Empty password warning

Post Reply
User avatar
JSonic
Member
Posts: 68
Joined: Fri Jan 13, 2012 17:48
Location: Suomi Finland
Contact:

Empty password warning

by JSonic » Post

I propose an 'Empty password warning'. If you'd leave password empty and connect then server would complain about that.
There could be also config file options like warn_empty_password and/or allow_empty_password.
What do you think?
Stairs are cool!
Minetest-c55 for Puppy Linux
Minetest-c55 PPA: daily, stable

User avatar
redcrab
Member
Posts: 833
Joined: Tue Dec 13, 2011 13:45
Location: France
Contact:

by redcrab » Post

+100000 ... Hackers loves empty password
I vote for an option : forbid empty password + strong password with a regex/simple rule (min length, special character, digits etc..)
Last edited by redcrab on Fri Jan 20, 2012 17:07, edited 1 time in total.
0.4 for serious builder click here
Dedicated Minetest redcrab server forum at http://minetestbb.suret.net

It's nice to be important but it is more important to be nice.

User avatar
sdzen
Member
Posts: 1170
Joined: Fri Aug 05, 2011 22:33
Location: Paradise (your not allowed)

by sdzen » Post

forbid empty passcode +1 dont mess with what people want their passwords dont want to add minetest to my list of infuriating logins -1
Last edited by sdzen on Fri Jan 20, 2012 20:59, edited 1 time in total.

Zen S.D.

The next generation of tranquility!
malheureusement mon français n'est pas bon :<
Owner of the Zelo's
In game name: MuadTralk, spdtainted, sdzen, sd zen, sdzeno

User avatar
dannydark
Member
Posts: 428
Joined: Fri Aug 12, 2011 21:28
Location: Manchester, UK

by dannydark » Post

sdzen wrote:forbid empty passcode +1 dont mess with what people want their passwords dont want to add minetest to my list of infuriating logins -1
I agree empty passwords shouldn't be allowed and I also agree with not forcing people into creating a strong password I tend to anyway but I don't agree with forcing them to do it (not for a game... websites/online banking etc are a different thing)

I also think though single player shouldn't require a password currently I just have mine empty as its silly to be asked for a password on single player, so If empty passwords are changed so that they are not allowed they shouldn't effect single player.

EDIT: Actually it would be nice to have the choice to require strong passwords in the server settings so that it can be optional on a per-server basis :D
Last edited by dannydark on Sat Jan 21, 2012 20:04, edited 1 time in total.

bwog
Member
Posts: 283
Joined: Wed Nov 30, 2011 14:09
Location: United States
Contact:

by bwog » Post

dannydark wrote: EDIT: Actually it would be nice to have the choice to require strong passwords in the server settings so that it can be optional on a per-server basis :D
I hate the strong password things on websites, they always want you to have upper case, lower case, numbers AND punctuation. So unless this one is different, I'm totally against that idea.

User avatar
RAPHAEL
Member
Posts: 627
Joined: Tue Nov 01, 2011 09:09
Location: Earth

by RAPHAEL » Post

I agree there should be a config settings for servers to disallow empty passwords.. but don't bother requiring strong passwords except maybe minimum of 6 characters.
"Before you speak, ask yourself: Is it kind, is it true, is it necessary, does it improve upon the silence?"
My mods: http://goo.gl/n4kpn
(Currently Various, Industrial, Fakeblocks, Jail, MoarCraft, Christmas, Replicator, minetest dev installer for linux, bash mod installer, windows mod installer)

User avatar
JSonic
Member
Posts: 68
Joined: Fri Jan 13, 2012 17:48
Location: Suomi Finland
Contact:

by JSonic » Post

I don't like so much this strong password thing. People should be able to choose their passwords themselves. -1
Stairs are cool!
Minetest-c55 for Puppy Linux
Minetest-c55 PPA: daily, stable

User avatar
Calinou
Moderator
Posts: 3169
Joined: Mon Aug 01, 2011 14:26
GitHub: Calinou
IRC: Calinou
In-game: Calinou
Location: Troyes, France
Contact:

by Calinou » Post

Same. Just make a warning if you have an empty password and make the warning pop every time you connect with an empty password (unless you connect to a local server).

