Well, I decided that, as part of the release, there could and should be encryption for the logins. I have been holding off on this for a while because I didn't see it as necessary, but for admins hosting the server at the very least this will be handy. The new implementation is on the test server, and the client will be available via CVS to check out if you are curious. I am working on plaintext backwards compatibility so that newer clients can still interact with older-version servers.
Encryption works something like this:
- Logging into the server, the server provides you with a timeKey: the timeKey is just the date in milliseconds.
- The client sends md5(timeKey + md5(password)).
- The server authenticates the sent hash using the timeKey and the md5 of the password it has in its password cache.
This ensures that, upon login, it would be extremely hard to recover the MD5 of the password from the outer MD5 hash even with the right timeKey, and administrators will never know your password.
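The exchange described above, written out as an added example (not the project's own client or server code); it assumes the timeKey travels as the decimal millisecond string and that md5(password) is concatenated as its lowercase hex digest, neither of which the post specifies:

```python
import hashlib
import hmac
import time


def md5_hex(data):
    """Hex digest of MD5 over the UTF-8 bytes of a string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def issue_time_key(now_ms=None):
    """Server side: the timeKey is the current date in milliseconds.
    Assumption: it is sent to the client as a decimal string."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return str(now_ms)


def client_response(time_key, password):
    """Client side: md5(timeKey + md5(password)).
    The password itself never leaves the client; only the outer hash is sent."""
    return md5_hex(time_key + md5_hex(password))


class PasswordCache:
    """Server side: holds only md5(password) per user, as the post describes.
    Note that this stored value is all the server needs to verify a login, so
    the cache must be protected as carefully as the passwords themselves."""

    def __init__(self):
        self._cache = {}

    def add_user(self, user, password):
        self._cache[user] = md5_hex(password)

    def authenticate(self, user, time_key, response):
        stored = self._cache.get(user)
        if stored is None:
            return False
        expected = md5_hex(time_key + stored)
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo: one user, one login round trip.
    cache = PasswordCache()
    cache.add_user("alice", "correct horse")
    tk = issue_time_key()
    print("login ok:", cache.authenticate("alice", tk, client_response(tk, "correct horse")))
```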