25, 2012 20:02
by redcrab
jn wrote:The forum seems to corrupt tabulators (or it's Firefox). I uploaded the patch here: http://paste.opensuse.org/view/raw/23146175


thx .. the patch is applied on redcrab staging server (minetest.suret.net port 30001) and works as explained in this topic.
-- already existing player with empty password still have their empty password accepted..
-- new player can't have empty password by default. :)

PostPosted: Mon Jan 30, 2012 17:11
by kahrl
Added it to the wiki patchsets page so it won't be forgotten.

PostPosted: Mon Jan 30, 2012 19:08
by jn
@kahrl: Thanks!

PostPosted: Sat Feb 11, 2012 20:17
by jn

PostPosted: Sat Feb 11, 2012 20:59
by dannydark


Nice work, although this patch shouldn't require people who just want to play locally (single player) to enter a password me thinks.

PostPosted: Sat Feb 11, 2012 21:37
by jn
dannydark wrote:Nice work, although this patch shouldn't require people who just want to play locally (single player) to enter a password me thinks.

It's not all that easy to decide. People might start a world in single player mode and then use it for a public server, although one could argue that admins should just take care of what they do. I changed it to allow the local player to have an empty password.

Version 2: http://repo.or.cz/w/minetest-c55/jn.git/shortlog/refs/heads/empty_pass_v2

It might be nice to have a client-side warning when locally starting a new player with an empty password.

PostPosted: Sat Feb 11, 2012 21:43
by dannydark
jn wrote:
dannydark wrote:Nice work, although this patch shouldn't require people who just want to play locally (single player) to enter a password me thinks.

It's not all that easy to decide. People might start a world in single player mode and then use it for a public server, although one could argue that admins should just take care of what they do. I changed it to allow the local player to have an empty password.

Version 2: http://repo.or.cz/w/minetest-c55/jn.git/shortlog/refs/heads/empty_pass_v2

It might be nice to have a client-side warning when locally starting a new player with an empty password.


Nice I've updated the wiki with the new link, with regards to people starting single player worlds then using them for a public server I would have thought they would have copied it out of the single player directory into the server folder for that, then all they should need todo is update there account to use a password. But like you said this is down to the admins to do this.

I personally keep a backup of my server world which I sometimes use for single player but just remove the auth file so that a new one can be made with no password ^_^

Re:

PostPosted: Sat Aug 06, 2016 01:06
by ParaklataChotou
redcrab wrote:+100000 ... Hackers loves empty password
I vote for an option : forbid empty password + strong password with a regex/simple rule (min length, special character, digits etc..)

In my case, I would like that the players of my server could join with no need of passwords. It's a creative server. I've seen that there are so many users trying to join in into my server, but they don't know how to type a password "trying to joine the server empty password". Well, how can I enable that users can access to my server with no need of password?

ip: baruman.myddns.me
port: 30001

Re: Re:

PostPosted: Sun Aug 07, 2016 09:58
by Krock
ParaklataChotou wrote:Well, how can I enable that users can access to my server with no need of password?

There was no older topic about this problem, right? (/ sarcasm)

Empty passwords are allowed by default. Revert the setting "disallow_empty_password" in the server's minetest.conf back to its default value:
Code: Select all
disallow_empty_password = false

Re: Re:

PostPosted: Sun Aug 07, 2016 14:11
by ParaklataChotou
Krock wrote:
ParaklataChotou wrote:Well, how can I enable that users can access to my server with no need of password?

There was no older topic about this problem, right? (/ sarcasm)

Empty passwords are allowed by default. Revert the setting "disallow_empty_password" in the server's minetest.conf back to its default value:
Code: Select all
disallow_empty_password = false

Thank you :)