XCalibur54
Member
Posts: 51
Joined: Mon Oct 24, 2011 01:29

by XCalibur54 » Post

The main reason people have empty passwords is because they don't want to type in a password every time they join a server. It would help more if the client remembered the password. Of course, there should still be an empty password warning on the initial entry.
Moderator of redcrab's 0.4 server: http://c55.me/minetest/forum/viewtopic.php?id=606

Jordach
Member
Posts: 4534
Joined: Mon Oct 03, 2011 17:58
GitHub: Jordach
IRC: Jordach
In-game: Jordach
Location: Blender Scene

by Jordach » Post

XCalibur54 wrote:The main reason people have empty passwords is because they don't want to type in a password every time they join a server. It would help more if the client remembered the password. Of course, there should still be an empty password warning on the initial entry.
Yes, this would be good.

jn
Member
Posts: 106
Joined: Tue Jan 03, 2012 19:15

by jn » Post

(Not overly) quick and dirty server-side patch:

Code: Select all

commit 15d24d8b03003920dea15bd1f51dc6554ad6b30e
Author: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Date:   Wed Jan 25 00:43:32 2012 +0100

    server: disallow empty passwords (configurable)

diff --git a/src/defaultsettings.cpp b/src/defaultsettings.cpp
index 1e48183..f3e25ea 100644
--- a/src/defaultsettings.cpp
+++ b/src/defaultsettings.cpp
@@ -95,6 +95,7 @@ void set_default_settings(Settings *settings)
     settings->setDefault("default_privs", "build, shout");
     settings->setDefault("unlimited_player_transfer_distance", "true");
     settings->setDefault("enable_pvp", "true");
+    settings->setDefault("allow_empty_passwords", "false");
 
     settings->setDefault("profiler_print_interval", "0");
     settings->setDefault("enable_mapgen_debug_info", "false");
diff --git a/src/server.cpp b/src/server.cpp
index a0c8a00..101427b 100644
--- a/src/server.cpp
+++ b/src/server.cpp
@@ -2016,6 +2016,17 @@ void Server::ProcessData(u8 *data, u32 datasize, u16 peer_id)
         // Add player to auth manager
         if(m_authmanager.exists(playername) == false)
         {
+
+            // TODO: allow empty passwords in local games?
+            if(g_settings->getBool("allow_empty_passwords") == false &&
+                    password[0] == '\0')
+            {
+                infostream<<"Server: new player with empty password"<<std::endl;
+                SendAccessDenied(m_con, peer_id,
+                        L"Empty passwords are not allowed");
+                return;
+            }
+
             std::wstring default_password =
                 narrow_to_wide(g_settings->get("default_password"));
             std::string translated_default_password =

User avatar
JSonic
Member
Posts: 68
Joined: Fri Jan 13, 2012 17:48
Location: Suomi Finland
Contact:

by JSonic » Post

jn wrote:(Not overly) quick and dirty server-side patch:
Can you tell how to apply this patch? I tried to copy the code and put it into a new file empty_pw.patch on my local minetest git folder. Then I run this command and that's what I get.

Code: Select all

$ git apply --check empty_pw.patch
fatal: corrupt patch at line 40
I have git version 1.7.0.4, OS is Puppy Linux. What is wrong?
Stairs are cool!
Minetest-c55 for Puppy Linux
Minetest-c55 PPA: daily, stable

User avatar
dannydark
Member
Posts: 428
Joined: Fri Aug 12, 2011 21:28
Location: Manchester, UK

by dannydark » Post

JSonic wrote:
jn wrote:(Not overly) quick and dirty server-side patch:
Can you tell how to apply this patch? I tried to copy the code and put it into a new file empty_pw.patch on my local minetest git folder. Then I run this command and that's what I get.

Code: Select all

$ git apply --check empty_pw.patch
fatal: corrupt patch at line 40
I have git version 1.7.0.4, OS is Puppy Linux. What is wrong?
Not sure whats wrong with the patch sorry (maybe wrong format? :S don't know), but you could just edit the server.cpp & defaultsettings.cpp files manually?

jn
Member
Posts: 106
Joined: Tue Jan 03, 2012 19:15

by jn » Post

The forum seems to corrupt tabulators (or it's Firefox). I uploaded the patch here: http://paste.opensuse.org/view/raw/23146175

User avatar
JSonic
Member
Posts: 68
Joined: Fri Jan 13, 2012 17:48
Location: Suomi Finland
Contact:

by JSonic » Post

It doesn't help, I'll edit manually. Thank you. JSonic
Last edited by JSonic on Wed Jan 25, 2012 21:30, edited 1 time in total.
Stairs are cool!
Minetest-c55 for Puppy Linux
Minetest-c55 PPA: daily, stable

User avatar
redcrab
Member
Posts: 833
Joined: Tue Dec 13, 2011 13:45
Location: France
Contact:

by redcrab » Post

jn wrote:The forum seems to corrupt tabulators (or it's Firefox). I uploaded the patch here: http://paste.opensuse.org/view/raw/23146175
thx .. the patch is applied on redcrab staging server (minetest.suret.net port 30001) and works as explained in this topic.
-- already existing player with empty password still have their empty password accepted..
-- new player can't have empty password by default. :)
Last edited by redcrab on Wed Jan 25, 2012 20:03, edited 1 time in total.
0.4 for serious builder click here
Dedicated Minetest redcrab server forum at http://minetestbb.suret.net

