question

Kim Strasser asked

Can I store the player's password in internal data? Is it safe?

I want to save the player's login password in internal data (permission: private) because I need to compare the stored password with another string.

When the player wants to change his/her contact email address, he/she needs to enter the login password in my game. After that, I use an Azure function to find out if the entered string is the same as the stored password in internal data. If yes, then the player's current contact email address gets replaced by the new contact email address which the player has entered in my game.

Can I use internal data to store the password? Is it safe?

Account Management

scottadams answered

Why not let them log in themselves through your game and then give them a change email screen? They can't change the account email (it's fixed), but this would allow them to manage their own contact email.

The danger of doing it the way you suggested is that you are keeping their password in clear text. Even though internal data isn't seen by the players, anyone who is an admin on your game would have access to it.

If it is ever compromised and they used that password somewhere else, they are going to blame you, rightly so.

1 comment

Kim Strasser commented:

"Why not let them log in themselves through your game and then give them a change email screen? They can't change the account email (it's fixed), but this would allow them to manage their own contact email."

What do you mean by "Why not let them log in themselves through your game"? In my case, the player is already logged in with his PlayFab email + password, and after that I display a change email screen where the player needs to enter his password again; then I call the Azure function from my game and compare the password in this function.

What would you do differently?

scottadams answered

If they are logged in, then it means they gave the correct password. Why do you need to manually compare it?

If you want them to confirm their password on the email screen, then just log them out and log them back in with the password they just entered on the change contact email screen.

1 comment

Kim Strasser commented:

I thought it would be safer if the player needs to enter his password again when he wants to change his contact email. Someone else could take the player's device while the player isn't paying attention; this person then changes the contact email address, and after that could use password recovery to get a new password, because I allow changing the password with the admin API SendAccountRecoveryEmail if the player is not logged in. In this case, the stranger only needs to know the player's login email; then he could use the player's account, because he has already changed the contact email and password and can log in to the player's account with the login email address and the newly created password.

I understand that it is not safe to store the player's password in internal data. I will not store it.

Thanks for the hint. I had not thought about logging the player out and then asking for the password again.

I'm not sure yet if I will do it like this; maybe I will not ask the player to enter his password again, because it is the player's fault if someone else steals his account like this.

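Both of scottadams's answers make the same point: the title's own data should never hold a player's password, and a "confirm your password" step is a fresh login against the identity provider, not a string compare against stored data. The Python below is an added example written for this thread; it is not code from the thread, from PlayFab's SDK, or from the asker's Azure function. The identity store, the InternalData dictionary, the PBKDF2 parameters and every account value in it are constructed stand-ins, and it assumes the identity provider keeps only a per-account salt and password digest. It puts the proposed approach (cleartext in InternalData, compared with `==`) next to the recommended one (re-authenticate with the password the player just typed, then update the contact email) so the difference in what an admin can read is visible.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the identity provider's credential store.
# Assumption for this example: it holds only a salt and a PBKDF2 digest
# per account, never the password itself.
IDENTITY_STORE = {}

# Constructed stand-in for the title's per-player InternalData, where the
# question proposes to keep the password.
INTERNAL_DATA = {}

PBKDF2_ROUNDS = 200_000  # constructed value; tune for your hardware


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(email, password):
    """Register a player: derive a salted digest and discard the password."""
    salt = os.urandom(16)
    IDENTITY_STORE[email] = {
        "salt": salt,
        "digest": _derive(password, salt),
        "contact_email": email,
    }


def login(email, password):
    """Re-authenticate: recompute the digest and compare in constant time.

    This is the check the second answer relies on: log the player out and
    log them back in with the password typed on the change-email screen.
    """
    record = IDENTITY_STORE.get(email)
    if record is None:
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["digest"])


# --- the approach the question proposes (shown for contrast, do not use) ----

def insecure_store_password(player_id, password):
    """Cleartext password in InternalData: readable by any title admin or
    by anyone holding a leaked admin key, exactly the risk the first answer
    describes."""
    INTERNAL_DATA[player_id] = {"password": password}


def insecure_change_contact_email(player_id, entered_password):
    """String compare against stored cleartext, as in the proposed Azure
    function. Besides the storage problem, '==' is not constant-time."""
    return INTERNAL_DATA[player_id]["password"] == entered_password


def admin_export_internal_data():
    """What a title admin (or an attacker with the admin key) can read."""
    return {pid: dict(data) for pid, data in INTERNAL_DATA.items()}


def title_holds_cleartext(password):
    """True if the title's own data contains the password verbatim."""
    return any(password in data.values() for data in INTERNAL_DATA.values())


# --- the approach the answers recommend --------------------------------------

def change_contact_email(email, entered_password, new_contact_email):
    """Update the contact email only after a fresh, successful login with the
    password the player just entered. The title never stores the password."""
    if not login(email, entered_password):
        return False
    IDENTITY_STORE[email]["contact_email"] = new_contact_email
    return True


if __name__ == "__main__":
    create_account("player@example.com", "correct-horse-battery")  # constructed
    print(change_contact_email("player@example.com", "wrong", "new@example.com"))
    print(change_contact_email("player@example.com", "correct-horse-battery", "new@example.com"))
    print(title_holds_cleartext("correct-horse-battery"))
```

The secure path keeps nothing in InternalData at all: the only artefact of the password confirmation is a successful or failed login call, which is also what a login-attempt log should record. The insecure path shows why the admin audience matters: `admin_export_internal_data()` returns the password as typed, so a compromised admin key exposes every player who reused that password elsewhere.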
Seth Du answered