[quake3] Re: cl_consoleHistory stores passwords in q3config.cfg

un dead q3urt.undead at gmail.com
Sat Mar 31 15:32:49 EDT 2007


On 3/31/07, Tim Angus <tim at ngus.net> wrote:
> On Sat, 31 Mar 2007 14:28:47 -0400 un wrote:
> > A lot of users aren't aware their q3config.cfg has the passwords.  To
> > them it's a file generated by quake that they don't worry about.
>
> A system specific generated file should not be being sent to anyone
> else. It's better to write config files separately for things like
> scripts or specific sets of key bindings.

But are new people going to do that?  I know a lot of people who
aren't very knowledgeable about configs.  They aren't newbies but they
would happily pass along configs to someone else.

I see people on forums regularly post their configs or send configs to
other people.  There's no intuition for most people that it could lead
to exposing your passwords.

> Regardless, the password systems in Q3 are hardly a pantheon of
> security. Passwords are input and broadcast in cleartext, they really
> don't hold very much value. Therefore it's really pretty questionable
> whether implementing special cases is sensible where it is only to
> protect information that is already insecure.

Hmm, I don't think this is the same class of insecurity.  True, the
passwords are broadcast in plain text, but you would have to sniff
their traffic in order to discover it.  In the cl_consoleHistory case,
all you need to do is send your q3config.  It seems innocent enough to
many users.

Anyway, I just wanted to bring it up and now I'll drop it. :)  I enjoy
the work you guys have done on ioquake3.  It's great.
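
A pre-share check for the risk discussed in this thread, as an added example that is not part of the original message or of ioquake3: it blanks `cl_consoleHistory` and any non-empty password cvar in a q3config.cfg-style file and flags other lines that appear to set a password. The sample config and its values are constructed, the real layout of the history string is not assumed (the whole value is dropped), and `sanitize_config` is a hypothetical helper name.

```python
import re

# Cvar lines as written to q3config.cfg: seta <name> "<value>"
CVAR_RE = re.compile(r'^(\s*set[aus]?\s+)(\S+)(\s+)"(.*)"\s*$', re.IGNORECASE)
# A password-setting command embedded in another line, e.g. inside a bind
EMBEDDED_RE = re.compile(r'password\s+[^\s";]', re.IGNORECASE)

# Constructed sample; the cl_consoleHistory value is illustrative only.
SAMPLE_CFG = '''// generated by quake, do not modify
bind F1 "rconpassword s3cret"
seta name "Player"
seta rconPassword "hunter2"
seta password ""
seta cl_consoleHistory "password hunter2 rconpassword hunter2"
seta sensitivity "5"
'''


def sanitize_config(text):
    """Return (cleaned_text, findings) for a q3config.cfg-style file.

    findings is a list of (line_number, cvar_name_or_dash, action).
    """
    cleaned, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CVAR_RE.match(line)
        if m:
            prefix, name, gap, value = m.groups()
            lname = name.lower()
            # Drop the whole history string and any stored password value.
            if value and (lname == "cl_consolehistory" or "password" in lname):
                findings.append((lineno, name, "value blanked"))
                line = f'{prefix}{name}{gap}""'
        elif EMBEDDED_RE.search(line):
            # Binds and scripts are left intact; a person has to decide.
            findings.append((lineno, "-", "review by hand"))
        cleaned.append(line)
    return "\n".join(cleaned) + "\n", findings


if __name__ == "__main__":
    out, found = sanitize_config(SAMPLE_CFG)
    for lineno, name, action in found:
        print(f"line {lineno}: {name}: {action}")
    print(out, end="")
```
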