It's nice to be important but it is more important to be nice.

kahrl
Member
Posts: 236
Joined: Fri Sep 02, 2011 07:51
Location: Rös̓̇chenhof

by kahrl » Post

Added it to the wiki patchsets page so it won't be forgotten.

jn
Member
Posts: 106
Joined: Tue Jan 03, 2012 19:15

by jn » Post

@kahrl: Thanks!

jn
Member
Posts: 106
Joined: Tue Jan 03, 2012 19:15

by jn » Post

My patch is now available via git at http://repo.or.cz/w/minetest-c55/jn.git ... empty_pass

User avatar
dannydark
Member
Posts: 428
Joined: Fri Aug 12, 2011 21:28
Location: Manchester, UK

by dannydark » Post

jn wrote:My patch is now available via git at http://repo.or.cz/w/minetest-c55/jn.git ... empty_pass
Nice work, although this patch shouldn't require people who just want to play locally (single player) to enter a password me thinks.

jn
Member
Posts: 106
Joined: Tue Jan 03, 2012 19:15

by jn » Post

dannydark wrote:Nice work, although this patch shouldn't require people who just want to play locally (single player) to enter a password me thinks.
It's not all that easy to decide. People might start a world in single player mode and then use it for a public server, although one could argue that admins should just take care of what they do. I changed it to allow the local player to have an empty password.

Version 2: http://repo.or.cz/w/minetest-c55/jn.git ... ty_pass_v2

It might be nice to have a client-side warning when locally starting a new player with an empty password.

User avatar
dannydark
Member
Posts: 428
Joined: Fri Aug 12, 2011 21:28
Location: Manchester, UK

by dannydark » Post

jn wrote:
dannydark wrote:Nice work, although this patch shouldn't require people who just want to play locally (single player) to enter a password me thinks.
It's not all that easy to decide. People might start a world in single player mode and then use it for a public server, although one could argue that admins should just take care of what they do. I changed it to allow the local player to have an empty password.

Version 2: http://repo.or.cz/w/minetest-c55/jn.git ... ty_pass_v2

It might be nice to have a client-side warning when locally starting a new player with an empty password.
Nice I've updated the wiki with the new link, with regards to people starting single player worlds then using them for a public server I would have thought they would have copied it out of the single player directory into the server folder for that, then all they should need todo is update there account to use a password. But like you said this is down to the admins to do this.

I personally keep a backup of my server world which I sometimes use for single player but just remove the auth file so that a new one can be made with no password ^_^
Last edited by dannydark on Sat Feb 11, 2012 21:44, edited 1 time in total.

User avatar
ParaklataChotou
Member
Posts: 209
Joined: Sat Jun 18, 2016 17:09
GitHub: paraklatachotou
IRC: CareBearWhoCares
In-game: AutistCortana

Re:

by ParaklataChotou » Post

redcrab wrote:+100000 ... Hackers loves empty password
I vote for an option : forbid empty password + strong password with a regex/simple rule (min length, special character, digits etc..)
In my case, I would like that the players of my server could join with no need of passwords. It's a creative server. I've seen that there are so many users trying to join in into my server, but they don't know how to type a password "trying to joine the server empty password". Well, how can I enable that users can access to my server with no need of password?

ip: baruman.myddns.me
port: 30001
Visit my server: freextress.ddnsking.com 30002 . mobs, npcs, interesting places, pvp.

User avatar
Krock
Developer
Posts: 4649
Joined: Thu Oct 03, 2013 07:48
GitHub: SmallJoker
Location: Switzerland
Contact:

Re: Re:

by Krock » Post

ParaklataChotou wrote:Well, how can I enable that users can access to my server with no need of password?
There was no older topic about this problem, right? (/ sarcasm)

Empty passwords are allowed by default. Revert the setting "disallow_empty_password" in the server's minetest.conf back to its default value:

Code: Select all

disallow_empty_password = false
Look, I programmed a bug for you. >> Mod Search Engine << - Mods by Krock - DuckDuckGo mod search bang: !mtmod <keyword here>

User avatar
ParaklataChotou
Member
Posts: 209
Joined: Sat Jun 18, 2016 17:09
GitHub: paraklatachotou
IRC: CareBearWhoCares
In-game: AutistCortana

Re: Re:

by ParaklataChotou » Post

Krock wrote:
ParaklataChotou wrote:Well, how can I enable that users can access to my server with no need of password?
There was no older topic about this problem, right? (/ sarcasm)

Empty passwords are allowed by default. Revert the setting "disallow_empty_password" in the server's minetest.conf back to its default value:

Code: Select all

disallow_empty_password = false
Thank you :)
Visit my server: freextress.ddnsking.com 30002 . mobs, npcs, interesting places, pvp.

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests