[quake3] Re: cl_consoleHistory stores passwords in q3config.cfg

Erik Kloppenburg kloppenburg at snt.utwente.nl
Sat Mar 31 15:26:19 EDT 2007


Tim Angus wrote:
> A system specific generated file should not be being sent to anyone
> else. It's better to write config files separately for things like
> scripts or specific sets of key bindings.

In the entire Quake 3 community it is very common practice to share 
configs with each other. 'Normal' users don't think about what 
consequences this can have and usually it has none. The risk of 
something happening is much higher thanks to this console history.

Even if you think people shouldn't do it, it's still the reality that 
they do and it would be wise to take this into account.

> Regardless, the password systems in Q3 are hardly a pantheon of
> security. Passwords are input and broadcast in cleartext, they really
> don't hold very much value. Therefore it's really pretty questionable
> whether implementing special cases is sensible where it is only to
> protect information that is already insecure.

As I said: config sharing is a very common happening. Sniffing someone's 
packets is an entirely different area.



More information about the quake3 mailing list