plaintext password in game.prefs?

Line 7 of the game.prefs file that Demigod installs includes your user password for Demigod, in plain text.

As a (somewhat minor) software developer myself, this appears to be one of the biggest security risks I've ever seen. To make it worse, the actual line 7 says:

    ImpulsePassword = 'myPassword',

meaning that any kind of utility searching for 'password' comes up with it, and then it even goes ahead and tells that sniffer what the password is for.

The argument can be made that 'hey it's just the Impulse password, nothing major'. However this is a well-known bag of hooey. A large number of users use the same or similar login/password combinations for their various accounts, and so knowing one of them can unlock numerous others.

Even worse is that this is a password to a service that Demigod isn't the owner of. Impulse is owned by one company, DG by the other. Yet here they are ruining the security system of Impulse just to take the 'easy way out' in remembering a user's login.

329 views 3 replies
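A defender-side check for the issue described in the post above, as an added example that is not part of the original thread or of Demigod's code: it scans prefs text for `Key = 'value',` assignments whose key name looks like a credential and reports them with the value redacted. The sample file contents, every key other than `ImpulsePassword`, and the key-name pattern are assumptions constructed for illustration.

```python
import re

# Key names that suggest a stored secret (assumed list for this example).
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token", re.IGNORECASE)

# One quoted assignment: Name = 'value' or Name = "value", with an optional
# trailing comma and an optional trailing "--" comment.
ASSIGN = re.compile(
    r"""^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<q>['"])(?P<val>.*?)(?P=q)\s*,?\s*(--.*)?$"""
)

def audit_prefs(text):
    """Return (line_number, key, '<redacted>') for each stored secret-like literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("--"):      # whole-line comment, not live config
            continue
        m = ASSIGN.match(line)
        if not m or not SECRET_KEY.search(m.group("key")):
            continue
        if not m.group("val"):                  # empty string: nothing is stored
            continue
        # Never echo the value itself into audit output or logs.
        findings.append((lineno, m.group("key"), "<redacted>"))
    return findings

# Constructed sample: only the ImpulsePassword line (line 7) comes from the post.
SAMPLE = """\
options = {
    fullscreen = 'true',
    volume = 80,
    -- password = 'commented out',
    ImpulseUser = 'someone@example.com',
    SavedToken = '',
            ImpulsePassword = 'myPassword',
}
"""

if __name__ == "__main__":
    for lineno, key, value in audit_prefs(SAMPLE):
        print(f"line {lineno}: {key} = {value}  (plaintext credential on disk)")
```

A hit from a check like this means the credential should be rotated and the "remember me" feature moved to an OS-protected credential store or a revocable session token instead of the account password.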
Reply #1

We are aware and have requested that GPG fix this.

Reply #3

Quoting n3crosys, reply 2
Kind of begs the question, why would GPG include it in the first place?
End of n3crosys's quote

Because we kept asking during the beta to have a remember password option on login (used to have to type it all in each time). That was before any of the Impulse stuff was coming around, so they probably didn't realize it's the master Impulse account password.