This repository was archived by the owner on May 28, 2023. It is now read-only.

Application based password #33

@McTwist

This is not a big concern, but something to strive toward.

An application based password, also called app-password, is used to avoid giving out your password to third-party applications but still give them access to the account. This also makes it possible to disable the password if there has been a security breach.

In our case, we have two concerns that make it viable for us to approach this security system. The first one is that for the DAA system we currently use a weak hashing algorithm. This means that if someone manages to come across the hash, then they may use that to figure out the password.

The second concern is that there are now two hashes for the password. This means that one could use both of them to guess what the password is. Of course, this is the least of our concerns and shouldn't affect the system that much.

Best part is that this is fairly easy to implement in our case due to how the system currently works.

By changing this system for the user to activate and copy the app-password to be pasted within the game, we will remove the issue of a security breach, as it is pretty easy to disable the system without restricting the user from the website. This will therefore split up the website and the in-game side, and having at least 16 characters for the password would make it impossible to crack within a sizable amount of time.
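An added sketch of the scheme proposed in this issue, not code from the repository: a random 16-character app-password is issued for in-game use, only a salted hash of it is stored, and it can be revoked without touching the website login. The `AppPasswordStore` class, the 62-symbol alphabet and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed alphabet)
APP_PASSWORD_LENGTH = 16                         # minimum length named in the issue


def entropy_bits(length=APP_PASSWORD_LENGTH, alphabet=ALPHABET):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def _hash(secret, salt):
    # PBKDF2-HMAC-SHA256 is an assumption of this sketch, not the project's algorithm.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class AppPasswordStore:
    """Hypothetical store: one revocable app-password per user,
    kept apart from the website password."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest)

    def issue(self, username):
        """Create or rotate the app-password; the plaintext is returned once."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(APP_PASSWORD_LENGTH))
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, _hash(password, salt))
        return password

    def verify(self, username, candidate):
        """Check an in-game login attempt against the stored digest."""
        record = self._records.get(username)
        if record is None:
            return False  # never issued, or revoked
        salt, digest = record
        return hmac.compare_digest(digest, _hash(candidate, salt))

    def revoke(self, username):
        """Disable in-game access; the website login is not affected."""
        return self._records.pop(username, None) is not None
```

With these assumed parameters a generated app-password carries about 95 bits of entropy, and revoking it leaves no stored value that relates to the website password.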
