From TinyMUX
Jump to: navigation, search

A password is a secret word or phrase that authenticates your identity. If you are not connecting through an SSL-encrypted session, your password is sent in the clear. Even with an SSL-encrypted session, the game owner can change the server code to save your password for later abuse. For this reason, it is strongly recommended that you do not use the same password on two different sites.

While an individual game owner is certainly able to change the source code, stock servers in the MUSH family do not retain passwords in a form that can be retrieved later. Instead, given your password (at the time you logon), the server is only able to determine whether the password matches the encrypted password in the database or not. Likewise, someone with a copy of the database is not able to extract passwords from it without resorting to a dictionary attack. A dictionary attack is still surprisingly successful in that many people pick very simple passwords.

Servers in the MUSH family that encrypt their passwords with DES only use the first eight characters of the password. Any character after the first eight are ignored. Servers in the MUSH family that encrypt passwords with SHA-0, SHA-1, or MD5 are able to use much longer passwords.


As of version 2.3, TinyMUX uses SHA-1 for password encryption. Previous server versions use DES-based password via crypt(). When a user connects with a valid password, if the server sees a DES-based password in the database, the password is re-encoded using SHA-1.

Password conversion can always occur on Unix because crypt() is always available. But, crypt() support was removed from the Win32 version of TinyMUX in version 2.6. Therefore, you cannot take a pre-2.3 database and attempt to use it on post-2.6 server on Win32. The solution to this problem is to go through an intermediate version or go through Unix.


PennMUSH has supported various password encryption schemes in the past, including system crypt() where available, DES, plaintext and increasingly prominently, SHS. These could be selected from at compile time.

SHS password encryption was implemented for all systems since December 21, 1997 with version 1.7.1 patchlevel 0. Starting July 12, 2000 with version 1.7.3 patchlevel 3 movement began to migrate to just SHS, with the replacement of the crypt() option with one that checks for both crypt() and SHS, replacing the password with a SHS version upon authentication.

Since version 1.7.7 patchlevel 29 (April 28, 2004) PennMUSH will attempt several methods of determining a password, including crypt() and plaintext, but will always replace older formats with an SHS version upon authentication. The option to switch to a different encryption system has been removed entirely.


Currently Rhost uses crypt() if available, otherwise uses SHS. Rhost is capable of reading passwords from TinyMUX 1.x and 2.x databases to ease the conversion process.


TinyMUSH versions 2.x and 3.x use crypt() / DES for passwords.