Don't store passwords as plaintext in wallet.dat

Discussion in 'Simulator Suggestions' started by Knots the Notorious, Aug 6, 2014.

Thread Status:
Not open for further replies.
  1. Knots the Notorious

    Knots the Notorious aka Gary Oak from HC

    Joined:
    Apr 24, 2010
    Messages:
    69
    Likes Received:
    6
    PO Trainer Name:
    Gary Oak
    Right now, PO stores all saved user passwords as plaintext in wallet.dat located at C:\Users\%USERPROFILE%\AppData\Local\Dreambelievers\pokemon-online\

    Seems like this behavior is undesirable and puts PO users at unnecessary risk.
     
  2. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
    I don't think this is possible as the client doesn't know the salt until the server sends it during the authentication phase.

    Assuming the salt stays the same could work, but of course that's not always true.
     
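    A small model of the salt problem described in the post above, added here as an illustration; it is not Pokemon Online's code or its real protocol. The hash (PBKDF2-HMAC-SHA256), the wire shape (client answers with a value derived from the server-issued salt) and the cache layout are all assumptions. It shows why a client can only cache the derived value, rather than the plaintext, when the server keeps sending the same salt, and that whatever the client caches is still enough to log in for anyone who copies the file.

```python
"""Toy model of 'the client does not know the salt until the server sends it'.

Added example, not Pokemon Online's real client or server code. The KDF, the
message shape and the cache format are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumed; the real client may do something else


def derive_response(password: str, salt: bytes) -> bytes:
    """Client side: what the client would send instead of the plaintext password.

    Needs the salt, so it can only be computed once the server has sent it.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def server_verify(stored_verifier: bytes, response: bytes) -> bool:
    """Server side: constant-time comparison against the verifier stored at registration."""
    return hmac.compare_digest(stored_verifier, response)


class WalletEntry:
    """What a client could cache instead of the plaintext (assumed wallet layout).

    Keeps the salt the value was derived under together with the derived value.
    It can only answer a login if the server sends that same salt again.
    """

    def __init__(self, salt: bytes, derived: bytes):
        self.salt = salt
        self.derived = derived

    def response_for(self, server_salt: bytes):
        if hmac.compare_digest(self.salt, server_salt):
            return self.derived
        return None  # salt changed: the plaintext would be needed to re-derive


def login_with_cache(entry: WalletEntry, server_salt: bytes, stored_verifier: bytes) -> bool:
    """Full exchange: server issues salt, client answers from its cache, server checks."""
    response = entry.response_for(server_salt)
    if response is None:
        return False
    return server_verify(stored_verifier, response)


def demo():
    """Returns (login_ok_with_stable_salt, login_ok_after_salt_change, login_ok_for_thief)."""
    password = "hunter2"                 # constructed sample credential
    stable_salt = b"fixed-account-salt"  # constructed: server keeps this salt for the account
    verifier = derive_response(password, stable_salt)  # what the server stored at registration

    # Client caches the derived value instead of the plaintext.
    entry = WalletEntry(stable_salt, derive_response(password, stable_salt))

    # 1. Server sends the same salt as before: the cache is enough.
    ok_stable = login_with_cache(entry, stable_salt, verifier)

    # 2. Server now uses a different salt (new verifier derived from the same password,
    #    e.g. after a reset). The cache cannot answer; only the plaintext could.
    new_salt = secrets.token_bytes(16)
    new_verifier = derive_response(password, new_salt)
    ok_rotated = login_with_cache(entry, new_salt, new_verifier)

    # 3. Anyone who copies the cache file can replay it against the stable-salt server:
    #    the cached value is as good as the password for that server.
    stolen = WalletEntry(entry.salt, entry.derived)
    ok_thief = login_with_cache(stolen, stable_salt, verifier)

    return ok_stable, ok_rotated, ok_thief


if __name__ == "__main__":
    print(demo())
```

    Caching the derived value removes the plaintext from disk, which matters if the same password is reused elsewhere, but under this kind of scheme the cached value still logs in on the server that issued the salt, so the file stays sensitive either way.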
  3. Crystal Moogle

    Crystal Moogle Ayaya~ Administrator

    Joined:
    Jul 19, 2010
    Messages:
    3,205
    Likes Received:
    531
    PO Trainer Name:
    Hanako
    If something already has access to that file, I'd say the user already has a lot more at stake than just a PO account...
     
  4. Khristophoros

    Khristophoros New Member

    Joined:
    Jul 12, 2014
    Messages:
    12
    Likes Received:
    1
    The only way an attacker can access that file is if the user has a virus. However, it wouldn't be designed to target that file because it can just keylog the user when they try to log in to an account of value such as a bank account or email account. There would be no need for the attacker to look at the PO file.

    Even so, it is good practice to use a junk password for low-value accounts such as a PO account. The server also has the login info, so in the event that the server is hacked and the login info is stolen, the attackers will try that login info on higher value places such as banks, email accounts, or MMO accounts (because they can steal in-game currency and sell it to players).

    This file on your computer has no actual impact on your overall security. It will never be targeted by an attacker.

    For good security, get an email address that has secondary authentication, such as a Gmail account, and set it up to text your phone with a random security code if an unrecognized IP address tries to access it. Then use this email address for account recovery and secondary authentication on accounts that support secondary email authentication. Also, use a unique password for each account of high value, and use a general junk password for everything else. Your junk password will inevitably be obtained by hackers, but it won't be of use to them. The worst they will do is use a hijacked social media account to send out spam.
     