WHAT’S ALAN DOING NOW?
by Hazed
We asked Alan what he was working on at the moment. Here’s what he said:
Well there’s work that goes on in the background in Fed. Work that is important but the players don’t see any difference when they play the game. For instance, players may not realise that we don’t actually store their passwords on the Fed server. What we do is to generate a unique number, which is called a ‘hash’, and store that number. The mathematical function that generates that number is such that even if you know the hash there is no way to get back to the text that generated it. So even if the file with the hashes in was stolen, it wouldn’t help.
However, I wrote that code a long time ago – over 15 years ago, I’d guess, and at the time I used the best hash function available – MD5. But a lot of water has passed under the bridge since then, and there are new and more secure hashing methods available. So, at the moment, I’m writing code to use the latest hashing method (SHA-3 512, in case you were wondering).
Actually, that’s not strictly true. I’m using a highly respected library to generate the hash, but I have to do a lot of other things to make it work and to avoid it impinging on players. For a start, when a player logs on for the first time after we start using SHA-3 I have to first check the password using the original MD5 hash. Assuming that’s OK, I then have to generate a new SHA-3 hash and store that, after which I need to delete the old MD5 hash. But before the SHA-3 hash goes live I have to make a change to the player record, because the new hash is bigger than the old one. And, if I get all this right – the players will never know!
Incidentally, I have been asked in the past why we go to all this trouble when we don’t take in any money via the game or the website. Well apart from making it more difficult for other people to access your character in the game if we get broken into, there is that fact that nearly all of you out there – not just our players – are naughty when it comes to passwords, and you re-use passwords for different services. Thus if we got ripped off, and we didn’t look after your passwords, it could compromise your account on sites that do involve financial transactions...
And anyway, it’s the right thing to do!
Alan
