
Thread: Stop keeping save.dats on players computers

  1. #1
    Lesser Wizard
    Join Date
    Aug 2019
    Location
    Not Behind You
    Posts
    386

    Default Stop keeping save.dats on players computers

    The only way to hack a password is through save.dat. Stop storing it on our computers and the problem will be solved; the item duplicators, gem hacks, etc. will vanish.


    Growtopia is the only game that I've heard of that stores passwords on our computers. Legit, every other game I've played doesn't come close to this stupid design.
    Last edited by Vandaler; 05-21-2020 at 02:27 PM.

  2. #2
    Cursed
    Join Date
    Jan 2019
    Location
    de eart
    Posts
    3,387

    Default

    Please just use the token system already.

  3. #3
    Master Sorcerer dcArmy
    Join Date
    May 2017
    Location
    Indonesia
    Posts
    505

    Default

    Quote Originally Posted by Astigmatisme View Post
    Please just use the token system already.
    What about copying the whole GT folder itself? (Token gained...)

  4. #4
    Lesser Wizard
    Join Date
    Aug 2019
    Location
    Not Behind You
    Posts
    386

    Default

    Quote Originally Posted by Astigmatisme View Post
    Please just use the token system already.
    ?... What token system? Did you even read?

    - - - Updated - - -

    I'm not mad at Growtopia; I fully deserve to get hacked for not enabling AAP. However, I do think that keeping player passwords in their computer folder is not smart.

  5. #5
    Lesser Wizard
    Join Date
    Aug 2019
    Location
    Not Behind You
    Posts
    386

    Default

    Bump and edit..

    Removed the 'I got hacked' part because it's irrelevant to the suggestions box.

  6. #6
    Master Sorcerer GEN
    Join Date
    Nov 2015
    Location
    South East Asia
    Posts
    1,937

    Default

    Quote Originally Posted by Vandaler View Post
    The only way to hack a password is through save.dat. Stop storing it on our computers and the problem will be solved; the item duplicators, gem hacks, etc. will vanish.


    Growtopia is the only game that I've heard of that stores passwords on our computers. Legit, every other game I've played doesn't come close to this stupid design.
    Then you must type your username and password again every time you want to play. If you want it that way, then OK.


    How do you think you are able to auto-login to Steam/Origin/Google Chrome/YouTube/Spotify/or even this forum?

  7. #7
    Lesser Wizard
    Join Date
    Aug 2019
    Location
    Not Behind You
    Posts
    386

    Default

    Quote Originally Posted by GEN View Post
    Then you must type your username and password again every time you want to play. If you want it that way, then OK.


    How do you think you are able to auto-login to Steam/Origin/Google Chrome/YouTube/Spotify/or even this forum?
    And do Steam, Google, etc. store passwords on your computer where they're easily accessible? Of course not, or else everyone would be getting hacked.

    And typing your username and password after each login wouldn't sound so bad if it meant no more people getting hacked.

  8. #8
    Master Sorcerer dcArmy
    Join Date
    May 2017
    Location
    Indonesia
    Posts
    505

    Default

    Oh, I thought the token was stored in the client. If it is stored on the server, maybe it's safer... but I dunno.

  9. #9
    Cursed
    Join Date
    Jan 2019
    Location
    de eart
    Posts
    3,387

    Default

    Quote Originally Posted by Vandaler View Post
    ?... What token system? Did you even read?

    - - - Updated - - -

    I'm not mad at Growtopia; I fully deserve to get hacked for not enabling AAP. However, I do think that keeping player passwords in their computer folder is not smart.
    It was kind of a suggestion.

    Most apps use something called an "Authorization Token" or something along those lines. Basically, the first time you log in, you send your personal info (username and password) to the server. Then the server gives you a long string of text known as a token. The next time you log in, you just need to send the token itself, and the server automatically lets you in. If the token is incorrect, you won't be logged in, and you need to enter your username and password again. Do note that most of the time, the token itself is heavily encrypted by both the server and the client, and each client has its own encryption method, which is obfuscated deep within the code (the server could also have a unique encryption method for every token to make it safer). So stealing the token itself is not enough, as you need to somehow extract and figure out the encryption method.

    For most apps, this works fine. But there are still some cases where the token manages to get stolen and decrypted. To counter this, some apps hide extra data in their token, such as location, IP, device name, model, ID, and other open information that's unique to each device. This way, when someone sends a token to the server, the server then reads your device info and compares it to the token. If the token matches, then you're free to go. If it doesn't, the server knows that someone is trying to impersonate you.

    Note that if you're logged in on several devices, each device has its own unique token, and the server can assign your account to several tokens.

    This way, the computer itself (the client) never stores your password, which is already significantly more secure. Almost every phishing site will automatically break (except for the ones that actively ask for your password), and every save.dat stealer becomes redundant, because you now need to extract the token, reverse-engineer both the client encryption (which is unique for each client) and the server encryption (which is basically just brute-forcing), and somehow tamper with your device to match the extra data inside the token (which I doubt complies with any TOS/EULA, so it's automatically out of the question).
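    The server side of the token flow described in the post above, written out as an added example. It is not code from this thread, from the poster, or from Growtopia; the user records, device fields, PBKDF2 iteration count and 30-day lifetime are assumed values for illustration. The design choice here is an opaque random token rather than an encrypted one: the server keeps only a SHA-256 of each issued token, so neither a leaked token table nor a client-side "encryption method" has to be protected, and the device binding, per-device tokens and revoke-on-mismatch behaviour from the post are all implemented on the server.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters for this example (not a real game's values).
PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 30 * 24 * 3600   # a token stops working after 30 days


@dataclass
class TokenRecord:
    account: str
    device_fp: str      # SHA-256 over the device info the client sent at login
    expires_at: float


class AuthServer:
    """Server-side state: salted password hashes and the tokens it has issued."""

    def __init__(self):
        self.users = {}    # username -> (salt, pbkdf2 hash)
        self.tokens = {}   # sha256(token) -> TokenRecord; raw tokens are never stored

    # --- passwords: only ever seen at registration and at first login ---
    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash_password(password, salt))

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _check_password(self, username, password):
        salt, stored = self.users.get(username, (b"\0" * 16, None))
        candidate = self._hash_password(password, salt)   # hash even for unknown users
        return stored is not None and hmac.compare_digest(candidate, stored)

    # --- device binding: the client's device info hashed into one value ---
    @staticmethod
    def _fingerprint(device_info):
        canonical = "|".join(f"{k}={device_info[k]}" for k in sorted(device_info))
        return hashlib.sha256(canonical.encode()).hexdigest()

    @staticmethod
    def _token_id(token):
        # A stolen copy of the server's token table is useless without the raw tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password, device_info, now=None):
        """First login on a device: password check, then issue a fresh opaque token."""
        if not self._check_password(username, password):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # 256 random bits: cannot be guessed
        self.tokens[self._token_id(token)] = TokenRecord(
            username, self._fingerprint(device_info), now + TOKEN_TTL_SECONDS)
        return token

    def resume(self, token, device_info, now=None):
        """Later logins: the client sends only the token. Returns the account or None."""
        tid = self._token_id(token)
        rec = self.tokens.get(tid)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if now > rec.expires_at:
            del self.tokens[tid]
            return None
        if not hmac.compare_digest(rec.device_fp, self._fingerprint(device_info)):
            # Same token from a different device looks like theft: revoke it, so the
            # legitimate owner has to log in with the password again.
            del self.tokens[tid]
            return None
        return rec.account

    def active_devices(self, username):
        """Each device holds its own token; one account can have several."""
        return sum(1 for r in self.tokens.values() if r.account == username)

    def logout_everywhere(self, username):
        """Revoke every token for the account, e.g. after a password change."""
        for tid in [t for t, r in self.tokens.items() if r.account == username]:
            del self.tokens[tid]


def demo():
    """Walk through the flow with constructed sample data; returns what the server answered."""
    srv = AuthServer()
    srv.register("vandaler", "correct horse battery staple")
    pc = {"device_id": "pc-0001", "model": "desktop"}        # constructed device info
    phone = {"device_id": "ph-0002", "model": "android"}

    token_pc = srv.login("vandaler", "correct horse battery staple", pc)
    token_phone = srv.login("vandaler", "correct horse battery staple", phone)
    return {
        "wrong_password": srv.login("vandaler", "hunter2", pc),
        "resume_pc": srv.resume(token_pc, pc),
        "devices": srv.active_devices("vandaler"),
        # the "save.dat stealer" case: the PC's token replayed from another machine
        "stolen_token": srv.resume(token_pc, {"device_id": "evil", "model": "desktop"}),
        "pc_after_theft": srv.resume(token_pc, pc),
        "phone_still_ok": srv.resume(token_phone, phone),
        "expired": srv.resume(token_phone, phone, now=time.time() + TOKEN_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Two caveats on this example's own design: the device fingerprint only raises the bar, since a thief who copies the whole game folder from a machine they control can also copy or spoof the device fields, which is why the token is revoked on mismatch and why a server-side "log out everywhere" exists; and the token must still be treated as a secret by the client (file permissions, OS keychain where available), because whoever holds a valid token and matching device data is the account until it expires or is revoked.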

  10. #10
    Lesser Wizard
    Join Date
    Aug 2019
    Location
    Not Behind You
    Posts
    386

    Default

    Quote Originally Posted by Astigmatisme View Post
    It was kind of a suggestion.

    Most apps use something called an "Authorization Token" or something along those lines. Basically, the first time you log in, you send your personal info (username and password) to the server. Then the server gives you a long string of text known as a token. The next time you log in, you just need to send the token itself, and the server automatically lets you in. If the token is incorrect, you won't be logged in, and you need to enter your username and password again. Do note that most of the time, the token itself is heavily encrypted by both the server and the client, and each client has its own encryption method, which is obfuscated deep within the code (the server could also have a unique encryption method for every token to make it safer). So stealing the token itself is not enough, as you need to somehow extract and figure out the encryption method.

    For most apps, this works fine. But there are still some cases where the token manages to get stolen and decrypted. To counter this, some apps hide extra data in their token, such as location, IP, device name, model, ID, and other open information that's unique to each device. This way, when someone sends a token to the server, the server then reads your device info and compares it to the token. If the token matches, then you're free to go. If it doesn't, the server knows that someone is trying to impersonate you.

    Note that if you're logged in on several devices, each device has its own unique token, and the server can assign your account to several tokens.

    This way, the computer itself (the client) never stores your password, which is already significantly more secure. Almost every phishing site will automatically break (except for the ones that actively ask for your password), and every save.dat stealer becomes redundant, because you now need to extract the token, reverse-engineer both the client encryption (which is unique for each client) and the server encryption (which is basically just brute-forcing), and somehow tamper with your device to match the extra data inside the token (which I doubt complies with any TOS/EULA, so it's automatically out of the question).
    Thank you for explaining; Growtopia could use something like this 100%!
